On Sun, Aug 9, 2015 at 6:42 AM, sajolida <sajolida@???> wrote:
> Austin English:
>> On Aug 8, 2015 11:30 AM, "intrigeri" <intrigeri@???> wrote:
>>>
>>> I essentially agree with everything that sajolida said (and thanks for
>>> the fast reply!).
>>>
>>> Just a nitpick or two:
>>>
>>> sajolida wrote (08 Aug 2015 13:32:29 GMT) :
>>>> 2. Change the body into:
>>>
>>>> "Both the host operating system and the virtualization software are
>>>> able to monitor what you are doing in Tails.
>>>
>>>> Additionally, only free virtualization software should be trusted.
>>>
>>> It feels a bit patronizing to tell people what they should trust (we
>>> do kinda the same on the virtualization doc page, but at least there
>>> it's written "we believe [...] to be trustworthy", which makes the
>>> subjective PoV clear).
>
> I had the same concern but wanted to see if my proposal triggered the
> same for you :)
>
>>> I'd prefer an approach in which we give people the means to make
>>> a security decision, by warning about the specific risks of non-free
>>> virtualization software (as we do already, as quoted above, in the
>>> general virtualization case; and as we do already on the
>>> virtualization doc page).
>>>
>>> Also, it feels weird to warn specifically about non-free
>>> virtualization software, but not about non-free operating systems,
>>> once we've made the step to assume that users of free OS use free
>>> virtualization software (FTR, I think it's an OK assumption to simplify
>>> this discussion).
>
> Sure.
>
>>> So, I think we should merely give a hint here about the specific risks
>>> of non-free virtualization software, and leave it to the existing
>>> great doc page to explain the specifics, as it already does.
>>>
>>> The only modification to that doc page that seems necessary to take
>>> all this into account then would be something like:
>>>
>>> Only run Tails in a virtual machine if the host operating system
>>> is trustworthy.
>>>
>>> with:
>>>
>>> Only run Tails in a virtual machine if the host operating system
>>> and virtualization software are both trustworthy.
>
> Applied on master in 827a16d. I didn't feel like it was needed to go
> through the whole review and merge process as I pasted your phrasing
> basically.
>
>>>> Consider using <a
>>>> href='https://www.virtualbox.org/'>VirtualBox</a> instead.
>>>
>>> I'd rather move this one to the doc page about virtualization (linked
>>> below), which will give us more room to warn against the non-free
>>> extension pack that's featured quite prominently on their download
>>> page. That would be the second modification needed there, to make it
>>> consistent with what Austin English is implementing.
>>>
>>> Thoughts?
>
> Ok, so adjusting my last proposal we could:
>
> 1. Change the title into "Warning: non-free virtual machine detected!"
>
> 2. Change the body into:
>
> "Both the host operating system and the virtualization software are
> able to monitor what you are doing in Tails.
>
> Additionally, only free software, both as operating system and
> virtualization software, can be trustworthy.
> <a
> href='file:///usr/share/doc/tails/website/doc/advanced_topics/virtualization.en.html#security'>Learn
> more...</a>
>
> That's better, no?

That phrasing sounds awkward to me. How about:

"Both the host operating system and the virtualization software are
able to monitor what you are doing in Tails.

Only free software can be considered trustworthy, for both the host
operating system and the virtualization software.
<a href='file:///usr/share/doc/tails/website/doc/advanced_topics/virtualization.en.html#security'>Learn
more...</a>

Still not perfect, but it's an awkward sentence to try to phrase.

--
-Austin