> > You are right. A competent sysadmin can build a secure system without > > using virtualization. I don't think that an average FreedomBox user can > > manage the more advanced security features that you mention. So, must > > they become dependent on FreedomBox security experts every time they > > want to install a new service that connects to the internet? That's no > > freedom to me. In my design i use VM's as sandboxes. Users are free to > > install whatever they want inside a VM. > > Sure, users are free to whatever with their FreedomBoxes - it is Free > Software.
People will install other non FreedomBox approved software. It would be nice if the FreedomBox has a software architecture that makes this as safe as possible. > > But the FreedomBox is a *subset* of Debian with additional constraints > especially on user-friendliness. I do not consider "aptitude install > whatever your heart desire" as especially user-friendly. > > I envision that we decide on some pieces in Debian, work with the > maintainers of those pieces to make them possible to not only be > installed in the "aptitude install, tinker with configfiles until happy" > fashion that we are used to, but also supports hooking up with a > dead-simple design which we invent - or (hopefully) discover that others > have invented and convince someome to package and maintain in Debian. > > So I expect the "dead-simple" interface of FreedomBox to only be able to > add/remove - or enable/disable if there are so few that it makes sense > to inlude them all as part of the "core" - those services which are sane > for the device - which means both user-friendly and considered secure. User friendliness is essential for the success of the FreedomBox. I think virtualization is helpful with this respect. On my blog i described how to build a WordPress virtual machine. One visitor asked me the following question: Question: Just curious: Have you considered automating a process like this using Puppet or another configuration management system, if that’s possible? It would be nice if a setup like this were as easily built-up and torn down as a single “app” on a freedombox My answer: One of the reasons i house my modules inside LXC containers is ease of deployment. If you build a container for one processor architecture it can be copy-pasted to any machine with the same architecture. For the configuration and data inside a container i am planning a simple data interface. As you can see from the WordPress module, there is very little configuration data that must come from outside the container. To answer your question: My FreedomBox modules should be built by competent sysadmins and deployed with the normal Debian package management tools (hidden behind a nice user interface). > > Maybe the cloud companies have done some research on that? You have a > > valid question here. I'm very interested how secure the virtualization > > i use (LXC) is. > > You expect cloud companies to have done research in running > virtualization on crippled hardware without dedicated RNG or even CPU > virtualization support? > Yes. Cloud companies are very security aware. CPU virtualization features are mostly there to improve performance, not security. The hardware of the FreedomBox is not crippled hardware. It is modest hardware for modest tasks. Cloud companies have more powerful hardware, but on this hardware they are running far more VM's. From my own experience i would say that a VM on my FreedomBox has roughly the same performance as a cloud VM. > > One of the goals of the FreedomBox is to decentralize popular social > > networking services. The software to do so is still in development or > > does not exists. In order to develop the software FreedomBoxes are > > needed. Are you going to wait until Diaspora is mature in order to let > > it run on the FreedomBox? > > I am going to bet on alternatives to Diaspora not building everything > from scratch, e.g. Buddycloud - approached as an XMPP extension with > multiple implementations. Diaspora is just an example. The problem here is that in order to mature some programs that we want to have on our FreedomBoxes need our platform to mature. Rob van der Hoeven. http://freedomboxblog.nl _______________________________________________ Freedombox-discuss mailing list [email protected] http://lists.alioth.debian.org/mailman/listinfo/freedombox-discuss
