[Dev] [consensus due 11-11-16] Defining the nonprism repo
hahj87 at gmail.com
Thu Oct 27 22:28:07 GMT 2016
Luke <g4jc at openmailbox.org> writes:
> Hello All,
> Per the last consensus there was the recommendation to keep nonprism
> "secure", and to split the iceweasel package into two packages to avoid
> impacting users with less "features".
I would expect [nonprism] would be secure by default,
but the repo should be activated as opt-in.
> The problem I see with this is, people are using nonprism thinking they
> are getting the most secure setup - and are not. However, it is still
> technically in line with the current purpose of nonprism which is "not
> using insecure/privacy invasive protocols". The nonprism repo's
> descriptive purpose is not very well defined on our wiki, so there is no
> statement as to how secure it should be. 
> To fix this issue I propose the following two proposals for consensus,
> and two questions:
> 1) Re-define or rename [nonprism] so that it also includes packages for
> hardened, secure defaults, and less metadata/fingerprinting.
I agree hardened packages belong here.
> 2) Provide a "meta package" that installs
> your-privacy-*hardened/options* rather than just your-privacy. It can
> recommend packages, but they will not be mandatory and should not
> conflict with other software, so that users can comfortably have
> "iceweasel"(insecure) and "iceweasel-hardened" both voluntarily
> installed on the same system.
Can't find any 'your-privacy' package.
> 3) Should we just remove iceweasel/icedove-nonprism instead of further
> complicating things by keeping 3 packages?
> e.g. icedove/iceweasel (insecure), icedove/iceweasel(nonprism/non-free
> protocols facebook and crapware removed), and iceweasel/icedove-hardened
> (which contain actual hardening and some resistance against fingerprinting.)
Could this be installed side by side?
This way users could try running `iceweasel-hardened`
and use just `iceweasel` where needed.
Or maybe using a `iceweasel` (hardened)
and `iceweasel-without-privacy` where needed.
A logo and a warning on installation could help make people aware of
> 4) Should iceweasel/icedove-hardened be kept in [pcr] or moved back to
> [nonprism] when/if nonprism is re-defined to include hardening?
I vouch for Yes.
> I think it is the expectation of Parabola's privacy repo to provide the
> most secure/privacy respecting packages, even if that means breaking
> some features. However, for a reasonable compromise a voluntary meta
> package seems like the best option.
More information about the Dev