April 11, 2012
This article was contributed by Nathan Willis
The Webconverger project released its latest update on April 7. The distribution is targeted at web kiosk usage, providing only a minimal OS and the packages required to run a modern browser. Version 12.x includes several significant changes, however, including support for installing to disk (rather than offering live-mode only), a commercial configuration and update service, and hosting the entire OS in a Git repository.
Webconverger in a nutshell
By "kiosk" usage, the project means something rather specific. It is designed to support
intermittent, anonymous users in an environment where system administrators
are hard to come by. The examples listed on the project's commercial support page include
unrestricted environments like libraries and public gathering spots, plus
businesses with more specific needs (like retail banks or doctors'
offices). In all cases, it is important that the user's private
information be wiped as soon as the session ends, and that the kiosk cannot
be altered to change browser or OS settings. The expectation is that with any sort of problem, from a power loss to a browser crash, the system will reboot quickly into a known good state.
Historically that has meant running only in live-mode, from a read-only
medium such as a CD or a USB flash drive that is physically inaccessible to
the user. The OS uses DHCP to configure networking, and boots into a
session running the minimalist dwm
window manager along with a version of Firefox customized with kiosk-oriented extensions. The underlying OS is based on Debian Live, and is compiled to run on 486 processors to offer maximum compatibility with older hardware.
The freely available version of Webconverger offers no persistent
customization; it will boot to a pre-configured home page inviting you to
sign up for the Webconverger remote configuration service. The service
allows subscribers to choose a custom start page, adjust or disable the
length of the session-resetting timeout, and
to remove the address bar chrome to prevent users from navigating off into
the wild. The service is Webconverger founder Kai Hendry's mechanism for
supporting development; it works by contacting the Webconverger configuration server at boot
time and sending a machine ID code (generated from the BIOS UUID and
network interface MAC address), then retrieving the customization details
if the account is paid up.
However, you can also specify a range of options at the boot prompt, including all of the
aforementioned customizations available for subscribers, plus display
settings, WiFi configuration, internationalization, and debug mode. These
options do not survive an unattended reboot, though. If you want your
kiosk to start up in something other than the default configuration
(including the Webconverger sign-up form as a home page), then your choices
are manually rebuilding the ISO and changing the default bootloader
options, or signing up for the paid configuration service. You might find
other users on the mailing list who have walked down the manual-rebuild
road, but the project offers no support for this option.
Firefox is currently the only browser offered (technically, the package
is Debian's Iceweasel, but the Webconverger documentation is not strict
about the name). The kiosk-mode features are implemented in a suite of open source extensions authored by the Webconverger team: webconverger removes the menu bar and disables keyboard access to many of the Firefox configuration tools, while webcnoaddressbar and webcfullscreen simply remove the address bar and start the browser in full-screen mode, respectively.
A few add-ons and auxiliary packages round out the "web experience"
— including the Adobe Flash plug-in and a PDF reader. Although
Webconverger attempts to preserve user privacy by disabling browsing
history and wiping all private data after each session, it is obviously
possible for users to visit unsafe sites, recklessly avoid SSL, or expose
themselves to attack by other means. The distribution attempts to
guarantee security by
having no superuser account and running from read-only media, but the
guarantee is essentially machine-level security; a privacy tool
like HTTPS Everywhere is
not part of the experience.
What's new
The April
7 release is numbered 12.3, and is a minor update to the 12.x series that debuted at the end of March. Downloadable ISO images weigh in at 450MB. The biggest change in this release series is the addition of a hard-disk install option. Obviously such an option dramatically shifts the security profile, since flipping the reset switch and rebooting from read-only media is no longer the simple recovery option.
The project's strategy
for securing the system under these circumstances is to maintain the entire OS in a GitHub-hosted Git repository. On an installed system, there is a .git directory (in /) pointing to the official repository. An updater script periodically checks for commits in the repository with a specific tag, and fetches them. At the next reboot, the updated files are merged into the filesystem.
The state of update verification is a little unclear, though. A blog post from April 9 indicates that for now the updater does not verify signatures on the commits, but that the feature has been added to development builds. However, the 12.3 release notes (from April 7) say that the updater runs signed code, and that it checks to see that the signing keys have not been revoked before doing so. Whatever the exact state of the security retooling is, the project does attempt to make it clear that a hard disk install cannot be regarded as being as secure as a live system, and warns concerned users to stick with the live option.
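To make the difference between the two descriptions concrete, here is a sketch of a fail-closed updater for a Git-hosted OS tree; it is an added example, not Webconverger's updater script and not code from the article. The tag pattern `release-*`, the remote name `origin`, and the presence of the release signing key in the local GnuPG keyring are assumptions.

```shell
#!/bin/sh
# Added illustration: only merge a fetched update if its tag signature verifies.
# Assumptions (not from Webconverger): tags named "release-*", remote "origin",
# and the release signing key already imported into the local GnuPG keyring.

# Print the newest tag matching a pattern, ordered by tag creation date.
newest_tag() {
    repo=$1
    pattern=$2
    git -C "$repo" tag --list --sort=-creatordate "$pattern" | head -n 1
}

# Fast-forward the checkout to $tag only when `git verify-tag` accepts it.
apply_verified_tag() {
    repo=$1
    tag=$2
    if [ -z "$tag" ]; then
        echo "no candidate tag found" >&2
        return 2
    fi
    # verify-tag exits non-zero for lightweight tags, unsigned annotated tags,
    # and tags whose signature GnuPG does not report as good.
    if ! git -C "$repo" verify-tag "$tag" >/dev/null 2>&1; then
        echo "refusing $tag: signature not verified" >&2
        return 1
    fi
    # --ff-only refuses history that does not descend from the current tree.
    git -C "$repo" merge --ff-only "$tag^{commit}"
}

# Fetch tags from the remote, then apply the newest one if it verifies.
update() {
    repo=$1
    pattern=${2:-release-*}
    git -C "$repo" fetch --quiet --tags origin || return 3
    apply_verified_tag "$repo" "$(newest_tag "$repo" "$pattern")"
}

# Usage (e.g. from a periodic job):  update / 'release-*'
```

An updater that skips the `verify-tag` step trusts whatever the remote serves; with it, a tag pushed without the signing key is fetched but never merged.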
The other noteworthy change in 12.x is that Firefox has been updated to the 10.0.3 Extended Support Release (ESR) version. The ESR versions of Firefox are Mozilla's attempt to designate certain releases for one full year of security and critical updates — in contrast to the now six-week lifespan of Firefox releases for everyone else. The program is the result of Mozilla's Enterprise Working Group, a forum the project established to cooperate with enterprise IT and other large-deployment users who were unhappy with the cost and headaches that the rapid release cycle was predicted to generate.
Many web kiosks might fall under the same IT rules as large enterprises;
they are designed to run unattended, and re-installing a browser every six
weeks certainly means more work. The interesting wrinkle is that
Webconverger itself has historically released several updates per year. In
an email, Hendry said that Webconverger is shifting its focus to following
the ESR releases — although, he added, that plan hinges on what
happens with the upstream distribution. "We do not have a fixed
position really, we are looking for a stable, secure and up-to-date HTML5
browsing experience ultimately."
Kiosk mode is not for everyone; the browser-only OS model envisioned by
Mozilla's Boot-to-Gecko and Google's ChromeOS is for a lightweight,
persistent environment that centers on the browser. Webconverger is for
institutions who need to make the web accessible to strangers for a few
minutes at a time. It has its limitations — for example, although
it is possible to manually tweak and rebuild the ISO (such as to add new or different add-ons),
the project offers no support for such endeavors. It is focused solely
on the boot-it-and-forget-it model, with an eye towards attracting paying
customers. Perhaps some users will put a peculiar new spin on the
primary use-case, such as deploying it as an instant-on option for a
secondary OS.
But for the most
part, web kiosks are likely to remain an island unto themselves. At least
they have a free software project devoted to their care. It is regrettable
that the project does not support customization, though — it is
certainly
within Webconverger's rights to push everyone towards its paid service, and
other distributions (such as RHEL) do exactly the same thing. But the
project may want to look over its shoulder now and then; RHEL has
clones and competitors picking up business from those who don't care for
Red Hat's corporate pricing, and kiosk customization is a lot simpler to
duplicate than an enterprise support service.