[Freedombox-discuss] Policy questions

Rob van der Hoeven robvanderhoeven at ziggo.nl
Sun May 8 11:23:50 UTC 2011 

> > You are right. A competent sysadmin can build a secure system without
> > using virtualization. I don't think that an average FreedomBox user can
> > manage the more advanced security features that you mention. So, must
> > they become dependent on FreedomBox security experts every time they
> > want to install a new service that connects to the internet? That's no
> > freedom to me. In my design i use VM's as sandboxes. Users are free to
> > install whatever they want inside a VM. 
> 
> Sure, users are free to whatever with their FreedomBoxes - it is Free 
> Software.

People will install other non FreedomBox approved software. It would be
nice if the FreedomBox has a software architecture that makes this as
safe as possible.

> 
> But the FreedomBox is a *subset* of Debian with additional constraints 
> especially on user-friendliness.  I do not consider "aptitude install 
> whatever your heart desire" as especially user-friendly.
> 
> I envision that we decide on some pieces in Debian, work with the 
> maintainers of those pieces to make them possible to not only be 
> installed in the "aptitude install, tinker with configfiles until happy" 
> fashion that we are used to, but also supports hooking up with a 
> dead-simple design which we invent - or (hopefully) discover that others 
> have invented and convince someome to package and maintain in Debian.
> 
> So I expect the "dead-simple" interface of FreedomBox to only be able to 
> add/remove - or enable/disable if there are so few that it makes sense 
> to inlude them all as part of the "core" - those services which are sane 
> for the device - which means both user-friendly and considered secure.

User friendliness is essential for the success of the FreedomBox. I
think virtualization is helpful with this respect. On my blog i
described how to build a WordPress virtual machine. One visitor asked me
the following question:

Question:

Just curious: Have you considered automating a process like this using
Puppet or another configuration management system, if that’s possible?
It would be nice if a setup like this were as easily built-up and torn
down as a single “app” on a freedombox

My answer:

One of the reasons i house my modules inside LXC containers is ease of
deployment. If you build a container for one processor architecture it
can be copy-pasted to any machine with the same architecture. For the
configuration and data inside a container i am planning a simple data
interface. As you can see from the WordPress module, there is very
little configuration data that must come from outside the container.

To answer your question: My FreedomBox modules should be built by
competent sysadmins and deployed with the normal Debian package
management tools (hidden behind a nice user interface).

> > Maybe the cloud companies have done some research on that? You have a 
> > valid question here. I'm very interested how secure the virtualization 
> > i use (LXC) is.
> 
> You expect cloud companies to have done research in running 
> virtualization on crippled hardware without dedicated RNG or even CPU 
> virtualization support?
> 

Yes. Cloud companies are very security aware. CPU virtualization
features are mostly there to improve performance, not security. The
hardware of the FreedomBox is not crippled hardware. It is modest
hardware for modest tasks. Cloud companies have more powerful hardware,
but on this hardware they are running far more VM's. From my own
experience i would say that a VM on my FreedomBox has roughly the same
performance as a cloud VM.

> > One of the goals of the FreedomBox is to decentralize popular social
> > networking services. The software to do so is still in development or
> > does not exists. In order to develop the software FreedomBoxes are
> > needed. Are you going to wait until Diaspora is mature in order to let
> > it run on the FreedomBox?
> 
> I am going to bet on alternatives to Diaspora not building everything 
> from scratch, e.g. Buddycloud - approached as an XMPP extension with 
> multiple implementations.

Diaspora is just an example. The problem here is that in order to mature
some programs that we want to have on our FreedomBoxes need our platform
to mature.

Rob van der Hoeven.
http://freedomboxblog.nl

More information about the Freedombox-discuss mailing list