Librem One – A growing bundle of ethical services (librem.one)
272 points by noahth on April 30, 2019 | 130 comments



Lots of great criticism on this thread. Lots of great reasons to maybe stay away from Purism.

However...

What I personally think is really interesting here is the bundle. I don't want to pay $10/month for a Twitter clone. I don't want to pay it for VPN. I don't want to pay it for email, or file storage, or contact manager, or payment system.

But as a bundle?

$10/month to actually solve all of my digital privacy concerns?

That's a rather appealing proposition. I'm not sold Librem One truly solves this, for all the reasons in this HN thread. But I think the idea that I could make a single Netflix-sized monthly payment to simply solve privacy across-the-board is something I could get behind. And I'm cheap AF.

They're onto something.


Agreed, just OSS software on its own is great but these products need proper marketing and delivery.

If Purism is offering clean and transparent connections to services backing them combined with some sort of delivery (update) + support mechanism, that is already far better than just telling someone to download 5-6 apps + subscribe to 3-4 services (VPN, email server, backup server, etc).

It's not as ideal as a purely decentralized, multi-party system for security's sake, but it's better than what 99% of people are going to be using otherwise - in the real world.


If we want federated services, like matrix, to take off then we need to find a way to get users to pay for it.

Everybody is still free to set up a server at home or on a VPS. But there has to be a place you can point ordinary people to.


Yup! Privacy apps are borderline useless to me if the people I want to engage with don't use them. And probably 95% of the people in my social circle are not hackers/engineers who are comfortable managing their own servers.


while you make the non-free app more appealing by giving in and using them


www.modular.im


While I think modular.im is a good idea for the Matrix devs to hopefully be able to sustain development, getting more third-party hosts should be the name of the game.

And while I love the Matrix.org folks and all the work they've been doing, the recent hack was such a complete shit-show (with so many glaringly bad decisions). This was likely the result of nowhere near enough resources to dedicate to infrastructure, so maintaining thousands of clients' infrastructure as well would be a very bad decision.

Personally, there's no way I would use them for hosting if I was planning on not using matrix.org anyway.


I'm currently finishing up the postmortem writeup on the security breach, but the tl;dr is that the old infra surrounding the matrix.org server had grown organically and hadn't received any proper ops love.

modular.im however runs on entirely different infra, and was set up by a professional ops team, was not compromised during the breach, and should be considered trustworthy. Also, money from Modular goes directly to supporting the core Matrix.org team, so if people don't use it due to concern over the breach it's going to hurt us badly. This is doubly true if people end up using other paid hosting providers (like Librem.one) which don't actually contribute any funding back to the project.


I fund you folks on Liberapay so you've already got my $10/mo (and much more) without the other overhead of taking care of my messaging service. I also self-host so am not going to use Librem.one anyway[+]. However...

> old infra surrounding the matrix.org server had grown organically and hadn't received any proper ops love

I'm sorry to be a bit harsh, but "hosting package and android signing keys on production servers" and "not putting services on an internal network accessible only by VPN" aren't small mistakes. They're major screw-ups. An "organically grown" setup where the signing keys were on one developer's laptop would've arguably been more secure than the old setup.

Don't get me wrong, I really want you to do well (I've used Matrix for years and have donated >£1500 over that time). But I have to be honest with you that trust in your infrastructure is going to be very hard to get back. Hell, it took until last week for some of the remaining services from the breach to be back up (fedtester was down last week from memory)!

The offer for hosting matrix.org packages on OBS is still open. It'd reduce at least a bit of maintenance overhead and would at least allow homeserver operators to get the latest packages independently of the main matrix.org infra. :D

> and was set up by a professional ops team

Given that the ops team is presumably employed by New Vector, why wasn't the matrix.org infrastructure fixed before launching a new product? Was this something that was planned to happen but never did, or was the long-term plan to shut off matrix.org and get everyone to switch to Modular?

[+] Though I'm surprised that you seem to see public offerings of Matrix homeservers to be a negative rather than a success of the protocol -- surely this plan was obvious given the Librem 5 wanting to use Matrix as the main messaging service. Obviously I think they should contribute back to Matrix.org, but isn't focusing on that missing the wood for the trees? Also the main benefit people will have out of a service like Librem.one is that you are paying for all of the services provided, not just one. I have a feeling selling "just another chat system" to folks (which is what most people think when they first see Matrix) will be much harder than selling "G-suite that protects your privacy".


firstly - thank you for supporting the project :)

wrt the security practices on the old infra; yes - clearly they were major screw-ups. all I can do is spell out what we did wrong, and that we are painfully aware of the errors, and what we are doing to fix it going forwards.

> why wasn't the matrix.org infrastructure fixed before launching a new product.

because we put all our energy into getting modular sorted properly to try to increase $ to fund the team, rather than tidying up the old infra, with the expectation of eventually moving matrix.org over to the new hosting infra RSN.

> Though I'm surprised that you seem to see public offerings of Matrix homeservers to be a negative

It's very much a positive from the protocol's perspective. But from the painful practicality of keeping the team funded, it's a problem to spend time supporting Librem-specific issues if there's no $ to cover the time, as it just ends up sucking time from the core project. There is a massive risk of the tragedy of the commons here. In other words: from the perspective of keeping the team paid to work on Matrix as their day job, we'd rather users bought Matrix hosting from providers who funnel some of the revenue back to the core team. Hopefully Purism will end up doing so.


I look forward to reading your write-up. And I really do hope that Purism gives money back to you folks and the other original projects (unfortunately there are many more counterexamples than examples of this happening in the past). Wasn't there already some agreement with them in order for them to have decided to use Matrix on the Librem 5 -- or is there no such revenue-sharing arrangement? (Or was the arrangement "host your own homeserver"?)


> Wasn't there already some agreement with them in order for them to have decided to use Matrix on the Librem 5 -- or is there no such revenue-sharing arrangement?

We were hoping they would funnel $ from the Librem 5 campaign to help support Matrix, and there was an agreement to do so if the campaign reached a given threshold. So far we haven't seen anything, but live in hope.


This seems to basically be the logical conclusion of profitable FLOSS software, no? The entire software stack is free and open-source; what the end-user is paying for is an attached service, like the infrastructure hosting/bandwidth, cloud storage, software support, updates, etc.

It seems preferable to the donation model.


Agreed, the bundle ("...to actually solve all of my digital privacy concerns...") is definitely the cool part in all of this!


ISPs could offer this bundle as part of the internet connection like they (used to) offer an email account and web page.


That is a FANTASTIC idea.

The challenge, at least in my neck of the woods, is that all the independent ISPs got purchased by bigger players who aren't exactly in a rush to be innovative.


A future integration/compatibility with NextCloud will be awesome.

https://en.wikipedia.org/wiki/Nextcloud


This is quite dishonest, they make it seem like they develop the apps themselves. But they don't and they give no credit to the actual original apps.

Librem Chat = Riot.im

Librem Social = Mastodon (specifically the Tusky app)

Librem Mail = K9 Mail

Librem Tunnel = OpenVPN


I actually think it's great if there is commercial use of open source. That means they can reinvest development time into the projects, because their customers will depend on those projects.

The alternative seems to be walled gardens.

Other companies do similar things, such as Fastmail which develops the open source IMAP server Cyrus [1]. I've been a happy Fastmail customer for years. Cyrus is still free for anyone to use even though Fastmail makes money from it.

[1] https://www.cyrusimap.org/


I do hope they make some sort of official commitment to using parts of these funds to fund maintenance and development of the open source projects they are depending on, especially the smaller ones that need funding. They should earmark an official percentage, which could be subject to change in the future, but at least make it known.

Like 5% to Riot, 5% to Mastodon, 5% to K9.

Could also give to the GNOME Foundation, Linux Foundation, and OpenVPN, but I think those are pretty sustainable already.

I'd easily pay $10 a month for this if they make it clear they're going to give back to the open source projects included.


Fully agree that it is great to see commercial offerings which help to further decentralize the internet - and by using open source software - as well as ensuring that there is a business model which will keep them available for customers. (Note, that I stated customers and not merely users.) From a capitalist perspective: the more choice, the better it is for consumers - and in this case it generates the side benefit of decentralization. The only thing I nitpick on here is that they really should disclose the underlying open source software that their platforms are based upon. I mean, it really shouldn't take much more than a few entries into their FAQs.


This is the standard playbook of every Surveillance as a Service business though - package up a bunch of preexisting Free software, design a proprietary closed-world frontend, and market the hell out of it.

So while you have a point, I think "quite dishonest" is a bit too much condemnation. The stack is so big, with the majority of energy already being siphoned off by SaaS bundlers, it's basically impossible to rebuild the entire stack anti-surveillance-like as one big release. Rather we're going to end up with many approaches, each trying to solve a bit of the problem. The bit of the problem being solved here is really the popularization angle - making an easy touchstone recommendation for someone who is interested in privacy but would/could/should never self-host.

I quickly picked up that the Chat was Matrix, and assumed the tunnel was openvpn or wireguard (designing a new protocol would be a priori cryptographic incompetence). So perhaps constructive feedback to better summarize the underlying software for people "in the know" is worthwhile. But writing off the actual value-add of the project, the productization itself, mainly just results in hindering the ability of the Free community to market.


Speaking as the project lead for Matrix - we are hoping that we will see some kind of financial support from Purism to fund the prioritised bugfixes/features/support they need around Synapse and Riot to ensure Librem.one's (and the Librem 5's) success.


$8/month is rather steep for some email and IM hosting. So there should be revenue left to share with you and the other upstream projects.

Personal side note: I’m not a fan of branding open source apps. It delays security updates and waters down the original brands; Riot and K9 have good reputations; why not utilize those?


I can imagine two reasons for branding.

The first is that Librem may need to make changes that cannot be accepted by upstream. It can be features they need to have now to keep users happy. But another example could be that they want their Riot to default to their homeserver and not to matrix.org. You don't want to wait until you get a trademark conflict with the main project.

The second reason could be that Librem has to market their brand. If they keep Riot for example, people type it in google and end up on the official riot site, then it may be hard for Librem to attract new users.


> But another example could be that they want their Riot to default to their homeserver and not to matrix.org.

This isn't valid. They could absolutely ship Riot with its existing branding, with a config set to use their (or any other) homeserver. The matrix.org homeserver just happens to be the default (at the moment).


Imagine somebody using a Librem Riot version that has been modified to default to the Librem homeserver. Now that user needs to use Riot on a new device and ends up with the standard Riot. The user doesn't see any difference but just finds that it fails.

If the user calls Librem support then they have to figure out what is going on. Which costs money and they still have a frustrated user.

Branding is often not about what is technically or legally possible, but about creating the right perception with users.


The VPN isn't a hosted service? Just the client software? A few others mention they are connected to subscription systems, such as the back-up service. So it seems to be more than just repackaged software, but software + service + support (the big barrier for most OS adoption - requiring the customer to set up and configure 6 different services).

Either way, anything that gets people using more encrypted open-source software is totally okay with me.

As long as they are transparent about their stack and the authors of the software are cool with it - why not have it bundled with clean packaging and a slick donation model?


I advise a good program VeePN, it works not bad


A VPN can't be a hosted service because it needs to sit on the machine you're trying to protect.


I believe you are mixing up "hosting" an OpenVPN server and having a client on your machine to connect to it (ie, their branded OpenVPN-powered client).

From the page it's clear they are also providing hosted file and email servers via subscription in addition to the branded-clients. Which is why I asked specifically about VPN hosting.


> Librem Chat – end-to-end encrypted chat, VOIP, and video calling used by millions of people

> Librem Mail – end-to-end encrypted email used by nearly everybody already

> Librem Tunnel – end-to-end encrypted VPN tunnel proven by millions of users

> Librem Social – public social media with millions of people already active

I was wondering what they meant, _how could the apps of something that haven't yet launched be used by "millions of active users"_.


I'm not upset they rebranded them, but this comment is what I was looking for. I figured they didn't scratch built all of it, and wanted to know what services they were really selling.


I agree and this strikes me as odd as well. I really want to like this product and it’s squarely in the area of a service I would pay monthly for.

But, the Social app looks exactly like a twitter screen shot, and the VPN looks identical to PIA’s iOS app.

The chat UI isn’t great, and the Mail app is even worse. They all look like apps you would find on F-Droid which are great, but I wouldn’t feel excited about paying monthly for an app suite that's lacking in polish.

Their claims of millions of active users on each of the services also seem questionable. Maybe if they’re counting the total number of XMPP users I could see that.

Lastly, the framing of donating to what is by definition a for-profit company is off putting for me personally.


Two things - you're not paying for apps in any way, they're FLOSS. You're paying for services - infrastructure, administration, "cloud" space etc.

Also, while Purism is indeed a for-profit company, it's actually an interesting case since it's a Social Purpose Corporation - it's not there to maximize profits, but to maximize its social purpose. It legally can't do anything that would be at odds with its legally defined social purpose: https://puri.sm/about/social-purpose/


I see your point, but as they’ve also created the apps under their brand it seems likely the monthly fee would also go towards (hopefully!) the continued improvement of those apps.


Judging from my past interactions with people from Purism I'm pretty sure their goal is to have all their improvements going upstream, with forks focusing mostly on branding and cross-integration within the bundle and their hardware.


Millions of active users is for Librem Social only, that is the fediverse. See more stats on https://fediverse.network/reports/2018

With Librem One you get a Mastodon account on their own Mastodon instance. That instance can speak with all other instances on the fediverse with the ActivityPub protocol. So yes, with Librem Social you can easily connect with more than 2 million people.


Yes. It struck me as odd too seeing familiar apps rebranded. Does Librem publish source code of their modifications?


It's legally bound to release all its software as FLOSS: https://puri.sm/about/social-purpose/


Good to know. So what's the repo URL?


Haven't dug particularly for those apps yet, but generally their source repository is at https://source.puri.sm/


It's not dishonest to repurpose open source software for a hosted commercial product. It's kind of the whole point!


Except for email, which they appear to be hosting, so it's more than just "K9 Mail" client app.


I wonder if they just took those apps and rebranded them or if they contacted those projects and asked for their permission (even if legally not required).

I mean, I like what Librem does in general and I also think that marketing those apps as a uniform service (without distracting attributions) is definitely a pro for consumers, but if I would be one of the contributors to those projects I might be a bit pissed off if they didn't ask for permission.


The entire point of open source is that you don't need to ask for permission.


This is something that I've noticed too. I really want to like this but they are claiming to charge people for apps that they don't own and are already free. If they said that they simply take care of all complicated hosting or simplified the process I'd be more optimistic about this.


They are charging for hosting, administration and development, not for the apps that are just branded and provided for convenience. You can use any app you want, or use Librem-branded apps with other servers for free (both as-in-beer and as-in-freedom).


> I really want to like this but they are claiming to charge people for apps that they don't own and are already free.

Selling people collections of software (which you didn’t code yourself, you simply repackaged) on floppy disk or tape was an old-school practice in the Free Software world and generally considered perfectly fair.


Those were disks you installed and ran yourself. This is a hosted product that runs in a (not free) data center. It's perfectly legit to charge for the service of hosting an open source or free app.


They do say exactly that, and that's what you're paying for. If you'd like to host your own versions of those open source apps, you're more than welcome to.


Agreed! I'm not opposed to companies making fair money off of open source software...BUT, they need to disclose clearly the underlying software. Hey RedHat - for all their good or ill - has made tons of money that way, so there is precedent.


Agreed it's kind of dishonest. I mean technically it isn't but it sure does obscure a lot of volunteer hard work by a lot of people.

I did wonder how they got all these apps out of the gate so quickly.. they didn't.


When I scrolled down I saw some of the base FOSS projects get named in a list.

Librem Mail – Standard SMTP/IMAP/POP MTA, with OpenPGP

Librem Tunnel – OpenVPN

Librem Chat – Matrix, XMPP (coming soon)

Librem Social – ActivityPub

Edit: formatting


Those are just the protocols. They should also list the client application they're forking as well. What they're doing is like forking nginx, selling you a webserver, then when people ask what it's based on replying with 'http(s)'.

Also notice, in their "alternative graphics" none of the open source clients are listed.


So? They'll use the money to improve the apps and they will have to release the improvements under the GPL. It's a win-win.


They should've gone with WireGuard anyway.


And it should have been possible as Cloudflare showed with Warp: https://blog.cloudflare.com/1111-warp-better-vpn/


It's a bit of a shame that Librem Tunnel doesn't use WireGuard, though I imagine they'll switch once it's in mainline.

Otherwise, seems like a pretty neat idea -- it could open the door to more lay-people using open protocols like Matrix without everyone jumping on Matrix.org for free or having to self-host. I am interested to see how the Librem Files/Backup system will work if it comes about (I would guess NextCloud but if they have a better solution I'd like to see it since I've had my fair share of pain with self-hosting NextCloud). It looks like there would be some kind of cohesive management of all these services, which I think is a great example of the usefulness (for users) that open standards can have.

It does bother me a bit that the apps are clearly mild reskins and there is no mention of the original app creators -- obviously this helps with brand recognition but seems a little bit dishonest. Really, you're paying for hosting (which is totally fine), and it should be clearer that they're just giving you mostly-consistent apps that work with their service out-of-the-box.

I also am doubtful the Librem Pay idea will pan out though. The number of real businesses which accept $x-coin is effectively zero for most people.


> It's a bit of a shame that Librem Tunnel doesn't use WireGuard, though I imagine they'll switch once it's in mainline.

It's a bit of a shame that WireGuard still requires out of tree components to work.. I'm rooting for it to get accepted/merged, but until it does it just becomes a greater risk to build a business off of it.


It's in the process of being merged into net-next and mainline right now[1] and most of the hangups are around the new crypto library that WireGuard uses[2].

But honestly though, the risk is identical to any other kernel module -- the author and future subsystem maintainer ensures it builds and works with all new and old kernels, and releases snapshots very regularly. Almost all distributions have packages for WireGuard which are automatically rebuilt with new kernel releases.

There are arguments against using it because it's still (on paper) pre-1.0 software but given it's had fairly widespread use for the past 3 years and no security nightmares it's shown to be quite a bit more secure than

[1]: https://marc.info/?l=linux-netdev&m=155323912319537&w=2

[2]: https://lwn.net/Articles/770750/


> the risk is identical to any other kernel module

Nope, it's not identical. There's a forcing function (e.g. Linus) to help motivate maintainers to fix their crap in the kernel tree if it breaks. That forcing function does not exist for out of tree patches.


If we were talking about the out-of-tree VirtualBox drivers I would agree with you. But we're not -- WireGuard has proven itself to be incredibly solid for the past 3 years and supports all kernels since 3.10 (with each commit getting tested against all of those kernels).

To be honest, that is far more stringent requirements than most subsystems in the Linux tree. Being in-tree is better for a variety of reasons, but just because something is in-tree doesn't make it significantly more stable or safe (I can think of several counter-examples where Linus hasn't motivated maintainers to fix mistakes and breaking changes).


Awesome. Props to the Purism Librem team for excellent ongoing progress on the superb laptop, new phone, and this new Librem One software offering.

The offering is a bundle of services that respect you and your privacy. $7.99/mo for a software suite: Librem Chat (Riot), Librem Social (Mastodon), Librem Mail (K9), Librem Tunnel (OpenVPN), and more services coming soon e.g. Librem Files, Librem Backup, Librem Contacts, Librem Pay, Librem Dial.

The key value for me is all of these are curated, updated, available/accountable via one vendor, etc. Other people who prefer free-as-in-beer versions can still get Riot, Mastodon, K9, OpenVPN, etc. as is.

And if any of you are product managers or technical marketers, have a look at the Librem products matrix and explanations area -- in my opinion it's among the best in the industry: https://librem.one/#mce_1


I'd be wary of Librem Chat being viable long term, Synapse (the server software for matrix) is a real ram hog, we see it hover at ~2GB of ram with 5 active users and have bumped its VM up to a dozen gigs of ram to deal with it OOMing (despite having 4GB of ram).

The documented switches like SYNAPSE_CACHE_FACTOR seem to cause wild oscillations in ram use and worsen the OOM problems, when enabled Synapse would jump between 500MB and 3.8GB of ram constantly, eventually OOMing.

Edit: Also, the support channels for Synapse exist, but you will rarely get any response.


Speaking as the project lead for Matrix; we are continuing to work on Synapse's RAM use, and it will only get better over time.

One big misconception is that somehow RAM usage is related to the number of users on your server - instead, it's related to the size & complexity of the rooms your users are participating in. In other words, one person who joins thousands of rooms with thousands of users in them will use a lot more RAM than a server with a thousand users who use it only for small group chats.

The things to check if your Synapse RAM is high are:

* Make sure you're running postgres. Sqlite is not currently usable in production.

* Make sure you're running Python 3.7

* Increase the synapse cache factor a bit.

* Check for and prune extremities (https://github.com/matrix-org/synapse/issues/1760), which will soon be a thing of the past, but we're not there quite yet.

If it's still overloaded, then you need to look at splitting the synapse master process off into workers (https://github.com/matrix-org/synapse/blob/master/docs/worke...) or disabling presence.

In terms of whether you get response in the support rooms - whilst the core team has been preoccupied with infrastructure security over the last few weeks, the rest of the community is generally happy to help with synapse tuning and the rooms are far from idle...
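As an added illustration (not from the comment above, and not the Synapse project's own documentation), here is the database section of a Synapse homeserver.yaml with the sqlite3 setting the checklist warns against beside the PostgreSQL (psycopg2) setting it recommends. The file path, role name, password and database name are placeholders.

```yaml
# Synapse homeserver.yaml, database section only (added example, placeholder values).

# BEFORE: the sqlite3 backend. Fine for a throwaway test install, but the
# thread above says it is not usable in production and that sqlite servers
# will soon be stopped from federating. Shown commented out for comparison.
#database:
#  name: sqlite3
#  args:
#    database: /var/lib/matrix-synapse/homeserver.db   # placeholder path

# AFTER: the psycopg2 backend talking to a local PostgreSQL server.
# One-time prerequisite, run as a PostgreSQL superuser (placeholder names):
#   CREATE USER synapse_user WITH PASSWORD 'changeme';
#   CREATE DATABASE synapse ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C'
#     template=template0 OWNER synapse_user;
# Synapse requires the 'C' collation; other collations break its handling
# of non-ASCII room and user data.
database:
  name: psycopg2
  args:
    user: synapse_user
    password: changeme          # placeholder, store a real secret here
    database: synapse
    host: localhost
    cp_min: 5                   # connection pool lower bound
    cp_max: 10                  # connection pool upper bound
```

Switching an existing server means exporting the sqlite data with Synapse's migration tool rather than just editing this block; the migration guide linked further down the thread covers that step.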


Looks like we are using sqlite and Python 3.5.3, synapse cache factor is currently not set in our config, any pointers for how to migrate to Postgres? This box has basically been given to me after the person who set it up gave up in frustration.


https://github.com/matrix-org/synapse/blob/master/docs/postg... has the details.

Fwiw, we're addressing the sqlite issue by stopping servers from federating for now if they are on sqlite (https://github.com/matrix-org/synapse/pull/5078). Sorry you got bitten by this.


It happens, guessing SQLite was default at one point or suggested by the install guide that was followed. Kinda surprised it has survived thus far, never really thought of SQLite as something for high volume, multi-user messaging.

Gonna go try the migration guide here :P


SQLite is definitely not ideal for high volume and high transaction frequency. Postgres will be better at that. I have used it for quickly getting a single table database up that I can just dump into and then query through linearly afterwards. It is better than dumping to JSON or some other purely textual serialization.


This is really frustrating, and basically the exact same thread as happened a while back with another list of "ethical alternatives".

You can't call something ethical without going into detail about what you mean. and:

Policy No Ads No Tracking We respect you

is not useful.

The value in ethics is in the conversation around what is ethical, not in a big, friendly "this is ethical" sticker.

This is as useful as "do no evil", and from the vague wording on the landing page, I'd imagine the people behind librem don't think google is very ethical right now.


.. And what is? It took a long time to define what Open Source meant, and that took some work.


isn't "ethical" one of those subjective terms though?

so... no-one can say their product/service is "ethical" without getting into a semantic argument about what "ethical" means

or... anyone can call their product/service "ethical" and it's up to the buyer to work out if their definition of that agrees


That's my point. The value is in the discussion around what's considered ethical, not in the label.

What I would like is for services like this to provide, up-front, a more complete discussion of how they've arrived at their recommendations, and what criteria they consider.


that's reasonable, I guess... though I can see a point where they want to sell things, rather than engage in endless discussions about everyone's opinion of what "ethical" means ;)


I like Librem, though I am a little concerned here. I prefer if hardware and services comes from different companies. Even well intentioned, it can be easy for a company to fall into vertical integration... Imagine a Librem 5 working best with their own service, and support for alternatives being a little weaker or less prioritized.


>I like Librem, though I am a little concerned here. I prefer if hardware and services comes from different companies

I actually agree 100% with you, however I think at this stage of the market development, it's enough to have a 3rd choice whose apps and services are open.

Librem is facing the "Grandmother problem". In order for this concept to actually succeed, it eventually needs regular folks to buy it. It's not enough to tell thousands of grandmothers to "buy our phone hardware and simply download and install any of the dozens of confusing and competing software stacks by following these 20 instructions on github". It needs to be marketed and sold as a coherent integrated product, otherwise just buy an old Samsung and root it yourself....


I definitely agree re: Grandmother problem, but I'd rather it configure services for you they aren't selling you. There's no shortage of services that already exist Librem could make easy to work with.


I mean that is a significant reason mobile development is fragmented. Some things have to be tailored for the device if you want any kind of mass appeal or reliability.

I think it would be a huge mistake to NOT tailor a specific experience for a Linux phone since it would then be doomed to obscurity (more than just by fact of not being Android or IOS) like the million Linux desktop distributions that never "just get it" out of the box for 99% of people.


I agree with your second paragraph. The Librem 5 isn't just a "Linux phone", and Purism is trying to build an ecosystem with strong expectations of privacy and end-user control, which is something we don't have today.

If all you want is a "Linux phone", you could buy a PinePhone for $150 or work on porting postmarketOS to an Android phone. The Librem 5 clearly has higher ambitions and could prove to be a more mass-market product.


As long as I can completely remove, 100%, their 'add-on' services, and still use their OS/hardware, I'd be happy.


First sentence is "Purism is a Social Purpose Corporation (SPC), which means we put social good above exploiting people". I've never heard of an SPC before (probably because I'm not from the US) so had to look it up. It seems it's still a for-profit corporation, just that it "enables, but does not require, considering social or environmental issues in decision making".

Which means that "which means we put social good above exploiting people" should really be "which means we can put social good above exploiting people" as it's not a requirement.

So, what's the purpose of an SPC instead of just a for-profit company? A for-profit can also consider social and environmental issues, AFAIK.


My layman's understanding is that it allows managers to choose their stated ethics over profits. Traditionally, investors could sue the company for not pursuing profit above all else.


Those cases are almost always dismissed summarily, unless the plaintiff can demonstrate fraud or other kinds of bad faith. The "Business Judgement Rule" [0] requires courts to give a very wide latitude to the officers of a corporation.

The idea that "fiduciary duty" requires directors to pursue profit "above all else" is flatly false, and has led to untold amounts of misunderstanding and meaningless noise since whichever fool monkey first uttered it.

[0] https://en.wikipedia.org/wiki/Business_judgment_rule


Seems quite similar to Public-benefit Corporations, though with a looser set of requirements in the states that permit SPCs: https://en.wikipedia.org/wiki/Public-benefit_corporation


Above commenters are correct, in the US you have to have a special designation to consider a values-based mission as more important than providing value to shareholders.

Right at the root of something very fundamentally wrong about our way of conceiving of/enforcing how business is done.


With "normal" corporations, shareholders can sue if business decisions are not made to maximize shareholder profit.


Shareholders can sue anytime, for any reason, or none at all.

What matters is whether they can win, or cost enough that you have to settle. It appears that shareholders have not had much luck with such gambits.

So this is really more marketing phenomenon: "we won't be as bad as FAGAM", and we rely on the people who chose to work there to keep it honest.

That can work as long as they don't get too big, or too cozy.

Cautionary examples include the American Cancer Society (wholly lost) and the Red Cross (mismanaged).


Here you can read what exactly Purism specified as its social purpose: https://puri.sm/about/social-purpose/


Fiduciary obligations perhaps? The administrator of a corporation has legal obligations to its shareholders. Maybe an SPC can skirt those.


> Librem Mail. Main Features: Safe (We delete unencrypted emails after 30 days)

I don't understand encrypted email very much at all. Is encryption on emails that I have received controlled by the sender? Almost all of the transactional emails I have received (receipts, confirmation numbers, etc) are probably unencrypted, right? This doesn't sound desirable.


PGP is a two-party system. The sender has a public/private keypair, and the recipient has a public/private keypair.

The sender encrypts a message with the sender's priv key and the recipient's pub key.

The recipient decrypts the message with the sender's pub key and the recipient's priv key.

> Almost all of the transactional emails I have received (receipts, confirmation numbers, etc) are probably unencrypted, right?

Totally up to your email provider and a sender's email provider. Your provider may choose to send/accept email over TLS, which is also encrypted. Gmail, for example, does this.


> The sender encrypts a message with the sender's priv key and the recipient's pub key.

You just need the recipient's public key to encrypt. Are you thinking about the sender adding a cryptographic signature, too?

> The recipient decrypts the message with the the sender's pub key and the recipient's priv key.

You don't need the sender's public key, just the recipient's private key to decrypt. Though, if there's also a cryptographic signature from the sender, then you would need the sender's public key to verify the signature.


I was attempting to explain in a simplified manner, since OP said that they did not know much about email encryption. But if you want to be semi-technical about it:

Both the sender's and recipient's public keys are required to calculate a shared secret. That shared secret is then used to encrypt the message. The recipient's priv key is used to decrypt the message.

Edit: Validating a digital signature is typically part of the process when using all-in-one software (e.g. Thunderbird's Enigmail extension). That is why I mention the use of private keys. Again, an oversimplification on my part in response to OP's statement "Is encryption on emails that I have received controlled by the sender?", which is false.

See: https://tools.ietf.org/html/rfc4880#section-2.1


Yes, that is the detail that was glossed over.

The difficult part is for the sender to get a copy of the recipient's public key. In practice, a sender will always sign with their private key, since they can just send a copy of their public key with the message.

I think GP thought it necessary to give a complete example, but not a complete explanation.


Almost 100% of the email aimed at most people does not use PGP, and is thus temporary in this scheme. That means that it gets deleted every 30 days. However, doesn't that only mean that the Librem One user loses their copy (unless they made a backup), but the other party gets to keep theirs?

What am I missing that causes this to make sense as a feature?


I support their effort of making free software more accessible. But saying "no ads" and then listing PIA as the only other VPN when they have partnered up with them is dishonest [ https://puri.sm/posts/purism-becomes-pia-first-oem-partner/ ]


I was also confused by the competition chart[1]

Regarding the VPN row, I don't think this is a case of being dishonest - meaning, Purism is lying. Rather, this chart simply feels like it was created hurriedly.

What motive would they have for saying they are in competition with PIA, when PIA is most likely the service behind Librem Tunnel. Perhaps someone goofed.

Edit: My suspicion that this page was rushed is seemingly confirmed when I see:

"In the Press As mentioned in:"

But there is nothing there.

1: https://librem.one/wp-content/uploads/2019/03/competitive-ta...


It's PIA, look at their Google Play screenshot.

https://lh3.googleusercontent.com/R3_hK1xk1oBWLb_jXB9EsWETnO...


Yep. In that case, I wonder why they would list PIA as competition at all.


That whole diagram is full of weirdness. No mention of Dropbox or Box, no mention of Office 365, etc.


They are really shaping up to become a proper major hardware and service provider. If what they are saying about their values actually promises permanence, I'll seriously consider switching to their hardware soon.


It looks as though the mail service won't support custom domains.


Got a reply from my question asking about custom domains:

Hello,

On Tuesday, 30 April 2019 at 23:29, [me] wrote:
> Hi there, will you support custom email domains? I'd love to migrate from
> Google Apps!

We're looking into it, but cannot say anything for sure for now.

> -[me]

Kind regards,

--
[support person]
Purism support


Something's a bit odd - is the client software they've developed not FLOSS?


...the Corporation [“Purism, SPC”] is organized for the following purposes (collectively referred to as “Specific Social Purpose):

..."The Corporation will only use and distribute free/libre and open source software in the kernel, OS, and software in its products."...

https://puri.sm/about/social-purpose/


I signed up for the free version to reserve my name.

However, I'm going to hold off on paying for the service until I see how it evolves over the next year or two.


I think what we really need, the enabler of migration, is, and always was, a decent collaborative office suite. Acceptable collaboration level evolves over time, that's true, but otherwise the requirements are the same.

There is no point in free/ethical/etc file storage if I still have to use Microsoft Office to edit files, which is neither free nor very collaborative. Text editors are relatively easy to replace. Google Sheets is really, really hard to replace. Even Microsoft Excel seems somewhat inferior to Google Sheets to me now.


No calendar syncing/sharing/inviting/joining?

Not even as a planned app?


Nice idea but a bit too utopian to work IMO.

First, most users will never want to pay for a service, especially things like chat, email, social. What I mean by that is, the market is already there for social apps that allow completely free usage by using user data, think Facebook, Twitter, Instagram, etc.

Second, asking users to pay for a service at about $8/mo is pretty steep. Purism/librem aren't building all the apps themselves.


You aren't paying for the apps here, you are paying for the online services. $8 per month is not too different from what you would pay for a hosted email these days. IMO, the cost sounds reasonable once you consider that it is a bundle.


What about mass surveillance and gag orders, are they gonna be handled in an ethical way?


> Purism will generally not contact you for any reason except in the following situations:

> "A lawful request for account information was received"

Maybe sometimes, but the US government has an unconstitutional tool up its belt it has been using freely since 2001:

https://www.law.cornell.edu/uscode/text/18/2709

> 18 U.S. Code § 2709. Counterintelligence access to telephone toll and transactional records

> (c) Prohibition of Certain Disclosure.—

> If a certification is issued under subparagraph (B) and notice of the right to judicial review under subsection (d) is provided, no wire or electronic communication service provider that receives a request under subsection (b), or officer, employee, or agent thereof, shall disclose to any person that the Federal Bureau of Investigation has sought or obtained access to information or records under this section.

TLDR: If the FBI tells them not to, they can't tell you they've given your information away.

In the interest of full disclosure, I believe they should warn people about this.

(Yall probably have heard about this in the form of Warrant Canaries: https://en.wikipedia.org/wiki/Warrant_canary)

I like the message, I like the intent, I like what Librem does. I like that they're going to have data after this seeing just how many people are willing to pay money for privacy. I am. I'll probably pay for this software regardless. It's just a shame our own governments are standing between us and actual privacy - I'm starting to wonder who is serving who these days.


FWIW, Purism does publish their warrant canaries: https://puri.sm/warrant-canary/


No mention of Chatty, the SMS and XMPP client?


They want you to use matrix, not SMS or XMPP.


I find the “ethical” framing around this to be rather problematic.

I hate ads and care about my privacy as much as anyone else here. However, the argument that a free ad-supported product X available to anyone in the world with an internet connection is less ethical than product Y which requires a monthly payment for access seems tenuous at best. Especially when you consider that the price is out of the question for those in developing countries.

This is a luxury purchase, not an ethical one.


I really don't get your point.. user tracking for the purpose of serving ads (or any other purpose for that matter) and putting up paywalls (that allow certain users/bots to crawl content) are both unethical.. why does it matter which of the two is the most unethical? You can easily have ethical ads and paywalls, e.g. duckduckgo.


Maybe the term paywall isn’t the right one. I’m referring to the premise that you must pay the monthly fee to use the product and whether that is really any more ethical than ad supported products that are free for anyone in the world to use regardless of income.


I think you'll have a hard time finding people who think it's unethical to require a monthly fee to use the product.

If a product can only exist by violating people's privacy (for the purpose of user tracking ads and whatnot), then perhaps said product shouldn't exist at all. That being said, I highly doubt that you can think of a product that couldn't operate with ethical ads/paid features/non-profit social service funding.


Ad supported products are not free, as you actually pay with your data. It is very insidious.


Again: you pay not only with your data. The cost of advertising is already included in the cost of the product being advertised. You pay for it both ends.


Sure, but it must also be recognized that this is true only if you value your data.

In our bubbles we all certainly do. But in the context of a resident in a developing country who can’t afford to pay, the trade off of allowing access to your data rather than no access at all seems more ethical.


It might be enlightening for you to apply this line of reasoning to historical forms of exploitation. But no, it is not ethical to exploit someone just because they can't afford alternatives.


I'm too disappointed with this bullshit, because it's coming from a company which I really appreciated and respected. AFAIK, Purism hasn't yet delivered the Librem 5 phone. If that's the case, then it's a priority violation. Now, the best Purism can do is abort this bullshit and pay all the backers their money back before it's too late.


It is not clear to me that the two are competing for resources. Getting a phone working requires completely different staff from bringing up online services, and a steady cash flow can lift the pots on all the burners.


To me, it still looks like a priority or some other kind of problem. Sorry :) Let's assume all of this is a "good intentioned mistake" and hope that Purism abolishes this ASAP.


Privacy isn't fixed by technical products, it needs to be fixed at a legal level.

The existence of crypto near any product makes me immediately do a double take anymore, because there are tax implications there that you're kinda forcing on people.

The design of these apps needs to be much more refined if you want to charge money for them. I'm usually willing to give a bit on it when it's for the right cause, but... this stuff feels so off that it's tough to look at. If you're gonna play in the iOS app store, you need to be willing to invest in this.

End hot takes, I guess. I want Purism to succeed but I feel like they're just making the same mistakes every "year of the Linux desktop" scenario made, wherein they're not competing on the features that draw eyeballs. It doesn't need to be the focus, but you can't neglect it either.


Exactly, I won't trust a company based in the US with my privacy, no matter how cool it is.

Maybe for stuff that requires convenience but not security. I don't trust any Five Eyes country either.

I currently use Swiss and Romanian services for my business, and while the experience is not as smooth as, say, Gmail or Digital Ocean, it's good enough.


Swiss I understand; how are the privacy laws in Romania?


