The Webconverger project released its latest update on April 7. The distribution is targeted at web kiosk usage, providing only a minimal OS and the packages required to run a modern browser. Version 12.x includes several significant changes, however, including support for installing to disk (rather than offering live-mode only), a commercial configuration and update service, and hosting the entire OS in a Git repository.
Webconverger in a nutshell
By "kiosk" usage, the project means something rather specific. It is designed to support
intermittent, anonymous users in an environment where system administrators
are hard to come by. The examples listed on the project's commercial support page include
unrestricted environments like libraries and public gathering spots, plus
businesses with more specific needs (like retail banks or doctors'
offices). In all cases, it is important that the user's private
information be wiped as soon as the session ends, and that the kiosk cannot
be altered to change browser or OS settings. The expectation is that with any sort of problem, from a power loss to a browser crash, the system will reboot quickly into a known good state.
Historically that has meant running only in live-mode, from a read-only
medium such as a CD or a USB flash drive that is physically inaccessible to
the user. The OS uses DHCP to configure networking, and boots into a
session running the minimalist dwm
window manager along with a version of Firefox customized with kiosk-oriented extensions. The underlying OS is based on Debian Live, and is compiled to run on 486 processors to offer maximum compatibility with older hardware.
The freely available version of Webconverger offers no persistent
customization; it will boot to a pre-configured home page inviting you to
sign up for the Webconverger remote configuration service. The service
allows subscribers to choose a custom start page, adjust or disable the
length of the session-resetting timeout, and
to remove the address bar chrome to prevent users from navigating off into
the wild. The service is Webconverger founder Kai Hendry's mechanism for
supporting development; it works by contacting the the Webconverger configuration server at boot
time and sending a machine ID code (generated from the BIOS UUID and
network interface MAC address), then retrieving the customization details
if the account is paid up.
However, you can also specify a range of options at the boot prompt, including the all of the
aforementioned customizations available for subscribers, plus display
settings, WiFi configuration, internationalization, and debug mode. These
options do not survive an unattended reboot, though. If you want your
kiosk to start up in something other than the default configuration
(including the Webconverger sign-up form as a home page), then your choices
are manually rebuilding the ISO and changing the default bootloader
options, or signing up for the paid configuration service. You might find
other users on the mailing list who have walked down the manual-rebuild
road, but the project offers no support for this option.
Firefox is currently the only browser offered (technically, the package
is Debian's Iceweasel, but the Webconverger documentation is not strict
about the name). The kiosk-mode features are implemented in a suite of open source extensions authored by the Webconverger team: webconverger removes the menu bar and disables keyboard access to many of the Firefox configuration tools, while webcnoaddressbar and webcfullscreen simply remove the address bar and start the browser in full-screen mode, respectively.
A few add-ons and auxiliary packages round out the "web experience"
— including the Adobe Flash plug-in and a PDF reader. Although
Webconverger attempts to preserve user privacy by disabling browsing
history and wiping all private data after each session, it is obviously
possible for users to visit unsafe sites, recklessly avoid SSL, or expose
themselves to attack by other means. The distribution attempts to
guarantee security by
having no superuser account and running from read-only media, but the
guarantee is essentially machine-level security; a privacy tool
like HTTPS Everywhere is
not part of the experience.
7 release is numbered 12.3, and is a minor update to the 12.x series that debuted at the end of March. Downloadable ISO images weigh in at 450MB. The biggest change in this release series is the addition of a hard-disk install option. Obviously such an option dramatically shifts the security profile, since flipping the reset switch and rebooting from read-only media is no longer the simple recovery option.
The project's strategy
for securing the system under these circumstances is to maintain the entire OS in a GitHub-hosted Git repository. On an installed system, there is a .git directory (in /) pointing to the official repository. An updater script periodically checks for commits in the repository with a specific tag, and fetches them. At the next reboot, the updated files are merged into the filesystem.
The state of update verification is a little unclear, though. A blog post from April 9 indicates that for now the updater does not verify signatures on the commits, but that the feature has been added to development builds. However, the 12.3 release notes (from April 7), say that the updater runs signed code, and that it checks to see that the signing keys have not been revoked before doing so. Whatever the exact state of the security retooling is, the project does attempt to make it clear that a hard disk install cannot be regarded as being as secure as a live system, and warns concerned users to stick with the live option.
The other noteworthy change in 12.x is that Firefox has been updated to the 10.0.3 Extended Support Release (ESR) version. The ESR versions of Firefox are Mozilla's attempt to designate certain releases for one full year of security and critical updates — in contrast to the now six-week lifespan of Firefox releases for everyone else. The program is the result of Mozilla's Enterprise Working Group, a forum the project established to cooperate with enterprise IT and other large-deployment users who were unhappy with cost and headaches that the rapid-release-cycle was predicted to generate.
Many web kiosks might fall under the same IT rules as large enterprises;
they are designed to run unattended, and re-installing a browser every six
weeks certainly means more work. The interesting wrinkle is that
Webconverger itself has historically released several updates per year. In
an email, Hendry said that Webconverger is shifting its focus to following
the ESR releases — although, he added, that plan hinges on what
happens with the upstream distribution. "We do not have a fixed
position really, we are looking for a stable, secure and up-to-date HTML5
browsing experience ultimately."
Kiosk mode is not for everyone; the browser-only OS model envisioned by
Mozilla's Boot-to-Gecko and Google's ChromeOS is for a lightweight,
persistent environment that centers on the browser. Webconverger is for
institutions who need to make the web accessible to strangers for a few
minutes at a time. It has its limitations — for example, although
it is possible to manually tweak and rebuild the ISO (such as to add new or different add-ons),
the project offers no support for such endeavors. It is focused solely
on the boot-it-and-forget-it model, with an eye towards attracting paying
customers. Perhaps some users will put a peculiar new spin on the
primary use-case, such as deploying it as an instant-on option for a
But for the most
part, web kiosks are likely to remain an island unto themselves. At least
they have a free software project devoted to their care. It is regrettable
that the project does not support customization, though — it is
within Webconverger's rights to push everyone towards its paid service, and
other distributions (such as RHEL) do exactly the same thing. But the
project may want to look over its shoulder now and then; RHEL has
clones and competitors picking up business from those who don't care for
Red Hat's corporate pricing, and kiosk customization is a lot simpler to
duplicate than an enterprise support service.
to post comments)