However...
What I personally think is really interesting here is the bundle. I don't want to pay $10/month for a Twitter clone. I don't want to pay it for VPN. I don't want to pay it for email, or file storage, or contact manager, or payment system.
But as a bundle?
$10/month to actually solve all of my digital privacy concerns?
That's a rather appealing proposition. I'm not sold Librem One truly solves this, for all the reasons in this HN thread. But I think the idea that I could make a single Netflix-sized monthly payment to simply solve privacy across-the-board is something I could get behind. And I'm cheap AF.
They're onto something.
If Purism is offering clean and transparent connections to services backing them combined with some sort of delivery (update) + support mechanism, that is already far better than just telling someone to download 5-6 apps + subscribe to 3-4 services (VPN, email server, backup server, etc).
It's not as ideal as a purely decentralized, multi-party system for security's sake, but it's better than what 99% of people are going to be using otherwise - in the real world.
Everybody is still free to set up a server at home or on a VPS. But there has to be a place you can point ordinary people to.
It seems preferable to the donation model.
The challenge, at least in my neck of the woods, is that all the independent ISPs got purchased by bigger players who aren't exactly in a rush to be innovative.
Librem Chat = Riot.im
Librem Social = Mastodon (specifically the Tusky app)
Librem Mail = K9 Mail
Librem Tunnel = OpenVPN
The alternative seems to be walled gardens.
Other companies do similar things, such as Fastmail which develops the open source IMAP server Cyrus [1]. I've been a happy Fastmail customer for years. Cyrus is still free for anyone to use even though Fastmail makes money from it.
Like 5% to Riot, 5% to Mastodon, 5% to K9.
Could also give to the GNOME Foundation, Linux Foundation, and OpenVPN, but I think those are pretty sustainable already.
I'd easily pay $10 a month for this if they make it clear they're going to give back to the open source projects included.
So while you have a point, I think "quite dishonest" is a bit too much condemnation. The stack is so big, with the majority of energy already being siphoned off by SaaS bundlers, it's basically impossible to rebuild the entire stack anti-surveillance-like as one big release. Rather we're going to end up with many approaches, each trying to solve a bit of the problem. The bit of the problem being solved here is really the popularization angle - making an easy touchstone recommendation for someone who is interested in privacy but would/could/should never self-host.
I quickly picked up that the Chat was Matrix, and assumed the tunnel was openvpn or wireguard (designing a new protocol would be a priori cryptographic incompetence). So perhaps constructive feedback to better summarize the underlying software for people "in the know" is worthwhile. But writing off the actual value-add of the project, the productization itself, mainly just results in hindering the ability of the Free community to market.
Personal side note: I’m not a fan of branding open source apps. It delays security updates and waters down the original brands; Riot and K9 have good reputations; Why not utilize those?
Either way, anything that gets people using more encrypted open-source software is totally okay with me.
As long as they are transparent about their stack and the authors of the software are cool with it - why not have it bundled with clean packaging and a slick donation model?
> Librem Mail – end-to-end encrypted email used by nearly everybody already
> Librem Tunnel – end-to-end encrypted VPN tunnel proven by millions of users
> Librem Social – public social media with millions of people already active
I was wondering what they meant, _how could the apps of something that hasn't yet launched be used by "millions of active users"_.
But, the Social app looks exactly like a Twitter screenshot, and the VPN looks identical to PIA’s iOS app.
The chat UI isn’t great, and the Mail app is even worse. They all look like apps you would find on F-Droid which are great, but I wouldn’t feel excited about paying monthly for an app suite that lacking in polish.
Their claims of millions of active users on each of the services also seem questionable. Maybe if they’re counting the total number of XMPP users I could see that.
Lastly, the framing of donating to what is by definition a for-profit company is off-putting for me personally.
