Show HN: Bulk convert images online without sending to server (webutils.app)
There are lots of solutions already, but most solutions have too many ads or they process on server(privacy concern).
Webutils convert all images on client using webassembly.
112 comments
[ 2.6 ms ] story [ 178 ms ] threadBut most people are not comfortable using CLI or someone may just not want to install it for one off conversion. Also webapp works on smartphones, tablets or anything with browser, while Imagemagick does not.
Imagemagick is ofcourse lot more feature rich and fast. If anyone is already comfortable using Imagemagick, webapp is not for them.
Negative feedback (including yours, and mine, and that of those who may reply to this disagreeing with me) has its place.
I’ve seen forums (fora?) where almost everyone is exclusively positive (like some reddit look-what-I-made topics), and that well-intentioned behavior can be pretty unhelpful if you’re trying to get different perspectives on your own project.
Yet there are always people there who bend over backwards to make someone feel bad if the person was (sarcasm: rude enough) to suggest there may be a way to improve something. Enforcing the positivity-only social norms.
I’m glad that HN, by contrast, stands out as having more free range thinkers who tell it like it is.
You cannot have privacy with web apps. At all. Ever.
> HN feedback has become cancer
It's all too easy to succumb to false feelings of generality about this kind of thing [1], because (a) there's a spectrum, as I mentioned, and (b) we're all inclined to notice the things we dislike, and weight them more heavily [2]. But these are all comments that other users posted to the same thread:
https://news.ycombinator.com/item?id=30060780
https://news.ycombinator.com/item?id=30049509
https://news.ycombinator.com/item?id=30048458
https://news.ycombinator.com/item?id=30047502
https://news.ycombinator.com/item?id=30047488
https://news.ycombinator.com/item?id=30047403
https://news.ycombinator.com/item?id=30046427
https://news.ycombinator.com/item?id=30050602
Those commenters all managed to offer positive feedback without combining it with negative generalizations about others. If you could do the same in the future, that would be very helpful.
[1] https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...
[2] https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...
https://news.ycombinator.com/newsguidelines.html
I don't see the value of commendeering a browser to run applications that would run more efficiently on the OS natively.
https://www.unix.com/man-page/osx/1/sips/
In future planning to make the app available offline using service worker. So first time internet would be required, next time onwards without internet also it will work.
Sadly, because of the nature of the web, one can never be sure that the image actually stays within the browser. There's no way to prevent it from secretly sending everything you convert with this to some shady website because it runs in the browser. I trust the people behind this just fine, but sadly the promise of offline-level privacy and running code inside the browser just don't go well together.
Disconnect wifi of on Desktop, but agree with OP there is no good way to check if processing is actually happening locally.
what about:
* DNS leaks (eg. trying to connect to payloadhere454098357987.attacker.example, leaks payloadhere454098357987 to the attacker)
* websocket
* webRTC
* prefetching
* service workers (background sync)
* beacons
* CSP reports
Resize to particular size idea came, when online service asked me to upload image upto 25KB. I had to just keep on changing size till image became 25KB.
The thing is, that logic applies just as well to desktop apps. There's never any guarantee on either desktop or web unless you have very specific counter-measures in place (firewalls, airgapping, ...).
It's just "closer to the web" when it runs in the browser, but if malice is the intent, it's as likely on either. Desktop apps are just "harder" to install.
While not impossible, the likelihood of, say, imagemagick doing this, while going through this process, is extremely improbable.
I agree that just downloading apps off random websites is every bit as risky as a browser app.
But who does that?!
(The last statement was sarcastic, and aimed at the curl | bash crowd, the nodejs crowd, the composer crowd... these things are the polar opposite of trusted, secured, audited, safe, sensible.)
Just because ubuntu is terrible, and uses snaps, does not mean all distros do. You should have taken the high road, and debated what I was discussing here.
In Debian proper, you can read the source code of everything too. After all, old school distros like debian are they very reason you have such freedoms. They've been fighting the good fight for decades, working to keep OSS running pure, untarnished from closed licenses!
The very idea that you think Linix distros are less audited than npm, and have less accessible source code, is, to me, incomprehensible. It also shows how little you know about OSS, while you use the very tools giants crafted for you.
This doesn't make me mad, it makes me very, very sad.
Snaps seemed like a fair example since you didn’t specify, and Ubuntu is one of the largest distros by market share. I don’t know what licensing has to do with your original point. I don’t know what vanishingly small linux distros used by a tiny minority of technical people has to do with @scrollaway’s point. I don’t know how making assumptions about what I know to slide in an ad-hom zinger has to do with taking the high road.
The point that you bypassed with your straw man in the first place is that once a software distribution ecosystem gets large enough, it’s guaranteed to run on some amount of trust and gets too large to be auditable. This is why we have sandboxing, but ultimately even sandboxed apps when they get popular are a privacy threat, this is a problem Debian hasn’t even remotely solved.
Most NPM libraries (even open source) are compiled and / or minified before they are uploaded to npm so it’s actually pretty common to get unreadable source code from npm.
Nothing in NPM ensures that the package code is the same thing you see on GitHub. This would require NPM to checkout and build all the packages by themselves.
