[Nick Daly]
> Hi folks, during the call today, Markus and Sunil brought up the fact
> that they had concerns about distributing 100 boxen to developers
> (projectdanube.org), and thought it would be a good idea to discuss
> what those concerns are. This might help us direct the 1.0 todo list
> as well.
More PR and buzz is definitely a good thing, but one issue we need to have in mind is the general perception of the project. We still have to fight the idea that FreedomBox is only for the Dreamplug, and it isn't many weeks since the last time I saw someone on IRC being surprised to learn we also provide Raspberry Pi images. If we "marked" this specific hardware as something "official", we might in the future end up having to fight the idea that it is the only or best supported hardware, which will be a problem when we try to provide a solution for several hardware platforms. This tells me we need to be careful with how such an offer is communicated. We need to ensure it is made clear that it is just one of many possible hardware platforms, and one provided for convenience, to try to counter the idea that FreedomBox is only for one or a few hardware platforms.

> To start, my concerns are that we've written Plinth and some glue code
> (like Augeas-lenses, FBuddy, etc.) for the project. I'm pretty sure
> all of these things were necessary (because nothing available in
> Debian did them in the coordinated way we needed them to), but I'm
> uncomfortable releasing externally-facing services without getting
> those services a proper security review. I'm sure we'll do our best,
> but it also feels negligent to ask people to rely on our tools without
> making reasonable external verifications.

While this is important, I am not sure this is very important for a development box. I guess it depends on which threat model one wants to address. Which attackers do we want to defend against? Is it random script kiddies, focused attackers, well funded government attackers or something else? Requiring a complete security review before putting anything "public" might become a mental block making it impossible to get any progress. How do we avoid that pitfall, while not making life harder for those needing protected communication and computing systems? I am not sure.
--
Happy hacking
Petter Reinholdtsen

_______________________________________________
Freedombox-discuss mailing list
Freedombox-discuss@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss