Lots of great criticism on this thread. Lots of great reasons to maybe stay away from Purism.
However...
What I personally think is really interesting here is the bundle. I don't want to pay $10/month for a Twitter clone. I don't want to pay it for VPN. I don't want to pay it for email, or file storage, or contact manager, or payment system.
But as a bundle?
$10/month to actually solve all of my digital privacy concerns?
That's a rather appealing proposition. I'm not sold Librem One truly solves this, for all the reasons in this HN thread. But I think the idea that I could make a single Netflix-sized monthly payment to simply solve privacy across-the-board is something I could get behind. And I'm cheap AF.
Agreed, just OSS software on its own is great but these products need proper marketing and delivery.
If Purism is offering clean and transparent connections to services backing them combined with some sort of delivery (update) + support mechanism, that is already far better than just telling someone to download 5-6 apps + subscribe to 3-4 services (VPN, email server, backup server, etc).
It's not as ideal as a purely decentralized, multi-party system for security's sake, but it's better than what 99% of people are going to be using otherwise - in the real world.
Yup! Privacy apps are borderline useless to me if the people I want to engage with don't use them. And probably 95% of the people in my social circle are not hackers/engineers who are comfortable managing their own servers.
While I think modular.im is a good idea for the Matrix devs to hopefully be able to sustain development, getting more third-party hosts should be the name of the game.
And while I love the Matrix.org folks and all the work they've been doing, the recent hack was such a complete shit-show (with so many glaringly bad decisions). This was likely the result of nowhere near enough resources to dedicate to infrastructure, so maintaining thousands of clients' infrastructure as well would be a very bad decision.
Personally, there's no way I would use them for hosting if I was planning on not using matrix.org anyway.
I'm currently finishing up the postmortem writeup on the security breach, but the tl;dr is that the old infra surrounding the matrix.org server had grown organically and hadn't received any proper ops love.
modular.im however runs on entirely different infra, and was set up by a professional ops team, was not compromised during the breach, and should be considered trustworthy. Also, money from Modular goes directly to supporting the core Matrix.org team, so if people don't use it due to concern over the breach it's going to hurt us badly. This is doubly true if people end up using other paid hosting providers (like Librem.one) which don't actually contribute any funding back to the project.
I fund you folks on Liberapay so you've already got my $10/mo (and much more) without the other overhead of taking care of my messaging service. I also self-host so am not going to use Librem.one anyway[+]. However...
> old infra surrounding the matrix.org server had grown organically and hadn't received any proper ops love
I'm sorry to be a bit harsh, but "hosting package and android signing keys on production servers" and "not putting services on an internal network accessible only by VPN" aren't small mistakes. They're major screw-ups. An "organically grown" setup where the signing keys were on one developer's laptop would've arguably been more secure than the old setup.
Don't get me wrong, I really want you to do well (I've used Matrix for years and have donated >£1500 over that time). But I have to be honest with you that trust in your infrastructure is going to be very hard to get back. Hell, it took until last week for some of the remaining services from the breach to be back up (fedtester was down last week from memory)!
The offer for hosting matrix.org packages on OBS is still open. It'd reduce at least a bit of maintenance overhead and would at least allow homeserver operators to get the latest packages independently of the main matrix.org infra. :D
> and was set up by a professional ops team
Given that the ops team is presumably employed by New Vector, why wasn't the matrix.org infrastructure fixed before launching a new product? Was this something that was planned to happen but never did, or was the long-term plan to shut off matrix.org and get everyone to switch to Modular?
[+] Though I'm surprised that you seem to see public offerings of Matrix homeservers to be a negative rather than a success of the protocol -- surely this plan was obvious given the Librem 5 wanting to use Matrix as the main messaging service. Obviously I think they should contribute back to Matrix.org, but isn't focusing on that missing the wood for the trees? Also the main benefit people will have out of a service like Librem.one is that you are paying for all of the services provided, not just one. I have a feeling selling "just another chat system" to folks (which is what most people think when they first see Matrix) will be much harder than selling "G-suite that protects your privacy".
Wrt the security practices on the old infra; yes - clearly they were major screw-ups. All I can do is spell out what we did wrong, and that we are painfully aware of the errors, and what we are doing to fix it going forwards.
> why wasn't the matrix.org infrastructure fixed before launching a new product.
because we put all our energy into getting modular sorted properly to try to increase $ to fund the team, rather than tidying up the old infra, with the expectation of eventually moving matrix.org over to the new hosting infra RSN.
> Though I'm surprised that you seem to see public offerings of Matrix homeservers to be a negative
It's very much a positive from the protocol's perspective. But from the painful practicality of keeping the team funded, it's a problem to spend time supporting Librem-specific issues if there's no $ to cover the time, as it just ends up sucking time from the core project. There is a massive risk of the tragedy of the commons here. In other words: from the perspective of keeping the team paid to work on Matrix as their day job, we'd rather users bought Matrix hosting from providers who funnel some of the revenue back to the core team. Hopefully Purism will end up doing so.
I look forward to reading your write-up. And I really do hope that Purism gives money back to you folks and the other original projects (unfortunately there are many more counterexamples than examples of this happening in the past). Wasn't there already some agreement with them in order for them to have decided to use Matrix on the Librem 5 -- or is there no such revenue-sharing arrangement? (Or was the arrangement "host your own homeserver"?)
> Wasn't there already some agreement with them in order for them to have decided to use Matrix on the Librem 5 -- or is there no such revenue-sharing arrangement?
We were hoping they would funnel $ from the Librem 5 campaign to help support Matrix, and there was an agreement to do so if the campaign reached a given threshold. So far we haven't seen anything, but live in hope.
This seems to me to basically be the logical conclusion of profitable FLOSS software, no? The entire software stack is free and open-source; what the end-user is paying for is an attached service, like the infrastructure hosting/bandwidth, cloud storage, software support, updates, etc.
The challenge, at least in my neck of the woods, is that all the independent ISPs got purchased by bigger players who aren't exactly in a rush to be innovative.
They're onto something.