From 7ac063cbcb37db0230f2a1c62b529aed6870cc00 Mon Sep 17 00:00:00 2001
From: "Kali Kaneko (leap communications)"
Date: Mon, 12 Mar 2018 14:48:18 +0100
Subject: updated project ideas

---
 pages/docs/get-involved/project-ideas.md | 183 +++++++++++++++++++++----------
 1 file changed, 123 insertions(+), 60 deletions(-)

(limited to 'pages')

diff --git a/pages/docs/get-involved/project-ideas.md b/pages/docs/get-involved/project-ideas.md
index cf9f379..3816b54 100644
--- a/pages/docs/get-involved/project-ideas.md
+++ b/pages/docs/get-involved/project-ideas.md
@@ -12,6 +12,65 @@ If you have your own ideas for projects, we would love to hear about it! Bitmask Client Application ======================================= +Generic +--------------------------------------- + +### Port to python 3 + +The current code base is in python2, wich is in a process of being deprecated. Most linux distributions are stopping the support for it and upstream is not doing any new development for it since years. Having support for python3 will also bring us the posibility of using pypy, wich might be a good improvement of speed for the server parts. + +Some work has started on getting the tests to pass on soledad. We already use tox for to run our tests. Getting our CI running both for py2 and py3 is straight forward and from there the first step will be to get the tests running on py3. + +* Contact: meskio +* Priority: high +* Difficulty: medium +* Skills: python2 & 3, six library + + +VPN +---------------------------------------- + +### Gateway selection + +Currently, the background bitmask daemon allows for gateway selection, but the current UI doesn't expose this. Consuming the information that the backend exposes, new widgets should be created in the Bitmask UI to allow the user to select the gateways, display different flags depending on the one that's being used, or display the gateways in a map. + +* Contact: kali, meskio +* Priority: high +* Difficulty: easy +* Skills: JavaScript. + +### Graph traffic statistics + +The VPN service provides usage stats in a json document. A new widget is needed that plots both upload and download traffic along time, and also clearly displays when VPN is switched off. + +* Contact: kali, meskio +* Priority: high +* Difficulty: easy +* Skills: JavaScript. + +### OpenVPN usage improvements + +Bitmask VPN works fine, but has many parameters configured statically like tcp and IPv4. 
It will be nice to acknowledge if the provider supports tcp and/or udp, try first (if supported) with udp and fallback into tcp if it can't connect. The providers can only provide IPv4 addresses to connect to, having support to stablish connections into the providers using IPv6 will be a nice thing to have. + +The current firewall blocks all the IPv6 traffic from being routed over the VPN. There is new sources of privacy leaks from using IPv6 that were not existing into IPv4. It will be desirable to have some support for IPv6 in Bitmask VPN, allowing it and investigating what kind of firewall is needed to prevent IPv6 leaks. + +Some ideas to improve security of the current VPN settings also involve coordinated changes between the platform and the client, so changes should be tested coordinatedly in both sides. Some topics in this category in the roadmap are: improving the ciphersuit selection, require a minimum tls version, renegotiate tls keys more often, blocking outside dns and implementing obfuscation and other circumvention measures against VPN blocking. + +* Contact: meskio, kali, micah +* Priority: medium +* Difficulty: medium +* Skills: python, networking, openvpn, iptables + + +### iOS port of Bitmask + +A basic port of Bitmask to iOS needs to mimick the behavior of the Android app: downloading configuration information from providers, building the OpenVPN command, and setting up the VPN. + +* Contact: kali, meskio +* Priority: low +* Difficulty: medium +* Skills: iOS development. + Email --------------------------------------- 
@@ -40,11 +99,29 @@ Soledad Client [[Soledad]] is our synchronized, client-encrypted, searchable database. It is written in Python, based on the Python implementation of U1DB (U1DB has similar features to Soledad, but has no encryption). There is also a C version of U1DB called libu1db. This project would be incrementally replace portions of the Python implementation with a version that can be compiled in order to make binding available on Android and iOS. -* Contact: drebs +* Contact: drebs, kali * Difficulty: Hard * Priority: High * Skills: C/C++, using crypto libraries correctly, test driven development. +### Soledad standalone app + +Soledad has been coded with the use-case of email as its primary goal. However, it is a generic encrypted and syncable storage, that could be useful to a wider community. In order for soledad to be useful, there are some parts that need to be decoupled from other pieces of the LEAP Platform (including a lightweight implementation of the token-based srp authentication system that can be configured in the absence of couchdb or the LEAP webapp). Once this is done, it would be very easy to code a demo application that showcases how the Soledad library can be used. Interesting project ideas are either a password manager, or an address book (see the section "New Services"). + +* Contact: kali, drebs +* Difficulty: medium +* Priority: High +* Skills: python, Qt, test driven development. + +### JSON1 extension backend for SQLCipher + +After U1DB was written, SQLite featured a JSON extension. This would greatly simplify the sqlite backend for Soledad, since we can store json documents directly into sqlite, and create complex indexes without the ned to use intermediate tables. + +* Contact: drebs, kali +* Difficulty: hard +* Priority: High +* Skills: SQL, python or c. + Linux --------------------------- 
@@ -52,7 +129,7 @@ Linux The Bitmask client application is entirely ported to Debian, with every dependency library now submitted to unstable. However, many of these packages are not in other flavors of linux, including RedHat/Fedora, SUSE, Arch, Gentoo. -* Contact: kali, micah, ivan +* Contact: kali, micah * Difficulty: Medium * Skills: Linux packaging @@ -60,28 +137,10 @@ The Bitmask client application is entirely ported to Debian, with every dependen The Bitmask client application is entirely ported to Debian, with every dependency library now submitted to unstable. However, many of these packages are not in *BSD. -* Contact: ivan +* Contact: kali * Difficulty: Medium * Skills: BSD packaging -Mac OS -------------------------- - -### Proper privileged execution on Mac - -We are currently running openvpn through cocoasudo to run OpenVPN with admin privs, we should not depend on a third party app and handle that ourselves. The proper way to do this is with [Service Management framework](https://developer.apple.com/library/mac/#samplecode/SMJobBless/Introduction/Intro.html). - -* Contact: ivan, kali -* Difficulty: Medium -* Skills: Mac programming - -### Prevent DNS leakage on Mac OS - -Currently, we block DNS leakage on the OpenVPN gateway. This works, but it would be better to do this on the client. The problem is there are a lot of weird edge cases that can lead to DNS leakage. See [dnsleaktest.com](http://www.dnsleaktest.com/) for more information. - -* Contact: kali, ivan -* Difficulty: Medium -* Skills: Mac programming Windows ------------------------------- @@ -90,7 +149,7 @@ Windows The bundle needs to be a proper signed application in order to make it safer and more usable when we need administrative privileges to run things like OpenVPN. -* Contact: ivan +* Contact: kali, meskio * Difficulty: Easy to medium * Skills: Windows programming 
@@ -98,7 +157,7 @@ The bundle needs to be a proper signed application in order to make it safer and Right now we are building OpenVPN with a manifest so that it's run as Administrator. Perhaps it would be better to handle this with User Account Control. -* Contact: ivan, kali +* Contact: kali, meskio * Difficulty: Medium * Skills: Windows programming @@ -106,7 +165,7 @@ Right now we are building OpenVPN with a manifest so that it's run as Administra Currently, we block DNS leakage on the OpenVPN gateway. This works, but it would be better to do this on the client. The problem is there are a lot of weird edge cases that can lead to DNS leakage. See [dnsleaktest.com](http://www.dnsleaktest.com/) for more information. -* Contact: kali, ivan +* Contact: kali, meskio * Difficulty: Medium * Skills: Windows programming @@ -114,15 +173,15 @@ Currently, we block DNS leakage on the OpenVPN gateway. This works, but it would We dropped Windows support because we couldn't keep up with all the platforms, Windows support should be re-added, which means making sure that the gpg modules, Soledad and all the other components are written in a proper multiplatform manner. -* Contact: ivan, drebs +* Contact: kali, drebs * Difficulty: Easy to Medium * Skills: Windows programming, Python ### Create proper Windows installer for the bundle -We are aiming to distributing bundles with everything needed in them, but an amount of users will want a proper Windows installer and we should provide one. +We are aiming to distributing bundles with everything needed in them, but an amount of users will want a proper Windows installer and we should provide one. There is some previous work involving building a bitmask installer from within linux, using docker, wine and MinGW. -* Contact: ivan, kali +* Contact: kali * Difficulty: Medium * Skills: Windows programming 
@@ -130,7 +189,7 @@ We are aiming to distributing bundles with everything needed in them, but an amo All the python modules tend to be built with migw32. The current Windows bundle is completely built with migw32 for this reason. Proper Windows support means using Visual Studio (and in our case, the Express edition, unless the proper licenses are bought). -* Contact: ivan +* Contact: kali * Difficuty: Medium to Hard * Skills: Windows programming 
@@ -138,18 +197,27 @@ All the python modules tend to be built with migw32. The current Windows bundle We have support for Windows 32bits, 64bits seems to be able to use that, except for the TAP driver for OpenVPN. So this task is either really easy because it's a matter of calling the installer in a certain way or really hard because it involves low level driver handling or something like that. -* Contact: ivan +* Contact: kali * Difficulty: Either hard or really easy. * Skills: Windows programming Android ---------------------------------------------- +### Customization and branding for selected VPN providers. + +Some providers might want to customize the look and feel of the android app, so that they can publish an application that is pre-configured to connect to their gateways. In order to do this, we need to create a build setup that allows customiziation for different providers. From the current application, the provider selection and onboarding steps also need to be removed. An specific donation option would also be needed. + +* Contact: cyberta, meskio +* Difficulty: easy +* Priority: medium +* Skills: Android programming + ### Dynamic OpenVPN configuration Currently the Android app chooses which VPN gateway to connect to based on the least difference of timezones and establishes a configuration for connecting to it by a biased selection of options (port, proto, etc) from the set declared by the provider through the API. For cases where a gateway is unavailable or a network is restricting traffic that our configuration matches (e.g. UDP out to port 443), being able to attempt different configurations or gateways would help finding a configuration that worked. -* Contact: parmegv +* Contact: cyberta * Difficulty: Easy * Skills: Android programming 
@@ -175,25 +243,11 @@ Installer and Build Process ### Reproducible builds with Gitian for bundles -We rely on a group of binary components in our bundles, these include libraries like boost, Qt, PySide, pycryptopp among many others. All these should be built in a reproducible way in order to be able to sign the bundles from many points without the need to actually having to send the bundle from the main place it gets built to the rest of the signers. This will also allow a better integration with our automatic updates infrastructure. +We rely on a group of binary components in our bundles, these include libraries like zmq, Qt, PySide, or openssl, among many others. All these should be built in a reproducible way in order to be able to sign the bundles from many points without the need to actually having to send the bundle from the main place it gets built to the rest of the signers. This will also allow a better integration with our automatic updates infrastructure. -* Contact: ivan +* Contact: kali * Difficulty: Medium to hard -### Automatic dependency collector for bundle creation - -The bundles are now used as a template for new versions, the first bundle was basically built by hand, adding one dependency after the other until it all worked. We would like to automate this process completely, since new dependencies tend to be added at certain points. One possibility would be to use PyInstaller dependency recollection code, another would be to use some of Python's module introspection to recursively collect dependencies. - -* Contact: ivan, kali -* Difficulty: Medium to hard - -### Lightweight network installer - -The bundles are big. It would be great if we could reduce its size, but that's not always possible when you are providing so many different things in one application. 
One way to work around this would be to have a really tiny application that runs Thandy, has the proper certificates and has a tiny lightweight UI so that the user can install the bundle's packages one by one and even pick parts that the user might not want. Just want to run Email? Then there's no need to download OpenVPN and all the chat and file sync code. - -* Contact: ivan -* Difficulty: Medium -* Skills: C/C++, Python New Services ---------------------------------- @@ -202,7 +256,7 @@ New Services There are multiple password keepers that exist today, but they don't necessarily have a way to sync your passwords from device to device. Building a Soledad backed password keeper would solve all these problems implicitly, it's only a matter of UI and random password generation. -* Contact: drebs, ivan, elijah +* Contact: drebs, elijah * Priority: Low * Difficulty: Easy to medium * Skills: Python @@ -211,7 +265,7 @@ There are multiple password keepers that exist today, but they don't necessarily This idea is basically a simple note pad application that saves all its notes as Soledad documents and syncs them securely against a Soledad server. -* Contact: ivan, kali, drebs +* Contact: kali, drebs * Priority: Low * Difficulty: Easy to medium * Skills: Python @@ -224,7 +278,7 @@ Miscellaneous The idea is to allow or require tokens in the new user signup process. These tokens might allow to claim a particular username, give you a credit when you sign up, allow you to sign up, etc. * Dependency: token-based signup in webapp API. -* Contact: elijah, ivan +* Contact: elijah * Difficulty: Easy * Skills: Python 
@@ -232,21 +286,21 @@ The idea is to allow or require tokens in the new user signup process. These tok One thing that we really need is a team of people that is constantly updating their versions of the code and testing the new additions. Basic knowledge of Git would be needed, and some really basic Python. -* Contact: mcnair, elijah, ivan +* Contact: mcnair, elijah * Difficulty: Easy to medium, depending on the QA team that is managed. ### Translations Do you speak a language that's not English? Great! We can use your help! We are always looking for translators for every language possible. -* Contact: ivan, kali, ivan +* Contact: kali, meskio * Difficulty: Easy ### Support for OpenPGP smart cards A really nice piece of hardware is OpenPGP smart cards. What would be needed is a way to save the generated key in the smart card instead of in Soledad (or both, should be configurable enough) and then migrate the regular OpenPGP workflow to support these change. -* Contact: ivan, drebs +* Contact: drebs * Difficulty: Medium ### Device blessing @@ -261,7 +315,7 @@ Add the option to require a one-time code in order to allow an additional device There are situations where the service provider you are using through the bitmask client might want to notify some event to all its users. May be some downtime, or any other problems or situations. There should be an easy way to push such notifications to the client. -* Contact: ivan, elijah +* Contact: elijah * Difficulty: Easy * Skills: Python @@ -269,7 +323,7 @@ There are situations where the service provider you are using through the bitmas Some users might be in situations where being caught with software like OpenVPN is illegal or basically just problematic. There should be a quick way to wipe the existence of the whole bundle and your identity from provider. -* Contact: ivan, kali, ivan, elijah +* Contact: kali, elijah * Difficulty: Easy * Skills: Python 
@@ -282,18 +336,18 @@ Soledad Server ### Add support for quota -Soledad server only handles authentication and basic interaction for sync, it would be good to have a way to limit the quota each user has to use and enforce it through the server. +Soledad server only handles authentication and basic interaction for sync. The recent blobs implementation has a very basic implementation of user quotas, but it needs to be made more efficient and cover some corner cases. -* Contact: ivan, drebs +* Contact: drebs, kali. * Priority: Medium -* Difficulty: Medium +* Difficulty: easy * Skills: Python ### Add support for easier soledad server deployment Currently Soledad relies on a fairly complex CouchDB setup. It can be deployed with just one CouchDB instance, but may be if you are just using one instance you might be good enough with SQLite or other easy to setup storage methods. The same applies to authentication, may be you want a handful of users to be able to use your Soledad sever, in which case something like certificate client authentication might be enough. So it would be good to support these non-scalable options for deploying a Soledad server. -* Contact: ivan, drebs +* Contact: drebs * Priority: Low * Difficulty: Medium * Skills: Python 
@@ -302,11 +356,20 @@ Currently Soledad relies on a fairly complex CouchDB setup. It can be deployed w Bootstrapping Soledad and being able to sync with it is not a necessarily easy task, you need to take care of auth and other values like server, port, user id. Having an easy to use command line interface application that can interact with Soledad would ease testing both on the client as on the server. -* Contact: ivan, drebs +* Contact: drebs * Priority: Low * Difficulty: Easy * SKills: Python +### Pluggable authentication system + +Currently, soledad depends on couchdb and the LEAP platform to be deployed. For testing purposes, and for lightweight deployments, a simpler token-based authentication system would be very useful. + +* Contact: drebs, kali +* Priority: medium +* Difficulty: easy +* Skills: python, twisted. + ### Federated Soledad Currently, each user's Soledad database is their own and no one else ever has access. It would be mighty useful to allow two or more users to share a Solidad database. This would allow us to use Soledad for a shared calendar, for example. @@ -381,7 +444,7 @@ Sometimes simple push notifications aren't enough, you may want to mail a newsle ### Add support for quota -Description: Once the Soledad server quota enforcement code is in place, it would be good to have the ability to configure the quota for a user and check the user's quota via the webapp. +Description: Once the Soledad server quota enforcement code is in place (there is some preliminar implementation in soledad using blobs), it would be good to have the ability to configure the quota for a user and check the user's quota via the webapp. * Dependency: Soledad server quota enforcement. * Contact: azul, elijah -- cgit v1.2.3
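Review bot: in the hunk at @@ -12,6 +12,65 @@, the new "OpenVPN usage improvements" entry bundles several separable tasks under a single "Difficulty: medium": udp-first with tcp fallback, connecting to providers over IPv6, allowing IPv6 inside the tunnel with a firewall that prevents leaks, and the hardening list (ciphersuite selection, minimum tls version, more frequent key renegotiation, blocking outside dns, obfuscation). Splitting these into separate entries, each with its own priority and difficulty, would let a contributor pick one up. The sentence "The current firewall blocks all the IPv6 traffic from being routed over the VPN" should also say whether IPv6 is dropped on the client or simply not tunnelled, since that is the baseline anyone working on leak prevention needs. Spelling in the same hunk: "wich" (twice), "posibility", "for to run", "stablish", "ciphersuit", "mimick".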
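Review bot: in the hunk at @@ -40,11 +99,29 @@, the heading "JSON1 extension backend for SQLCipher" names SQLCipher, but the body only talks about storing json documents "directly into sqlite". Since the context line above describes Soledad as client-encrypted, the entry should state that the documents stay in the encrypted SQLCipher database and that the JSON extension has to be available there, otherwise a reader can take it as a move to plain sqlite. Also "without the ned to use" should read "need", and the "Soledad standalone app" entry lists Qt under Skills without the description saying what the UI part of the task is.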
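Review bot: the hunk at @@ -60,28 +137,10 @@ deletes the whole "Mac OS" section, including "Proper privileged execution on Mac" (OpenVPN run with admin privileges through cocoasudo) and "Prevent DNS leakage on Mac OS", while the matching Windows DNS leakage entry is kept in the hunk at @@ -106,7 +165,7 @@. The subject "updated project ideas" does not say whether these two items were completed or dropped. If they are done, say so in the commit message; if they are still open, keep them and only update the contact lines as was done for Windows.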
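Review bot: in the hunk at @@ -282,18 +336,18 @@, the "Add support for quota" entry changes "Difficulty: Medium" to "Difficulty: easy" while the new text says the blobs quota code "needs to be made more efficient and cover some corner cases", which does not read as an easy task. The rewritten description also no longer says that the server should enforce the limit, yet the webapp entry touched in the hunk at @@ -381,7 +444,7 @@ still lists "Dependency: Soledad server quota enforcement"; keeping the word "enforce" in the server entry would keep the two consistent. Minor points: "Contact: drebs, kali." has a trailing period that the other contact lines do not, and "preliminar" in the webapp entry should be "preliminary".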
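Review bot: in the hunk at @@ -302,11 +356,20 @@, the new "Pluggable authentication system" entry overlaps with the "Soledad standalone app" entry added in the hunk at @@ -40,11 +99,29 @@, which already asks for "a lightweight implementation of the token-based srp authentication system that can be configured in the absence of couchdb or the LEAP webapp". One entry should own the authentication work and the other should reference it as a dependency, in the way the signup token entry uses a "Dependency:" line. The entry should also say whether the simpler token-based system is meant only for testing and lightweight deployments or is an alternative to the existing one, since the text currently gives both readings.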