So no, with NPM, you are totally running random code on your company’s computer. But surprisingly the world seems to be ok with that.
It’s true that use of NPM requires trust. At least NPM projects have a name attached to them and some accountability. It is by no means foolproof, but malicious projects lose their accounts along with the reputation that takes time to earn. The world does seem to be okay with a certain amount of trust.
This is really true of any software distribution system, even and including all distros of Linux. The point at the top of the thread is that we don’t have a way to know what happens when we download any software, or when we give our data to an application. We can protect our computers by auditing software and sandboxing systems, but the system still requires trust. Open source and auditing is still just a narrative that I have to trust from my point of view, unless I’m the person doing the auditing myself.
It might help to clarify the threat model. The poster I replied to confused a security model with a privacy model. The thread above it was about privacy, not about security. There is no software distribution model anywhere that addresses what happens with my data on somebody’s backend once sent, nor whether they can share data that I enter into an application over the internet, right?
Windows Firewall commonly serves this purpose even among users who are not familiar with terms like “countermeasures.” The only problem with their system is, the warnings are so common that clicking through them becomes a reflex action.
I can’t imagine it’s just so flawed because it’s been like that for years. There must be another reason I don’t get.
A website might serve a different code every time you use it. It might even serve a malicious code specifically for some users.
Desktop apps can do this little trick, too. Also, many desktop apps can enlist the help of other desktop apps using the three decades or so of various ways our OSes have made to lett apps talk to each other. Bad actors were using macro languages in desktop apps long before the invention of the web browser. Now, it's just as easy for a desktop app to hit an endpoint, grab a script (shell or macro language) and then execute it. The browser is just another desktop app - one with much more scrutiny than that MP3 tagging thing with a built in Lua interpreter that Bob in sales just gave local admin privileges to...
Oh, and most desktop apps have some level of access to your identity - or outright have you confirm your identity when you activate your license.
I wish browsers, Android, and iOS had this option so that users could be confident that the app/site doesn't have access to the internet. Maybe a little tricky with a browser but perhaps it could be possible somehow.
If you do not trust the developer of a web app, you can always disconnect from your Wi-Fi, use the app, close the tab and then reconnect to your Wi-Fi.
Web browsers don't come with such a firewall, and they need to be permitted by the system firewall to operate normally. It's technically possible to block outgoing requests with addons and configuration, but that's a pain to get right, especially compared to the simple toggle you can find in most OS firewalls.
For example: you enable throttling, upload a picture, that picture gets buffered by a serviceworker, you close the tab, therefore closing the dev tools and disabling the throttling you set up, and the serviceworker uploads whatever you resized to the server anyway.
Or: the application just tries to upload stuff whenever you open the page, turning the throttling solution into a race between you and your browser.
I don't think using dev tools intended to replicate offline-only behaviour are a good way to actually enforce offline-only behaviour.
did you compile some c++ library into wasm or js is enough to do the job?
If the data never leaves the local, how is it online?
"Bulk convert images in the browser without sending to server" seems more appropriate
Thats not true, because everything is client side, you just open app once. Next time onwards resources are cached and served from browser cache.
I'm completely new to WASM but excited to learn — how did you use the Squoosh repo to turn it into WASM, and how did you embed that into your app? Is that just a static file you can "import" and use in the client?
And can anything be "turned into" WASM (e.g. a python library), or is that kind of a new paradigm of writing code from scratch?
WASM is a compilation target for AOT compiled code.
For now wasm can be compiled from C,C++, Rust and Go, so mostly compiled languages. https://emscripten.org/ can help compile C,C++, Rust and Go has native support to compile. There is also a Typescript like language which compile to wasm(assembly script)
Python or most dynamic languages are too difficult to compile to wasm.
> Any pure Python package with a wheel available on PyPi is supported. Many packages with C extensions have also been ported for use with Pyodide. These include many general-purpose packages such as regex, PyYAML, lxml and scientific Python packages including NumPy, pandas, SciPy, Matplotlib, and scikit-learn.
It’s 100% private, editing happens in the browser.
Here are a few ideas to make yours faster:
1. Use the browser's canvas element to compress JPEG or PNG images instead of WASM. The libraries which come with browsers can use processor-specific instructions, while WASM only targets the smallest common denominator of the most common architectures, so it will be slower.
2. Which resizing method are you using to find a fitting image size? For me, it worked well enough to downscale by some factor a few times until it fits, but if you want to get super close, you could use binary search.
https://caniuse.com/mdn-api_paintrenderingcontext2d_imagesmo...
On a similar note, does anyone know similar lightweight web/desktop apps for basic photo editing, specifically, resize, conversion, crop, color overlay, etc. I use Photopea[0] on Linux but I still feel I could go lighter.
[0]: https://photopea.com
I found that it starts to hang on XLSX files ~50MB because the spreadsheet model it produces get's a bit too big and sheetjs dies. Doing this in a web worker is a good idea because otherwise it will clog the main thread.
For CSV the story is different, because you can read a plain text file in chunks (even in JS) with FileReader and readAsArrayBuffer(file.slice(byteOffset, byteOffset + chunkSize, file.type)).