Also, while Purism is indeed a for-profit company, it's actually an interesting case since it's a Social Purpose Corporation - it's not there to maximize profits, but to maximize its social purpose. It legally can't do anything that would be at odds with its legally defined social purpose: https://puri.sm/about/social-purpose/
With Librem One you get a Mastodon account on their own Mastodon instance. That instance can speak with all other instances on the fediverse with the ActivityPub protocol. So yes, with Librem Social you can easily connect with more than 2 million people.
I mean, I like what Librem does in general and I also think that marketing those apps as a uniform service (without distracting attributions) is definitely a pro for consumers, but if I would be one of the contributors to those projects I might be a bit pissed off if they didn't ask for permission.
Selling people collections of software (which you didn’t code yourself, you simply repackaged) on floppy disk or tape was an old-school practice in the Free Software world and generally considered perfectly fair.
I did wonder how they got all these apps out of the gate so quickly.. they didn't.
Librem Mail – Standard SMTP/IMAP/POP MTA, with OpenPGP
Librem Tunnel – OpenVPN
Librem Chat – Matrix, XMPP (coming soon)
Librem Social – ActivityPub
Edit: formatting
Also notice, in their "alternative graphics" none of the open source clients are listed.
Otherwise, seems like a pretty neat idea -- it could open the door to more lay-people using open protocols like Matrix without everyone jumping on Matrix.org for free or having to self-host. I am interested to see how the Librem Files/Backup system will work if it comes about (I would guess NextCloud but if they have a better solution I'd like to see it since I've had my fair share of pain with self-hosting NextCloud). It looks like there would be some kind of cohesive management of all these services, which I think is a great example of the usefulness (for users) that open standards can have.
It does bother me a bit that the apps are clearly mild reskins and there is no mention of the original app creators -- obviously this helps with brand recognition but seems a little bit dishonest. Really, you're paying for hosting (which is totally fine), and it should be clearer that they're just giving you mostly-consistent apps that work with their service out-of-the-box.
I also am doubtful the Librem Pay idea will pan out though. The number of real businesses which accept $x-coin is effectively zero for most people.
It's a bit of a shame that WireGuard still requires out of tree components to work.. I'm rooting for it to get accepted/merged, but until it does it just becomes a greater risk to build a business off of it.
But honestly though, the risk is identical to any other kernel module -- the author and future subsystem maintainer ensures it builds and works with all new and old kernels, and releases snapshots very regularly. Almost all distributions have packages for WireGuard which are automatically rebuilt with new kernel releases.
There are arguments against using it because it's still (on paper) pre-1.0 software but given it's had fairly widespread use for the past 3 years and no security nightmares it's shown to be quite a bit more secure than
[1]: https://marc.info/?l=linux-netdev&m=155323912319537&w=2
[2]: https://lwn.net/Articles/770750/
The offering is a bundle of services that respect you and your privacy. $7.99/mo for a software suite: Librem Chat (Riot), Librem Social (Mastodon), Librem Mail (K9), Librem Tunnel (OpenVPN), and more services coming soon e.g. Librem Files, Librem Backup, Librem Contacts, Librem Pay, Librem Dial.
The key value for me is all of these are curated, updated, available/accountable via one vendor, etc. Other people who prefer free-as-in-beer versions can still get Riot, Mastodon, K9, OpenVPN, etc. as is.
And if any of you are product managers or technical marketers, have a look at the Librem products matrix and explanations area-- in my opinion it's among the best in the industry: https://librem.one/#mce_1
The documented switches like SYNAPSE_CACHE_FACTOR seem to cause wild oscillations in RAM use and worsen the OOM problems; when enabled, Synapse would jump between 500MB and 3.8GB of RAM constantly, eventually OOMing.
Edit: Also, the support channels for Synapse exist, but you will rarely get any response.
One big misconception is that somehow RAM usage is related to the number of users on your server - instead, it's related to the size & complexity of the rooms your users are participating in. In other words, one person who joins thousands of rooms with thousands of users in them will use a lot more RAM than a server with a thousand users who use it only for small group chats.
The things to check if your Synapse RAM is high are:
* Make sure you're running postgres. Sqlite is not currently usable in production.
