Well, hello there. Guess what. Disroot just turned 9! It's awesome to see the little project soon becoming a teen. We need to think of something awesome for the 10th anniversary celebration next August. Time is zipping by quickly, so we should already start thinking about what we can do. In the meantime, it's good to see what has been going on in the past months on Disroot. As always, we keep on being busy bees, so much so that we did not write anything for a while, breaking our New Year's resolution. So to keep the post at a reasonable size given this long silence, and to restart the posting machine, we will just focus on a review of the goals set for 2024.

Lacre - end to end mailbox encryption

@pfm has been doing a ton of refinement of the code this year, as well as fixing the last bugs and issues we have been struggling with (mainly with email content parsing, which turned out to be especially problematic when considering some odd edge cases). We are currently at the stage where we could implement Lacre on the Disroot email server. In fact, as you read this post, Lacre is already operational on Disroot's email server. We've kept it running in the background for the last weeks, trying to fish out any issues we might have missed in the testing setup. We've divided the roll-out plan into three steps:

  • closed alpha - The stage we are currently at. We run Lacre on the Disroot server without any keys loaded. Since all emails pass through Lacre, we want to make sure we find as many edge cases and errors as we can before any keys from users are loaded.
  • open alpha - The stage where Lacre is implemented on the server but without a user-facing interface to upload an encryption key. This prevents inexperienced users from ruining their mailboxes. Key submission will be possible manually by contacting us via lacre@disroot.org. We want to prevent a situation where a possible issue may affect a larger group of users, and we want to make sure only people with GnuPG experience make use of Lacre. You can already send your public keys to us. Your emails will be added to a list where we'll be sharing extra information (e.g. if for some reason we have stopped Lacre due to a problem, and when we will resume it).
  • open beta - The stage where we enable the user-facing key submission interface, but with a giant disclaimer stitched on top. Anyone would be able to submit their encryption keys and make use of Lacre, but we expect only people familiar with PGP to do it. During this stage we would like to gather feedback from users and work on better onboarding for those who aren't familiar with PGP.

This is a great step forward. We are very excited that, 3 years after we started working on it (mainly pfm did, let's be honest), the possibility of proper end-to-end mailbox encryption is pretty much within reach for anyone.
We can't and do not want to work with deadlines, promises and ETAs, which are hard to achieve in a project like this and just create extra stress (we experience enough of it with just the daily operations on Disroot). However, we do want to get this service to everyone out there. And so rolling out in stages brings us closer, while still being cautious about it.
So if you want to be the early bird and like to live on the edge, please drop us a line. We will be happy to answer all your questions and doubts (muppeth has been using Lacre on his main email account already :P). You can also attach your public keys in the email (send it to support@ or info@).

Staging server

Staging is a server we've been using as an intermediate test instance of Disroot. It has improved the way we work tremendously. We treat that server as if it's an independent Disroot-like node running in an automated fashion. We try to make sure all tasks needed to deploy and maintain a service are done in an automated way, without the need for admin intervention inside the server. Running the staging server as a separate instance is a testing ground for the ultimate goal of providing a set of tools enabling us to run multiple platforms like Disroot (Disroot-like nodes) for individuals, non-profits, businesses and other organizations, as well as giving anyone out there the opportunity to make use of our work on their independent on-premise setup.
Currently we mainly focus on improving automation and orchestration of the setup: cleaning our main production platform of years of custom, manual changes, undocumented setups and overall mess, and bringing it closer to the reference setup we have been using on staging for the past months. Of course, the main objective of the setup, being the test ground for upcoming updates, is the primary focus. We have managed to update our deployment procedures and involve the entire team in the process of testing updates, and now we are at the stage where some of the more active and involved Disrooters will be able to join the efforts of testing. Seems like the work on this goal is rather smooth sailing and we are well within the time frame on that one.

Themes

Following the principles behind the staging server, we decided to apply them to our themes too. For a while we have been struggling to keep track of upstream changes to the themes. Though our "themes" are mostly just forks of themes with small changes to colors or little details, it's been work of its own to keep things up to date. While improving the process of keeping things easy to track (e.g. keeping all custom changes in separate files), we have also decided to unify the variables and colors used across all of them. The idea is to get to the situation where changing a theme's colors could be done by replacing a couple of color values. Up until now, we have not made tremendous progress in this field, but we have done the needed minimum, separating changes from initial themes. This will keep things tidy and easy to track once updates come along. The next step is to unify the variables and element names so that we can implement the idea of centrally managed custom themes.

Website / Howtos

Work on the new website look has started. Although it doesn't look like it visually, most of the heavy work has been done. We have the concept in place and we have been implementing it on the staging site.

