by cyphar 2609 days ago
It's a bit of a shame that Librem Tunnel doesn't use WireGuard, though I imagine they'll switch once it's in mainline.

Otherwise, seems like a pretty neat idea -- it could open the door to more lay-people using open protocols like Matrix without everyone jumping on Matrix.org for free or having to self-host. I am interested to see how the Librem Files/Backup system will work if it comes about (I would guess NextCloud but if they have a better solution I'd like to see it since I've had my fair share of pain with self-hosting NextCloud). It looks like there would be some kind of cohesive management of all these services, which I think is a great example of the usefulness (for users) that open standards can have.

It does bother me a bit that the apps are clearly mild reskins and there is no mention of the original app creators -- obviously this helps with brand recognition but seems a little bit dishonest. Really, you're paying for hosting (which is totally fine), and it should be clearer that they're just giving you mostly-consistent apps that work with their service out-of-the-box.

I also am doubtful the Librem Pay idea will pan out though. The number of real businesses which accept $x-coin is effectively zero for most people.


> It's a bit of a shame that Librem Tunnel doesn't use WireGuard, though I imagine they'll switch once it's in mainline.

It's a bit of a shame that WireGuard still requires out-of-tree components to work. I'm rooting for it to get accepted/merged, but until it does it just becomes a greater risk to build a business off of it.

It's in the process of being merged into net-next and mainline right now[1] and most of the hangups are around the new crypto library that WireGuard uses[2].

But honestly though, the risk is identical to any other kernel module -- the author and future subsystem maintainer ensures it builds and works with all new and old kernels, and releases snapshots very regularly. Almost all distributions have packages for WireGuard which are automatically rebuilt with new kernel releases.

There are arguments against using it because it's still (on paper) pre-1.0 software but given it's had fairly widespread use for the past 3 years and no security nightmares it's shown to be quite a bit more secure than

[1]: https://marc.info/?l=linux-netdev&m=155323912319537&w=2

[2]: https://lwn.net/Articles/770750/

> the risk is identical to any other kernel module

Nope, it's not identical. There's a forcing function (e.g. Linus) to help motivate maintainers to fix their crap in the kernel tree if it breaks. That forcing function does not exist for out of tree patches.

If we were talking about the out-of-tree VirtualBox drivers I would agree with you. But we're not -- WireGuard has proven itself to be incredibly solid for the past 3 years and supports all kernels since 3.10 (with each commit getting tested against all of those kernels).

To be honest, those are far more stringent requirements than most subsystems in the Linux tree. Being in-tree is better for a variety of reasons, but just because something is in-tree doesn't make it significantly more stable or safe (I can think of several counter-examples where Linus hasn't motivated maintainers to fix mistakes and breaking changes).