On Aug 8, 2015 11:30 AM, "intrigeri" <intrigeri@???> wrote:
>
> Hi,
>
> I essentially agree with everything that sajolida said (and thanks for
> the fast reply!).
>
> Just a nitpick or two:
>
> sajolida wrote (08 Aug 2015 13:32:29 GMT) :
> > 2. Change the body into:
>
> > "Both the host operating system and the virtualization software are
> > able to monitor what you are doing in Tails.
>
> > Additionally, only free virtualization software should be trusted.
>
> It feels a bit patronizing to tell people what they should trust (we
> do kinda the same on the virtualization doc page, but at least there
> it's written "we believe [...] to be trustworthy", which makes the
> subjective PoV clear).
>
> I'd prefer an approach in which we give people the means to make
> a security decision, by warning about the specific risks of non-free
> virtualization software (as we do already, as quoted above, in the
> general virtualization case; and as we do already on the
> virtualization doc page).
>
> Also, it feels weird to warn specifically about non-free
> virtualization software, but not about non-free operating systems,
> once we've made the step to assume that users of free OS use free
> virtualization software (FTR, I think it's an OK assumption to simplify
> this discussion).
>
> So, I think we should merely give a hint here about the specific risks
> of non-free virtualization software, and leave it to the existing
> great doc page to explain the specifics, as it already does.
>
> The only modification to that doc page that seems necessary to take
> all this into account then would be something like:
>
> Only run Tails in a virtual machine if the host operating system
> is trustworthy.
>
> with:
>
> Only run Tails in a virtual machine if the host operating system
> and virtualization software are both trustworthy.
>
> > Consider using <a
> > href='https://www.virtualbox.org/'>VirtualBox</a> instead.
>
> I'd rather move this one to the doc page about virtualization (linked
> below), which will give us more room to warn against the non-free
> extension pack that's featured quite prominently on their download
> page. That would be the second modification needed there, to make it
> consistent with what Austin English is implementing.
>
> Thoughts?
>
> Cheers,
> --
> intrigeri

I agree with putting the details in the wiki. VirtualBox makes it a bit too
easy to install their nonfree version imo, and I think it would be
imprudent to recommend VirtualBox without explaining that to users.