[Freedombox-discuss] [Freedom Box] Finding your FB box on the network

Christian Brædstrup linuxchristian at gmail.com
Thu Oct 14 14:45:09 UTC 2010


Hi,

> 2010/10/14 <bertagaz at ptitcanardnoir.org>

> I was thinking of a process where either the user downloads an installer to
> boot his machine on and install his FB, or he buys a plug with an installer
> already shipped in that he just has to boot to install. Then use the web
> interface of the Debian installer. But not sure it's easily feasible.
>

The two situations you talk about I think can be solved in the same system.
If the user has a box and wants to install FB on it then he downloads the FB
live image and installs it over the web interface. That installs a base
system and the packages he wants. He can then remove the USB or CD and boot
his new system. In the FB environment he can of course choose to install
more software.
If he buys a device with FB on it then it ships with just the base system
and default settings. When he boots the system he can then choose what
packages to install (just like the user who installs it from scratch). The
thing is that then we don't need to supply two different systems. Just the
live installer that installs the base system (with the option to install
custom packages at that stage). The live system is just an ISO you can
download from the website and put on a CD or USB.

> Yeah, but how does the user know what IP address his FB had by the DHCP so
> that he can install it with the web interface? Zeroconf might be the
> answer, but as I'm talking about using the Debian installer, that'd mean
> put avahi in it, which I'm not sure is feasible nor is a good idea. Like
> what if a malicious user is on the network you're installing the FB on. If
> he/she uses zeroconf too, that'd be problematic.
>

The problem with getting the IP is what I have "solved" with the Perl
scripts. The user just needs to run the BroadcastClient.pl script when he
starts the device that he wants to install FB on. Then it grabs the IP of
the server and starts a web browser with the homepage of the webserver. It is
of course a hack but it is a start. More elegant solutions can of course be
made.
I have never worked with Zeroconf but what if you run a DHCP server and a
DNS server on your network already? Can't it give some problems? I also like
the solution where the user doesn't have to download any software to his own
PC but how easy is it to set up on any network?

> I'm not sure I understand the process. Where does the user put the
> liveCD? I guess the "where" is related to the FB box, so I don't
> understand why the user would have to choose the location of the
> installation.
>

The user burns the ISO to a CD if his device has a CD-ROM drive or he puts
it on a USB. The USB solution is easy and it is safe to assume that all
devices FB should run on have a USB port (Or is it? Do all plugs have
that?). The "where" refers to the place to install FB (hard drive, NVRAM, USB
device, ...). On a plug system there is just one place to install it but on
my T1 I can have many drives attached and I don't want FB to install and
overwrite all my data :)
So just installing FB on some devices can give problems.

> Actually the Debian liveCD doesn't have an installation mechanism, but
> AFAIK they are working on it. If you want to play with it, you might want
> to read live-* mailing-list or read the sources. Not sure what the state
> of this installation is in Debian live though.
>

I have looked at it but they don't have any docs to read. I have thought
about asking on the IRC but haven't tried it yet. On the live-cd webpage
they say that for now using debootstrap to install from a live-cd is the
official Debian solution right now (but it is troublesome).

2010/10/14 Jonas Smedegaard <dr at jones.dk>

> If security is a concern (and it is!), then we need some way of
> establishing a secure connection between the FreedomBox and its user.
>
> ....
>

> My favorite would be that the security token was a WebID, i.e. a
> client-side SSL certificate (with some extra hints added to act as a
> semantic web user id too).  Tough part of this is to follow the
> documentation on generating WebID correctly - and make it work inside an
> install routine.  It should be pretty easy to then restrict web interfaces
> to only use SSL and only accept communication with those in possession of
> that WebID.
>

I couldn't agree more.  Security both on the system but also during the
install process is VERY important. I have also thought about it but didn't
consider the WebID solution. I think that there might be a problem with
non-tech users who don't know what WebID is and don't know how to set it up.
A solution could be to have a system like the Live-CD web builder that
Debian has. The user builds a custom live image with the packages he wants
and gets a custom password to access the installer's web interface (That is
hardcoded into the install system somehow). The solution has one big
downside. There needs to be a build server somewhere to produce the ISOs.
Having the scripts at hand and caching the packages can reduce the strain on
the CPU and the connection but the server still has to run. Perhaps we could
get in on the existing Debian live build server when the project matures.
One of the advantages of having a custom build system is that users with low
bandwidth can download the ISOs at work or school and don't need an internet
connection at home to install all the packages they want. But I think that
solution is a bit into the future and now a simple system will work just
fine. I also see it as being a bit clumsy but it would require the user to
know the password to get access to the install web interface and that would
add a good layer of security. This solution could of course be just one way
to provide security. Then the user can select his preferred way of
authentication on the web install login page.

Hope you could follow along on my rant. The solution would be technically
difficult to implement (just like the WebID) and I agree with Jonas that it is
a project for the future but an important one.

Cheers,
Christian
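
The two ideas in this thread, broadcast discovery of the installer and a per-image install password, can be combined so that a malicious host answering the broadcast is ignored. This is an added example, not part of the original message or of the BroadcastClient.pl script; the message format, function names and sample values are assumptions made for the illustration.

```python
import hashlib
import hmac
import ipaddress
import json
import secrets

def make_probe():
    """Client: fresh random nonce carried in the broadcast probe."""
    return secrets.token_hex(16)

def _tag(password, nonce, ip):
    # Key derived from the install password (assumed long and random,
    # since a captured reply allows offline guessing of a short one).
    key = hashlib.sha256(password.encode()).digest()
    msg = f"fb-discover|{nonce}|{ip}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def make_reply(password, nonce, ip):
    """Installer: answer a probe, binding its IP to the client's nonce."""
    body = {"ip": ip, "nonce": nonce, "tag": _tag(password, nonce, ip)}
    return json.dumps(body).encode()

def verify_reply(password, nonce, datagram):
    """Client: return the installer IP if the reply is authentic, else None."""
    try:
        reply = json.loads(datagram.decode())
        ip = str(ipaddress.ip_address(reply["ip"]))
        tag, echoed = reply["tag"], reply["nonce"]
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(tag, str) or echoed != nonce:
        return None  # malformed, or a replay of an answer to an older probe
    expected = _tag(password, nonce, ip)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None  # sender does not know the install password
    return ip

def pick_installer(password, nonce, datagrams):
    """Return the first authenticated IP among all replies received."""
    for d in datagrams:
        ip = verify_reply(password, nonce, d)
        if ip:
            return ip
    return None

if __name__ == "__main__":
    pw = "constructed-install-password"  # constructed sample value
    nonce = make_probe()
    spoof = make_reply("guess", nonce, "192.168.1.66")  # rogue host on the LAN
    real = make_reply(pw, nonce, "192.168.1.50")
    print(pick_installer(pw, nonce, [spoof, b"junk", real]))
```

The authenticated reply only tells the client which address to open; the installer's web interface still needs its own login and transport protection, as discussed above.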