by esonderegger 3914 days ago
I see a bunch of comments asking about the use case, so I'll share one...

The Defense Department agency I work for employs between 50 and 100 developers, many of whom, like me, are contractors. The security folks have things locked down to such a degree that developers don't have root access to their own machines and the process for getting new software approved for use on a developer machine takes months. We just got permission to have git installed, for example. Getting Nodejs installed probably isn't going to happen unless they could figure out a way to disable npm. All ports to the outside are shut down except for 80 and 443 and everything runs through IronPort, so anything running https has to allow you to not verify SSL.

If the latency/general performance is good enough, I think developers would love to use something like this for their primary development environment. From the agency's perspective, $50-100 per developer per month would be cheap enough to be a no-brainer. As far as the security folks are concerned, this is just web traffic, so they would have no problem with it.

My only issue is that this pricing doesn't seem to be very friendly to the use case of wanting just one instance, but with unlimited hours.

5 comments

This seems like a pretty bad idea. All you do is work around the security rules of the agency. If your "easy to install" software has some kind of security exploit in it you just gave someone access to all the work you were doing on your "virtual workstation", which might be pretty bad.

It's probably less bad than an exploit of some locally installed software, but if you do most of your work in the vm it can still be pretty bad.

I understand that you're pissed off at the security rules making your job hard, but the correct fix is to fix policy, not work around it.

Yeah, he can get right on fixing the policy. All he has to do is go talk to Obama and right after that he can get lunch with the Secretary of Defense and show him a powerpoint about why everything the government does with IT security is stupid.

Then, 3 years later, he can get started doing work.

To me, it comes down to whether the deliverable is the source code itself or the process by which the source code is created.

If the deliverable is static html, for example (it often is), then it shouldn't matter if that static html is authored in Eclipse or Sublime Text. By all means, the dependencies used in java projects should be scrutinized. The problem is, when it is too cumbersome to even experiment with something new from the open-source community, you end up trying to create your own in-house solution, which is way more expensive and usually less secure.

Fortunately, even top levels of management have recognized this problem. Virtual workstations are just one of a couple proposed solutions, but it's a serious option.

If they allow this they don't care about the security regarding any code or IP you generate or any data you use, in which case it is strange they don't just put you on a separate, less restricted part of the network, or give you a box there.

Also, a DO droplet would be cheaper (and with unlimited hours); you can have a droplet running a vnc server in a couple of minutes (and clone it afterwards), with any DE you like. Don't know about how the (cpu) speed compares though.

Fortunately, the source code and test data we're working with are not considered sensitive. As a matter of fact, the separate, less restricted part of the network approach has also been proposed. I don't know what's been holding up that proposal, but assigning responsibility for that separate part of the network can be tricky.

I had always figured DO was the wrong approach because ssh isn't an option, but I suppose if you create a droplet with the VNC over https stuff already set up, then it could just be cloned by everyone else. Thanks for the idea!

I don't think that this solution will have any general appeal. First it's probably only a niche of developers that will consider using this product. Secondly, why would someone use a computer in the cloud that will probably perform as well as a low-end PC? Your case may be valid but for someone that wants serious security, is a cloud-based OS really that secure?

I don't think that this solution has any general appeal. Why would you use a computer in the cloud that will probably perform as well as a low-end PC? Your case may be valid but for someone that wants serious security, is a cloud-based OS that secure?

> Getting Nodejs installed probably isn't going to happen unless they could figure out a way to disable npm.

Entirely possible! Just ask the folks at the last company I worked for (a bank). What a nightmare.

Good to know - thanks!

Although I would say that would cripple the entire point of having node, since now things like grunt, gulp, browsersync, etc. would all need to go through that same approval process. Better to have development happen on a network so far removed from sensitive data and mission-critical hosting that the admins aren't scared of it.

What were you trying to do at the bank that used node, but didn't need npm?