* Make sure you're running Python 3.7
* Increase the synapse cache factor a bit.
* Check for and prune extremities (https://github.com/matrix-org/synapse/issues/1760), which will soon be a thing of the past, but we're not there quite yet.
If it's still overloaded, then you need to look at splitting the synapse master process off into workers (https://github.com/matrix-org/synapse/blob/master/docs/worke...) or disabling presence.
In terms of whether you get response in the support rooms - whilst the core team has been preoccupied with infrastructure security over the last few weeks, the rest of the community is generally happy to help with synapse tuning and the rooms are far from idle...
You can't call something ethical without going into detail about what you mean. and:
Policy No Ads No Tracking We respect you
is not useful.
The value in ethics is in the conversation around what is ethical, not in a big, friendly "this is ethical" sticker.
This is as useful as "do no evil", and from the vague wording on the landing page, I'd imagine the people behind librem don't think google is very ethical right now.
so... no-one can say their product/service is "ethical" without getting into a semantic argument about what "ethical" means
or... anyone can call their product/service "ethical" and it's up to the buyer to work out if their definition of that agrees
What I would like is for services like this to provide, up-front, a more complete discussion of how they've arrived at their recommendations, and what criteria they consider.
I actually agree 100% with you, however I think at this stage of the market development, it's enough to have a 3rd choice whose apps and services are open.
Librem is facing the "Grandmother problem". In order for this concept to actually succeed, it eventually needs regular folks to buy it. It's not enough to tell thousands of grandmothers to "buy our phone hardware and simply download and install any of the dozens of confusing and competing software stacks by following these 20 instructions on github". It needs to be marketed and sold as a coherent integrated product, otherwise just buy an old Samsung and root it yourself....
I think it would be a huge mistake to NOT tailor a specific experience for a Linux phone since it would then be doomed to obscurity (more than just by fact of not being Android or iOS) like the million Linux desktop distributions that never "just get it" out of the box for 99% of people.
If all you want is a "Linux phone", you could buy a PinePhone for $150 or work on porting postmarketOS to an Android phone. The Librem 5 clearly has higher ambitions and could prove to be a more mass-market product.
Which means that "which means we put social good above exploiting people" should really be "which means we can put social good above exploiting people" as it's not a requirement.
So, what's the purpose of an SPC instead of just a for-profit company? A for-profit can also consider social and environmental issues, AFAIK.
The idea that "fiduciary duty" requires directors to pursue profit "above all else" is flatly false, and has led to untold amounts of misunderstanding and meaningless noise since whichever fool monkey first uttered it.
Right at the root of something very fundamentally wrong about our way of conceiving of/enforcing how business is done.
What matters is whether they can win, or cost enough that you have to settle. It appears that shareholders have not had much luck with such gambits.
So this is really more of a marketing phenomenon: "we won't be as bad as FAGAM", and we rely on the people who chose to work there to keep it honest.
That can work as long as they don't get too big, or too cozy.
Cautionary examples include the American Cancer Society (wholly lost) and the Red Cross (mismanaged).
I don't understand encrypted email very much at all. Is encryption on emails that I have received controlled by the sender? Almost all of the transactional emails I have received (receipts, confirmation numbers, etc) are probably unencrypted, right? This doesn't sound desirable.
The sender encrypts a message with the sender's priv key and the recipient's pub key.
The recipient decrypts the message with the sender's pub key and the recipient's priv key.
> Almost all of the transactional emails I have received (receipts, confirmation numbers, etc) are probably unencrypted, right?
Totally up to your email provider and a sender's email provider. Your provider may choose to send/accept email over TLS, which is also encrypted. Gmail, for example, does this.
You just need the recipient's public key to encrypt. Are you thinking about the sender adding a cryptographic signature, too?
> The recipient decrypts the message with the sender's pub key and the recipient's priv key.
You don't need the sender's public key, just the recipient's private key to decrypt. Though, if there's also a cryptographic signature from the sender, then you would need the sender's public key to verify the signature.