After some research, we have also decided not to change the CMS currently used for our tutorials and to stick with GravCMS. It looks like all the other alternatives lack some features, so there isn't an ideal solution for what we want. And since we can't find anything substantially better, there is no need to waste time migrating to something we won't be 100% happy with. Better to spend this time on improving what we have. And there is a ton of things to improve. The theme is one thing, but we also want to change the structure of the tutorials so that things are easier to find and follow in a logical order.

New Authentication

Oh yes. The wheels here are turning well. After some research into a few candidates for a new authentication system, we have settled on Keycloak as our future identity provider. It's fully open source and community driven, but with backing from big organizations such as "Red Hat" or "The Linux Foundation". This ensures the code is well maintained and battle tested. Additionally, it is compatible with our existing LDAP authentication, so the transition can be less disruptive and always with a fallback. Currently we are learning the inner workings of the system, implementing the new authentication method for the services on our staging server, as well as mapping and testing various scenarios and requirements for internal operations such as registration, user self-service, custom requests, etc.

Although the work is moving forward and we are very surprised how easy it is and how much it can improve the life of Disrooters as well as the admin team, we also discovered some sad truth about the state of implementation of OpenID/OAuth. The majority of XMPP and email clients currently do not support such authentication methods, and so we will be forced, at least for the time being, to use a legacy method like LDAP. This means that users who decide to use XMPP or native email clients (like Thunderbird) will not be able to use two-factor authentication on those services. We are thinking of ways to mitigate this issue through app passwords or other solutions. But of course, things will take time. Apart from trying to bikeshed some temporary solutions, we will try to do our best to lobby client developers to introduce OAuth in their clients, whether by trying to raise funds or find developers.
Even though the implementation won't be all bells and whistles from day one, we proceed according to the plan. We want to deploy the new system as soon as possible as it will bring a number of improvements all around in any case. Stay tuned.

Money, Money, Money

If the last years have taught us anything, it is that Disroot is not just a hobby project anymore but a full-time job. We have been blessed with your generosity, enabling us to buy new hardware so we can continue providing an alternative to corporate services without building it on top of rented or corporate cloud offerings, and continue providing Disroot for all of you while being totally independent. Building a true alternative. We also managed to secure enough funds to pay Muppeth part-time for his efforts. We do realize we are a few years too late with that. Disroot requires a team of full-time paid staff, not one part-time individual. As awesome as it is, and we are very grateful for this, in the long run it can't be sustainable.

We want to prove that other business models are possible. We want to show that a platform like ours (and a large number of our friends running ethical-open-fair alternatives) can become financially independent and sustainable without forced microtransactions, exploitation, data theft, venture capital investment or other shady activity where you become the product. We have made a great step in a good direction, but we need to stress that financial contributions from you, dear Disrooters, are crucial for the project to continue. As we always say, if everyone decided to buy us a cup of coffee a month, we could not only pay full salaries to an entire team but have enough extra to share with open source developers and build even better products. If you haven't yet, consider buying your favorite admin a coffee. This applies even if you don't use Disroot and happen to read this post. Think of your admin, who most likely does tedious work after they are done with a day job while you're relaxing in front of the TV.

If you have any idea on how we could improve our financial situation, if you are experienced in grant applications or could suggest possible solutions, please don't hesitate to drop us a line. We are always open to your suggestions and contributions. The upcoming year will be critical. Let's all show that an ethical, open and free alternative is possible and a sustainable model.

Updating TOS

Speech and freedom to express yourself are fundamental human rights. Being able to convey our ideas to others openly is important, and even more significant is the ability to communicate them to others who disagree with us. That is essential for a healthy society. It is what makes us strong, empathetic and intelligent. As a platform, we believe everyone's ideas can bring something to the table, so we choose not to close ourselves in a little information bubble. We encourage dialog. However, being free to say what you want does not automatically give you the right to be malicious. The fact that we can express ourselves does not mean insulting others, verbal attacks, harassment and violence towards others are or should be automatically tolerated. Freedom of speech isn't equal to the freedom to be a dick :P It's quite depressing that such obvious conclusions need to be said and, more importantly, guarded within spaces like ours. However, reality shows us there are individuals out there who do not understand those common sense concepts and need some guidance in that matter. And so, thanks to @fede, we have created a short set of common sense rules for the platform. You can find our updated TOS here.

We wish you all awesome times ahead. For those in the Northern hemisphere, we hope you had a great, sunny and warm summer, and that you are all ready for the darker and colder months that are coming. For those upside-down (South), we wish you a great hot summer, but not too hot :P.

Truly yours,
Disroot team