On self-hosting the project

by Michael Tremer, August 1, 2019

Do you like what you are reading? Subscribe to our newsletter and don't miss out on the latest...   Join Now

Donate

Something that I cannot highlight often enough, but never did in writing is, that the IPFire Project is entirely self-hosted. We host all services for our developers and users ourselves. We do not use any big services from any third-parties and never share any user-data.

This is quite important to myself and others in the team, because it has many implications that are not very easy to see: IPFire is being used by many individuals and organisations with a higher need for security. They are a regularly targeted. Although this is not a problem for the average user of IPFire, it still helps to keep a low-profile wherever possible.

Actually not our rack

A change that we recently introduced was that pakfire only downloads updates over HTTPS. We encouraged our mirror servers to add HTTPS if they did not already support it and made sure that nobody who is able to intercept traffic on the way is able to figure out which version of IPFire is being used and which add-ons have been installed. A small thing, but it protects quite important pieces of information.

As you will have noticed, we have mirrors which we don't all host ourselves. There is a main mirror run by the project, but all others are being operated by large universities with loads of bandwidth and other people.

We host our emails ourselves so that security vulnerabilities cannot be seen by somebody else before they reach us - in case there are any. We run a VoIP server which is able to encrypt calls when the endpoints support it. We run our own Jabber server for easy and secure communication between each other. Our forum data is stored on our own SSDs as is everything else.

Avoiding large corporations

In this blog post, I do not have the time to talk about why we avoid each and every one of them, but I think that you can come up with enough reasons for some of them.

We do not use GitHub - although we mirror our code there; we do not use PayPal any more. We do not have our email in Google Mail or host our community anywhere else. Nobody has control over our domain names and many things more...

They are all subject to one and the same jurisdiction we have little knowledge about and no influence on. Other projects had to defend themselves against some of those businesses or changes of policy that had to be carried out by them and that did usually not end well. We are a small project and do not have enough weight that we can put up against them if we needed to. On the other hand, we deal with security and the privacy of individuals that have a heightened need of it. Things that are simply incompatible.

It's a lot of effort

All this is a lot of work. But we think that it is worth it. It makes our lives a lot easier in the long term by being able to customise all services as we need them. It makes our lives also easier because we have built the security into our services and we do not have to spend an extra thought on that.

We also gained a lot of experience in running many services without using automatic tools that run them. We wrote loads of scripts and thousands of lines of configuration. As a reward for this, we have full control over everything we are running.

I hope that I and others will find some time to talk about individual services, why they exist and what makes them special. I think there is so many outstanding features that we are running that are basically invisible, but quite vital to achieve the goals pointed out above.