[Freedombox-discuss] Wider Distribution Concerns?
> Hi folks, during the call today, Markus and Sunil brought up the fact
> that they had concerns about distributing 100 boxen to developers
> (projectdanube.org), and thought it would be a good idea to discuss
> what those concerns are. This might help us direct the 1.0 todo list
> as well.
More PR and buzz is defintely a good thing, but one issue we need to
have in mind is the general perception of the project. We still have to
fight the idea that FreedomBox is only for the Dreamplug, and it isn't
many weeks since the last time I saw someone on IRC being surprised to
learn we also provide Raspberry Pi images.
If we "marked" this specific hardware as something "official", we might
in the future end up having to fight the idea that it is the only or
best supported hardware, which will be a problem when we try to provide
a solution for several hardware platforms.
This tell me we need to be careful with how such offer is communicated.
We need to ensure it is made clear that it is just one of many possible
hardware platforms, and one provided for convenience, to try to counter
the idea that FreedomBox is only for one or a few hardware platforms.
> To start, my concerns are that we've written Plinth and some glue code
> (like Augeas-lenses, FBuddy, etc.) for the project. I'm pretty sure
> all of these things were necessary (because nothing available in
> Debian did them in the coordinated way we needed them to), but I'm
> uncomfortable releasing externally-facing services without getting
> those services a proper security review. I'm sure we'll do our best,
> but it also feels negligent to ask people to rely on our tools without
> making reasonable external verifications.
While this is important, I am not sure this is very important for a
development box. I guess it depend on which threat model one want to
address. Which attackers do we want to defend against? Is it random
script kiddies, focused attackers, well funded goverment attackers or
something else? Require a complete security review before putting
anything "public" might become a mental block making it impossible to
get any progress. How do we avoid that pitfall, while not making life
harder for those in needing protected communication and computing
systems? I am not sure.