Continuing the discussion from Tor project support of Whonix:
I have also been thinking about how to strengthen our Whonix community for a while. I am going to present my ideas below and please feel free to share your insights, too.
What Whonix needs most right now?
In my opinion, contributors are the most valuable resource to an open source/free software project. It is even more important than donation. This is because when a person is driven and motivated by the incentive interest, his/her productivity and creativity can exceed several well-paid workers adding up together. Just looking at those familiar and lovely faces in the Whonix, you will understand how energetic a contributor can be.
My guess is there are potentially a lot of people who really would love to contribute to the Whonix community. One critical problem to them may be Whonix is not very contributor friendly right now. @Tibo 's question on how to contribute to Whonix also reflects the problem.
How to make Whonix more contributor friendly?
onionshare, as an open-source project, has a very high contribution rate comparing to other projects. It is not an coincident that it is contributor friendly at the same time. From my personal experience, I was able to use one afternoon to read the code and do a contribution even though I had never used it before. It is unfair to compare it directly with Whonix because of the scale difference between the two projects. But the concluded secret to its success in the post will benefit Whonix, too:
I did learn a lot from onionshare especially in terms of making a project contributor-friendly. I have concluded what I learned as follows and I would really appreciate if there is anything you would like to share on this:
Being responsive and constructive to issue
- politely ask people who report the issue if they can help with that
- let them do not panic because you will be able to help them
Being responsive and constructive to PR
- what @mig5 has been doing (at least) in this PR is exemplary
Provide a BUILD.md to guide developers to setup the environment:
- how to get source code
- how to install needed dependencies
- how to test the application
- how to build a package
Low coupling design and code
Low coupling design and Low coupling code make it much easier to add additional features on the existing one (my first commit on this PR https://github.com/micahflee/onionshare/pull/610/commits/b2c310f2e01ba192b9c78f51313c33bbc0002579 has only one line deleted which indicates onionshare has done an excellent job on this.)
Provide a dev_script to “[l]oad onionshare module and resources from the source code tree” so that tester does not have to spend time building it and then testing it for every single change.
Robust unit tests to expose most of the problem immediate (helping contributor with the debugging)
Apart from the points mentioned above, there are many other things that could help Whonix becomes more contributor friendly.
Better Contribution Guide
I consider presenting people with a better guide to contribute, is the first priority to make it contributor friendly. I have been preparing and will release a guide on the Whonix workflow and this is part of the discussion.
A full picture of Whonix
Potential contributors and even users may also need a more general picture on how Whonix works to understand the beauty of its design. This demonstration can be done by a problem-driven article. For examples:
- Tor Browser is only one step away from de-anonymization --> then you may use a system that rejects all the non-Tor connections.
- The rejection of non-Tor traffic is controlled by an application which can be disabled once the system got root-privilege compromise --> Then how about two VMs for isolation.
- Tor bundled application in Whonix-Workstation and the Tor installed in Whonix-Gateway will create a Tor-over-Tor situation --> Then disabled the stacked-Tor by providing wrapper in Whonix-Workstation.
- Tor Applications in Whonix-Workstation need to talk to the Tor control port --> Then we need to filter the messages from Whonix-Workstation since it should not be trusted.
- There is identity correlation attack --> Whonix helps you with stream isolation for popular applications by default.
Better package description
The questions above can also be used in the packages introduction on Github. Whonix uses a script to auto-generate Github introduction, however, there are many redundant parts making the README of each package not easy to read. It is true that having some redundant parts is much better than leaving it blank, but it will definitely attract more people to look into the packages on Github if we could provide a well-written introduction and may be even a GIF picture in the README in the future.
A Whonix people page
A Whonix people page will make people feel their work is appreciated and let them have a much stronger sense of belonging to a community. The people page will also help people get familiar with the community members quickly and know who they should talk to when having a problem/idea.
To clarify, Whonix does have a maintainer list in Whonix wiki. But it is not like what Tor and Qubes have:
Google Summer of Code and Outreachy
I just realized that Whonix could apply for the GSoC and Outreachy itself and GSoC policy may even prefer Whonix than those more famous projects. We should definitely take these opportunities.
How to make Whonix more well-known
We noticed that even some people who use Tails had never heard of Whonix. To increase the popularity of Whonix, I came up with the following ideas.
Recommendation from well-known people
It would be nice if people can publicly support Whonix and we quote their words to promote Whonix, like what Qubes does on its homepage. However, I also understand that recommending a project can be a huge responsibility and people will think twice before doing it.
Non-stopping commiting to the project may not be as noticeable as doing a release to the people outside of the community. We may consider doing more small release frequently than doing a huge release after a long time (like Whonix 13 -> 14).
Slashdot, Hacknews and blogging
When we do a release, submitting an article (probably just part of a Whonix Blog) to the Tech/Geek news will help draw more attention to our project.
Making Whonix support different languages may increase the user base greatly, which will in turn increase the potential contributor base.
How to make Whonix organization structure healthier
Avoid single point failure
@Patrick as the lead developer of Whonix has been involving into and taking care of almost every single part of the Whonix. The forum statistic shows that Patrick is the “most replied to” person for most of the contributors. However, considering the resource a human being can spend, this centralized communication and working mode is not sustainable with the growing of the community. The centralized communication mode will also put Whonix at risk of single point failure. Currently, let’s say, if Patrick suddenly stepped down, it may take a long time for Whonix to recover.
Luckily, many efforts has been made towards this goal. The exemplary interaction and collaboration between @torjunkie and @0brand have shown us working pairs or groups will help Whonix community to be more decentralized. I am also glad to hear that Patrick will focus on the core development because it will make Whonix less centralized, too.
What’s more, to decentralize Whonix organization, it is also important to let more people get familiar with the entire picture of Whonix so that they can in turn help/mentor other new contributors.