Prose.io is a completely client-side editor that authenticates against GitHub to allow you to directly edit your Markdown files in the repo.
Could anyone provide screenshots? I hate to be a hater but authorizing an app to access all my private repos is a little too much (not sure how GH allows OAuth scoping)
"This application will be able to read and write all public and private repo data. This includes the following:
Code
Issues
Pull requests
Wikis
Settings
Webhooks and services
Deploy keys
"
Indeed, no way am I authorizing this. Why does it need deploy keys and settings access? That's insane. I can't even do that because that would give it access to my job's code too, although I should probably create a new, separate GitHub account for my job. One time I said yes to one of these, tenexer I think it was, and the thing added webhooks to all hundred some private repos for my job. I ended up having to create a script to remove all those hooks. I could have been fired for that I bet.
There just isn't much granularity there - GitHub OAuth enabled integrations that need repository access can jump from having no specified scope - which grants access to your profile data only - to scope 'public_repo', which grants read-write access to all the data you've listed above, in any public repository, and then to scope 'repo', which grants the same for public and private repos.
It's a shame, because most GitHub integrations I've seen seem to need enough access to just list your repositories (public and private) and ask your permission to enable a webhook on a given repo at your request.
There's no way to do that with GitHub OAuth at the moment without asking for the 'repo' scope, and along with it a whole load of privileges that most people just can't / won't feel comfortable granting.
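An added example, not part of any comment in this thread: a small JavaScript check that maps a requested GitHub OAuth scope string to the three access levels described above (no scope, `public_repo`, `repo`) and compares it against a limit you choose before approving an authorization link. The function names, level labels, sample links and `client_id` placeholders are assumptions made for illustration.

```javascript
// Access levels as described in the comment above, lowest to highest.
// Only the scopes named in the thread are modelled; any other scope is
// reported under `other` and does not change the level.
const LEVELS = ['profile-only', 'public-repos-read-write', 'all-repos-read-write'];
const SCOPE_RANK = new Map([['public_repo', 1], ['repo', 2]]);

// Accepts "repo, user" (X-OAuth-Scopes response header style) as well as
// "repo user" or "repo,user" (authorize URL style). An empty or missing
// value means no scope was requested.
function parseScopes(value) {
  return (value || '').split(/[\s,]+/).filter(Boolean);
}

function classifyGrant(scopeValue) {
  const scopes = parseScopes(scopeValue);
  const other = [];
  let rank = 0;
  for (const s of scopes) {
    if (SCOPE_RANK.has(s)) rank = Math.max(rank, SCOPE_RANK.get(s));
    else other.push(s);
  }
  return { level: LEVELS[rank], rank, scopes, other };
}

// Inspect an authorization link before approving it.
function reviewAuthorizeUrl(url, maxLevel) {
  const allowed = LEVELS.indexOf(maxLevel);
  if (allowed < 0) throw new Error('unknown level: ' + maxLevel);
  const params = new URL(url).searchParams;
  const grant = classifyGrant(params.get('scope'));
  return { ...grant, clientId: params.get('client_id'), withinPolicy: grant.rank <= allowed };
}

// Constructed sample links; the client_id values are placeholders.
const SAMPLES = [
  'https://github.com/login/oauth/authorize?client_id=EXAMPLE_ID_1',
  'https://github.com/login/oauth/authorize?client_id=EXAMPLE_ID_2&scope=public_repo',
  'https://github.com/login/oauth/authorize?client_id=EXAMPLE_ID_3&scope=repo,user',
];
for (const link of SAMPLES) {
  const r = reviewAuthorizeUrl(link, 'public-repos-read-write');
  console.log(r.clientId, '->', r.level, r.withinPolicy ? 'ok' : 'EXCEEDS POLICY');
}
```

The same `classifyGrant` call works on the `X-OAuth-Scopes` header GitHub returns on API responses, which is a quick way to see what a token you already issued can reach.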
I'm no longer involved in the development. However, I do understand your security concerns. But I think this is not just a discussion about the limitations of OAuth Scopes. When using a hosted service, you always pay the price of losing full control of your data. In return it's very convenient.
I wrote an article about decentralized publishing the other day.
I would also like to mention the project I'm working on right now, Substance. It is an easy-to-use self-publishing system, which runs locally and thus gives you full control over your content. (at least until you publish it, because then there's no way back ;))
GitHub are also working on enabling users to accept just a subset of the requested scopes, like just access to public repos, which will make using all of the more fine-grained scopes easier: https://developer.github.com/changes/2013-10-04-oauth-change...
http://en.wikipedia.org/wiki/XACML would be one - it can be a little complicated, but if you can get over that it's quite nice and also adds the idea of an Obligation (something that must be performed on a grant/deny - for example, logging/e-mailing)
Sounds like a UX nightmare and a huge pain. I'm glad that privacy maximalists don't design user interfaces...
Wow, this comment sounds a lot more dickish than it was intended to. What I mean is, secure design would be that the app can't even see repos that it isn't authorized for, which means the user has to go through some back channel privacy settings page to authorize it every time they set up a new repo.
I don't want to have to specifically authorize x y and z repos every time I touch the app, and I seriously doubt anyone else does either.
Actually we do design UI, every day. And there are plenty of ways to do this in a comfortable fashion without authorizing read access to the contents of every repository. You could for example, show a list of all repos and when you click to edit one for the first time ask for permissions once for that repository - hardly a UX nightmare?
You probably don't want some random, just-released / potentially buggy application touching all your repos. Wouldn't you want to test it on a throwaway repository first to see if you actually want to use the app / does the app work properly, and then authorize it only for the repos you want?
If you’re looking for an open source, self-hosted, web-based plain-text editor, that supports Markdown, reST, and LaTeX, and has Git integration too: just stumbled upon https://notex.ch/ — quite impressive work. Doesn’t look as nice as Prose.io e.a., but even the GUI is well-done.
Actually, it's a Backbone.js application. It uses the browserify library to load other modules, which is what the "require('blah')" bits are. This confused me too when I first read it. So essentially you can run this on a static file server like GH pages.
As far as I remember in order to get the GitHub authentication piece working you need to use an external app simply for the authentication with GitHub. DevelopmentSeed also wrote an app for this called gatekeeper (I think) which I believe is a node.js application.
Two Things:
1. The links to view the GitHub project sites are wrong; they attach the prose.io domain to the actual domain.
2. It's cool that there is a publish button that shows if it has been published, but then when I clicked on it, it said it would be unpublished. I know I have to save first, but that was kind of bad UX. Also when I click it again to set it back to publish, the record still appears to be dirty, with changes to save. Kind of unsettling since I was just browsing to see the functionality.
One more thing: Is there a service (hosted or otherwise) that has this kind of web based editing with a preview of MY website, not just the plain Markdown? I like that non devs could edit it, but we also have our own CSS that could change the way it looks (video embedding, etc.).
It seems nice, but I'd like to know more about where the UI is hosted and whether I can easily host it myself. Is there an architecture diagram somewhere?
The UI is hosted on GitHub Pages: there's no server-side code. The only required server-side component is https://github.com/prose/gatekeeper - an app that makes OAuth possible with CORS.
It's not about 'editing your github files', and anybody who brings up VIM is definitely missing the point (it's not for you!). As I understand it Prose is about the potential to host totally CMS-free sites (e.g. Jekyll sites) on Github and give your customers a decent editor to alter their content.
It's potentially combining the best of the 'push to git to deploy static site' ethos with 'CMS-like editing capabilities so your customers can reasonably edit content'. I think that's why a lot of people are watching this project closely.
I personally would be happy to see this reposted once a month so we can see its progress and maybe encourage more competition in this space.
I'm not here to discuss the tool. It's a good tool. Nothing wrong with it. It's a great tool, worth discussing. It has its uses etc.
However, there's nothing visibly new with each repost. If someone posted like a release, or maybe a changelog, or a blog post with some feature updates, sure. But as of right now, I see Prose get reposted monthly, with no visible changes. And THAT'S annoying.
Is the same person reposting it? If so, it's spam and should be reported. If it's a new person each time, and each time it continues to get up-voted, then you're going to have to just live with it just like we all have to live with articles we don't care for making it to the front page. Obviously HN has consciously made a decision to allow reposts after some cool-off period.
This seems like a great product, but the fact that they include no product details or information doesn't meet the high bar that should be met for someone to provide OAuth access to GitHub.
I used Prose before. However, after the Heartbleed incident, I removed many OAuth tokens in GitHub, including Prose, and now the site won't load for me at all.
It can be configured to work almost like how you would expect a typical CMS to work – with different content types, additional fields in the forms etc: https://github.com/prose/prose/wiki/Prose-Configuration Which means users don't have to know much about Jekyll to add content to such a site.
Prose is tweaked specifically to offer additional features to sites built with Jekyll.
They have a Markdown editor, similar to the one GitHub offers, but have a few extra features to deal with Jekyll-specific stuff like drafts, image uploading and a distraction-free writing mode.
It has a tiny tiny server-side component that exists only to complete the OAuth handshake (for the remote server to have something to call back to), called gatekeeper.
It's completely open source and self-hostable. They also make a webhook so you can trigger rebuilding on your own server.
They built it to be able to replace their need for a traditional CMS when they switched from Drupal to Node.js many years ago.
http://developmentseed.org/blog/2012/07/27/build-cms-free-we...
DevelopmentSeed was the company that eventually spun off into MapBox.com, the open source open data map tile hosted service.
They have a long history with the open source community, and are spearheading a lot of the open source mapping stack by employing the lead developers of mapnik, leaflet and much more.
Other than Mapbox.com and Prose.io they also built:
TileMill - https://www.mapbox.com/tilemill/ - A node-webkit-based map designer
iD - http://ideditor.com/ - The OpenStreetMap editing interface
(disclaimer: I used to work for them, and left around the time they spun off into mapbox)