Miserlou / OnionCloud

OnionCloud - An Anonymous Heroku-like PaaS
GNU Affero General Public License v3.0

General questions on front / backend #1

whackashoe closed 11 years ago

whackashoe commented 11 years ago

Hello,

First off, this sounds like a very interesting project. I'd like to know a bit more information on the project. Some questions off the top of my head:

When stating "different application execution environments", is this referring to a selection of various docker base stacks, or a sort of one size fits all base per instance? E.g.: docker instances that contain python, ror, apache, php, java, or separate ones more pick and choose?

Thanks -Jett

Miserlou commented 11 years ago

Hey Whackashoe! Thanks for writing!

OnionCloud is still just a concept, I am looking to secure a bit of funding to expand it into a working prototype.

> What should onioncloud assume for the website backend? ror, django..?

I'm a Django programmer, so probably Django for any kind of interface to the thing, although that's not really the important bit.

> Conversely, what should it assume for frontend? Bootstrap, foundation, custom?

Normally I work with Bootstrap but I'm not looking the looks over Bootstrap3 so far, and I've been wanting to give Foundation a try. Actually, I've had my eye on this one: http://purecss.io/ which is pure CSS and very small, which could be important if the service will have a hidden service frontend (most Tor clients disable JavaScript, rendering some bootstrap sites pretty broken.)

Again, this isn't the important bit at the moment, just getting applications to deploy is the most important part right now - everything else is just chrome.

> What functions should onioncloud expect to provide? Obviously I can assume registration yada yada, but should ze docker instances allow customization as far as software installation goes? When stating "different application execution environments", is this referring to a selection of various docker base stacks, or a sort of one size fits all base per instance? E.g.: docker instances that contain python, ror, apache, php, java, or separate ones more pick and choose?

I think there will probably be standard containers for each supported environment - like an Ubuntu LTS VM with the correct basic dependencies for each operating environment, defined by a configuration file in source control. Down the line, I suppose it could integrate with something like https://index.docker.io/

Does that make sense? I'm open to discussions.

whackashoe commented 11 years ago

Hey, thanks for the response.

Are you open to any work being done on this repo prior to any funding? I have had a similar idea for hosting like this, so I am fairly excited other people want to do this in an open way.

I've used foundation a fair bit and have to say it works quite well (inc. with no-js). Purecss also looks pretty cool, I like to perpetuate the idea of no-js with tor; and with recent events that idea has been confirmed as I'm sure you know.

I've been playing with docker a bit, one thing I am a bit concerned about is the security implications of container-ization, which I am sure with a bit of reading I can put my mind to rest (a little bit) on. I've made some progress with a dock and running web server on it, if I get a crappy barebones setup for hidden service do you want a pull request err do you have one built already?

I'm really interested in hearing your thoughts on the security for users. On one hand, there are possibly some items you wouldn't want hosted. On the other, there is no (afaik) decent way to enforce this other than having some sort of trail for users, or monitoring the diffs. It seems like a difficult balance.

Miserlou commented 11 years ago

> Are you open to any work being done on this repo prior to any funding? I have had a similar idea for hosting like this, so I am fairly excited other people want to do this in an open way.

Absolutely! I will only be able to contribute during my (scarce) 'free time', however. But yes, I would prefer this to be operated as a traditional open source project with a distributed group of volunteers working on the project together.

> I've been playing with docker a bit, one thing I am a bit concerned about is the security implications of container-ization, which I am sure with a bit of reading I can put my mind to rest (a little bit) on.

I think this is going to be the interesting part of the project for the moment. This is certainly something which needs to be discussed by the larger community (fortunately there is a nice little community forming around Docker already), and I think a presentation with a PoC will spur lots more serious discussion than with nothing at all. Docker itself still claims not to be production-ready: http://blog.docker.io/2013/07/docker-0-5-0-external-volumes-advanced-networking-self-hosted-registry/#production_ready - although there are many people who claim to. Fortunately, Docker is really just an advanced wrapper around LXC, which has been available since 2007 and is used in production by the likes of Google at a massive scale. I believe the core concept to be solid. Figuring out how exactly Tor fits into the picture is another challenge entirely, however.

> I've made some progress with a dock and running web server on it, if I get a crappy barebones setup for hidden service do you want a pull request err do you have one built already?

Pull request would be great!

> I'm really interested in hearing your thoughts on the security for users. On one hand, there are possibly some items you wouldn't want hosted. On the other, there is no (afaik) decent way to enforce this other than having some sort of trail for users, or monitoring the diffs. It seems like a difficult balance.

I'm going to kick this can down the road for the moment.

For now, OnionCloud is simply an open source software project designed to allow people to easily run and operate their own anonymous PaaS. There are two end users here: organizations and individuals who wish to run OnionCloud instances as an easy way to host a multitude of their own applications, and end users, who simply want to host applications on an existing OnionCloud instance. I'm currently interested in the former since my company, OpenWatch, may at some point in the future choose to operate an OnionCloud instance for our own public and private applications. However, we need to consider both cases.

Anybody will be able to start an OnionCloud. If somebody chooses to offer one with public facing accounts, how they choose to administer that is up to them. If I were to operate one, I would want to have the ability to purge users who facilitate in the production of child pornography // human trafficking // war crimes // bronies // etc., however, there is a much more idealistic set of Tor users who support 100% internet freedom, even if that includes CP and other unpleasantness. They would also be able to run an OnionCloud.

Turning OnionCloud into a public-facing service is currently beyond the scope of the project at this stage, but certainly a phase which we should be considering, and as technologists we have a moral responsibility to ensure that there are safeguards against human suffering, even at this stage. This can either appear in the form of technology, design, policy, or human dynamics (OnionCloud High Council, AnonWoofie, democracy, discourse, etc.)

I think that's a discussion for another issue though! :)

whackashoe commented 11 years ago

Alright, well thanks for answering some of my questions- that's all I've got for now. This cleared up a lot of questions, especially your last few paragraphs. Cheers.