solokeys / solo1

Solo 1 firmware in C
https://solokeys.com/

Document non Open Source parts #596

Closed hoijui closed 2 years ago

hoijui commented 2 years ago

I think it would be important to document this, plus potential security risks, related both to the non-OS parts and to risks in general, in a prominent spot on the website, or at least in the FAQ. What parts are not Open Source, both Hardware- and Software/Firmware-wise (e.g. the main chip), why that is so, how much/little of a problem it is, and what could maybe be done about it in the future.

I am very grateful for your work in this field, it is sorely needed, and very important, thank you! :-)

I think that with such info, you would gain more trust among the huge range of partly- to mid-sophisticated potential users. It could also make customers potentially stick with you for longer, if they see you are honest about such things, and through the same text can see that you are working on improvements already. You could also point out at the same time that you are still better than any proprietary products at least in this and that.

Personal, related anecdote

For many in my social circles, I am "the tech guy". They ask me about such products, what I think about them. They initially think it is perfect, because fully open source. I then have to look at it, and find out... the chip is not. Personally, I do not know enough how much of a problem that is or not, which surely you do! I then tell them: "this and that is not open source, and I do not know how much of a problem that is, but... it is NOT fully open source." They then are confused: whom else could they ask, if the tech guy does not know? And why did they write it is fully open source, if it is not? Seems shady...

And I am sure this happens thousands of times for other tech guys, who will all do a worse job in evaluating your product than you could do.

nickray commented 2 years ago

The hardware is open source in the sense of the usual understanding of "open source hardware", as certified by OSHWA: https://certification.oshwa.org/list.html?q=solokeys. By this it is meant that the product can be recreated with openly available components (e.g., no restricted secure elements or the like). There are currently no chips suitable for a security product in the sense that you may have hoped for, such as RISC-V or Tropic Square. The designs are published (Solo 1, Solo 2), using a CERN license.

As for software/firmware, it is all dual MIT/Apache2 licensed, documentation is CC-BY-SA.

nickray commented 2 years ago

Moving this into discussions as it's not a firmware issue.