CVM Update/Q&A

joepie91

New Member
Since everybody and their dog have started writing VPS panels, I figured I might as well provide an update on CVM, answering some frequently asked questions.

Is CVM still being developed?

Yes.

Why isn't it done yet?

As the amount of donations I received for CVM were nowhere near covering my living expenses, I had to take on other paid open-source work to keep a roof above my head. This means that a significant chunk of my time is now invested there, and not in CVM.

Aside from this, I've had various things slowing me down; focus issues, having to move, etc.

So what will happen now?

There are no plans to abandon CVM, or change its course.

I currently have a stable income from the other work I took on. This is (barely) enough to cover my living expenses. I am currently renting and not squatting, which means I won't have to move unexpectedly - this greatly helps for my peace of mind :)

I've developed a very specific todo list application to help me get rid of my focus issues, and get more things done. So far, I've noticed an incredible increase in focus, productivity, and overall happiness. Most of my todo list currently consists of CVM-related tasks, so development will move along fairly quickly from now on - my estimate is that while a large chunk of my time goes to aforementioned paid open-source work, I can still put about 30-40% of my development time into CVM.

I've also forced myself to start using a proper branch model in the version control; this should make things less messy and speed up development as a result. The repository, as always, can be followed here (be sure to look at the correct branch).

When will it be done?

Historically speaking, I've been terrible at giving ETAs and actually meeting them. I won't be giving a hard deadline this time - I'd just end up going past it anyway.

As my todo list application is relatively new, I'm still in the process of compiling a full list of what has to be done in CVM. When I have a more complete list, I'll post my CVM todo items in here frequently to give an idea of the progress.

Will it support Xen/KVM/etc.?

The plans for this are still the same as they originally were - the initial version will feature OpenVZ support, and support for KVM and Xen will be added later on. Other virtualization platforms will be considered after that.

How can I send you suggestions/questions/etc.?

Either post in this thread, e-mail me at [email protected], or file a ticket in the GitHub repository (in case of feature requests or suggestions). I'll update this post as new questions are asked and answered.

I also want to emphasize that I provide a 48-hour security patch guarantee. If a vulnerability of some sort is reported to me with enough information to figure out where it is, I guarantee to have a security patch available within 48 hours of the initial report. This obviously does not apply to things that are physically impossible for a human to do in 48 hours, such as rewriting an entire panel - in this case, it will be fixed as soon as humanly possible.

Be sure to send vulnerability reports to [email protected] If I don't hold up to this guarantee, feel free to post everywhere about how I don't take security seriously :)

EDIT: My OTR/GPG keys can be found here.

Conclusion

The last year has been quite challenging for me - I've had a lot of things in my personal life to deal with, quite a lot of distractions, and quite a few large changes. I'm still here, still writing open-source code, and still really wanting to finish CVM - not just the first version, but as a continuously developed project.

Then, a last note to those that are currently working on their own panel: please do realize that writing a proper VPS panel entails a lot of challenges, and one hack or controversy could mean your project is dead in the water. A VPS control panel is one of those things where security is just so vital that you can't afford to compromise on it; don't make the mistake of cutting corners or thinking "oh, I'll fix that vulnerability later". I wish you best of luck, but ensure that you know what you're doing.

 - Sven
 
Last edited by a moderator:

Lee

Retired Staff
Verified Provider
Retired Staff
Since everybody and their dog have started writing VPS panels, I figured I might as well provide an update on CVM, answering some frequently asked questions.
I get this, however it's just another incomplete panel like every other being touted at the moment.  By the time anyone get's one of these panels finished this whole issue with Solus will have blown over and nobody will be interested.

Aside from that I am sure I read this evening as I was browsing that you actively encouraged a DDoS against Buyvm, if that was correct you are hardly an advert for trust when it comes to something as important as this.
 

kaniini

Beware the bunny-rabbit!
Verified Provider
I get this, however it's just another incomplete panel like every other being touted at the moment.  By the time anyone get's one of these panels finished this whole issue with Solus will have blown over and nobody will be interested.

Aside from that I am sure I read this evening as I was browsing that you actively encouraged a DDoS against Buyvm, if that was correct you are hardly an advert for trust when it comes to something as important as this.
Where did he say this?  I've known joepie91 a really long time and it just doesn't seem like something he would do.  But, I could be wrong.
 

joepie91

New Member
I get this, however it's just another incomplete panel like every other being touted at the moment.  By the time anyone get's one of these panels finished this whole issue with Solus will have blown over and nobody will be interested.
Providers have known that there are (security) issues with SolusVM for a long time, it just wasn't considered an urgent issue because nothing was being exploited in the wild. This was also one of the primary reasons for starting development on CVM; the security aspect.

Whether people will 'be interested' or not is irrelevant to me. I'm not trying to jump on a bandwagon and I'm not trying to turn a profit from this. My reason for developing CVM is and has always been offering a secure VPS panel for those that were unhappy about the other existing panels for any reason. I don't doubt that after the SolusVM issues have 'blown over', there will still be providers (or individuals?) that would want to use CVM.

Consider why I've started developing CVM over a year ago, and not just since the whole shitstorm around SolusVM - my goal is not to make CVM popular, my goal is to make it good and freely available for anyone that wishes to use it.

Aside from that I am sure I read this evening as I was browsing that you actively encouraged a DDoS against Buyvm, if that was correct you are hardly an advert for trust when it comes to something as important as this.
This was discussed with Aldryic (and others present in the same channel) on IRC last night, and the topic was brought to a close. I don't really feel like explaining the entire situation here as it's virtually guaranteed to completely derail the thread, but the summary is that I have never had the intention to actually get Frantech attacked or to harm them. If you'd like to know the entire story behind it, send me a PM and I'll gladly explain it to you.

EDIT: Also, CVM is open-source. You can audit the source code yourself and/or have someone else audit it for you.
 
Last edited by a moderator:

Lee

Retired Staff
Verified Provider
Retired Staff
Fair enough and I am not jumping on you in particular however it was admittedly convenient to raise it in this thread that whilst Solusm clearly has it's issues nobody seems to be bringing a polished alternative to the table. 

If anything I cringe at the solutions some appear to be offering right now!
 
Last edited by a moderator:

ErrantWeb-Travis

New Member
Verified Provider
Sounds good, I like the way you are going about this and keeping people updated. I think it will turn out to be a great panel.
 
Top