What am I missing that causes this to make sense as a feature?
Regarding the VPN row, I don't think this is a case of being dishonest - meaning, Purism is lying. Rather, this chart simply feels like it was created hurriedly.
What motive would they have for saying they are in competition with PIA, when PIA is most likely the service behind Librem Tunnel. Perhaps someone goofed.
Edit: My suspicion that this page was rushed is seemingly confirmed when I see:
"In the Press As mentioned in:"
But there is nothing there.
1: https://librem.one/wp-content/uploads/2019/03/competitive-ta...
https://lh3.googleusercontent.com/R3_hK1xk1oBWLb_jXB9EsWETnO...
On Tuesday, 30 April 2019 at 23:29, [me] wrote:
> Hi there, will you support custom email domains? I'd love to migrate from
> Google Apps!

We're looking into it, but cannot say nothing for sure for now.

> -[me]

Kind regards,

--
[support person]
Purism support
..."The Corporation will only use and distribute free/libre and open source software in the kernel, OS, and software in its products."...
However, I'm going to hold off on paying for the service until I see how it evolves over the next year or two.
There is no point in free/ethical/etc file storage if I still have to use Microsoft Office to edit files, which is neither free nor very collaborative. Text editors are relatively easy to replace. Google Sheets are really really hard to replace. Even Microsoft Excel seems somewhat inferior to Google Sheets to me now.
Not even as a planned app?
First, most users will never want to pay for a service, especially things like chat, email, social. What I mean by that is, the market is already there for social apps that allow completely free usage by using user data, think Facebook, Twitter, Instagram, etc.
Second, asking users to pay for a service at about $8/mo is pretty steep. Purism/librem aren't building all the apps themselves.
> "A lawful request for account information was received"
Maybe sometimes, but the US government has an unconstitutional tool up its belt it has been using freely since 2001:
https://www.law.cornell.edu/uscode/text/18/2709
> 18 U.S. Code § 2709. Counterintelligence access to telephone toll and transactional records
> (c) Prohibition of Certain Disclosure.—
> If a certification is issued under subparagraph (B) and notice of the right to judicial review under subsection (d) is provided, no wire or electronic communication service provider that receives a request under subsection (b), or officer, employee, or agent thereof, shall disclose to any person that the Federal Bureau of Investigation has sought or obtained access to information or records under this section.
TLDR: If the FBI tells them not to, they can't tell you they've given your information away.
In the interest of full disclosure, I believe they should warn people about this.
(Y'all probably have heard about this in the form of Warrant Canaries: https://en.wikipedia.org/wiki/Warrant_canary)
I like the message, I like the intent, I like what Librem does. I like that they're going to have data after this seeing just how many people are willing to pay money for privacy. I am. I'll probably pay for this software regardless. It's just a shame our own governments are standing between us and actual privacy - I'm starting to wonder who is serving who these days.
I hate ads and care about my privacy as much as anyone else here. However, the argument that a free ad-supported product X available to anyone in the world with an internet connection is less ethical than product Y which requires a monthly payment for access seems tenuous at best. Especially when you consider that the price is out of the question for those in developing countries.
This is a luxury purchase, not an ethical one.
The existence of crypto near any product makes me immediately do a double take anymore, because there are tax implications there that you're kinda forcing on people.
The design of these apps needs to be much more refined if you want to charge money for them. I'm usually willing to give a bit on it when it's for the right cause, but... this stuff feels so off that it's tough to look at. If you're gonna play in the iOS app store, you need to be willing to invest in this.
End hot takes, I guess. I want Purism to succeed but I feel like they're just making the same mistakes every "year of the Linux desktop" scenario made, wherein they're not competing on the features that draw eyeballs. It doesn't need to be the focus, but you can't neglect it either.
Maybe for stuff that requires convenience but not security. I don't trust any Five Eyes country either.
I currently use Swiss and Romanian services for my business, and while the experience is not as smooth as, say, Gmail or Digital Ocean, it's good enough.