Hello Purism community members,
I would appreciate your general thoughts and opinions on the ‘best practice’ ‘highest risk mitigating’ method of running a proprietary software package where no other open-source options presently exist. I am transitioning as much of my workflow to PureOS / Librem 14; however, I cannot avoid the need to run the following (as examples) on the odd occasion:
Rockwell Automation’s Studio 5000 Logix Designer (native to Windows 10)
National Instruments LabView 2021 (a native Red Hat Linux version is available as RPMs)
Some community members may recognise the above as industrial automation applications and whilst I support and have contributed to the open source 4Diac industrial automation project, there are times where the need to use these tools is unavoidable.
Possible methods I can think of are:
- A virtual instance of Windows 10 running in Boxes on PureOS with as many interfaces between virtual and real OS disabled
- WINE style runtime directly on PureOS (Logix Designer)
- Alien conversion of RPMS to DEBS then installed directly on PureOS (LabView)
- WINE / Alien solution but in a sandboxed virtual instance of PureOS in Boxes
- Just don’t do it full stop and get another computer to run these applications only (however I really don’t want to give another $ to big tech)
Looking forward to hearing your opinions / similar dilemmas.
Does the program in question require an internet connection?
Initially both packages use an internet connection for licence activation, however there are offline activation methods, so internet connectivity is not essential.
As I mainly use the software to review and create automation projects, only project files need to be exchanged between the software and the outside world. Occasionally the need arises to connect the software directly via ethernet (TCP/IP) to a target device (controller or I/O chassis).
I’d throw it in a VM, remove the network adapter when not needed, and attach a second virtual disk to move the files back and forth between VM and host, and call it a day.
There are plenty of ways to do this, and the best solution is the one you actually use. After all, if you just give up and go back to running the software locally, it doesn’t matter how secure an alternative was that you didn’t stick with. I personally find VMs to be quite convenient, I know others that hate them and would rather use other container solutions, and I know still others that would rather have the convenience of running locally but with other software monitoring for misbehavior.
For what it’s worth, I use Virtual Machine Manager, not Boxes. I tried Boxes and had worse performance; that may be something unique to my setup, but it’s my experience.
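Added example, not part of any post in this thread: a Python check that lists the host/guest links still present in a libvirt domain definition (the format Virtual Machine Manager stores and `virsh dumpxml` prints), which is one way to confirm the network adapter and other interfaces are actually gone. The domain name, paths and sample XML are constructed for illustration; the second disk is the intended transfer channel and is deliberately not flagged.

```python
import xml.etree.ElementTree as ET

# Constructed sample, in the shape `virsh dumpxml <domain>` prints.
SAMPLE_XML = """<domain type='kvm'>
  <name>win10-logix</name>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/transfer.qcow2'/>
      <target dev='vdb' bus='virtio'/>
    </disk>
    <interface type='network'><source network='default'/></interface>
    <filesystem type='mount'>
      <source dir='/home/user/projects'/>
      <target dir='projects'/>
    </filesystem>
    <redirdev bus='usb' type='spicevmc'/>
    <graphics type='spice'/>
  </devices>
</domain>"""

def audit_domain(xml_text):
    """Return (kind, detail) pairs for each host/guest link in a domain XML."""
    dev = ET.fromstring(xml_text).find("devices")
    if dev is None:
        return []
    found = [("network", nic.get("type", "?")) for nic in dev.findall("interface")]
    for fs in dev.findall("filesystem"):
        src = fs.find("source")
        found.append(("shared-folder", src.get("dir", "?") if src is not None else "?"))
    for tag in ("redirdev", "hostdev"):
        for d in dev.findall(tag):
            found.append(("passthrough", f"{tag}:{d.get('bus') or d.get('type')}"))
    for g in dev.findall("graphics"):
        if g.get("type") != "spice":
            continue
        clip, xfer = g.find("clipboard"), g.find("filetransfer")
        # libvirt permits both unless the XML switches them off explicitly.
        if clip is None or clip.get("copypaste") != "no":
            found.append(("clipboard", "spice copy/paste allowed"))
        if xfer is None or xfer.get("enable") != "no":
            found.append(("file-transfer", "spice file transfer allowed"))
    return found

if __name__ == "__main__":
    for kind, detail in audit_domain(SAMPLE_XML):
        print(f"{kind:14} {detail}")
```

An empty result means the only remaining paths are the virtual disks and the display itself.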
Would your methodology also apply to LabView in my example, where although a Linux binary is available, because the product is closed source and has dependencies on proprietary device drivers it too should be installed only into its own VM running an instance of PureOS, rather than risk running it directly on the host?
I will also take a look at Virtual Machine Manager.
That would be my recommended solution, yes.
Thanks, sounds like a sensible approach.
I would suggest running all that in Qubes OS. It has the best isolation between the VMs and allows precise firewalling of the VMs. I find its UX better than VirtualBox and alike, because virtualization is a part of the main Qubes goal and the UX is made specifically for that.
You could also give $ to Purism here
MANMAN on the HP was also proprietary, but they shipped the source code with the software. If you needed a tweak you could roll your own. So you also needed a FORTRAN compiler.
Since one had to pay for it, would that have made it “OSS” without the “F”?
Thanks for your input, can I experiment with Qubes OS in a virtual machine first, or because it is a hypervisor does it need to be installed on bare metal?
Yes, have already purchased a Librem 14 and it’s on the way, just hoping to make it the one stop shop that can run everything including these proprietary programs. Would be terrible having to get a Microsoft Surface etc etc just to run Studio 5000, if it can be safely run atop PureOS or Qubes on the Librem!
@SILectrix Qubes is designed to run on bare metal. There may be a way to get it to run in a VM, but I can’t imagine it would work out well, especially for a new user.
fwiw… I highly recommend Qubes… yeah, there is a learning curve but it is manageable and it allows you to mitigate many things that would be dangerous on just about any other platform (dodgy USB devices, sketchy email attachments, questionable applications, etc.).
Keep sensitive files stored in virtual machines that have no network connection. Connect USB drives to a VM that has no administrative control of your computer and no network access. Qubes will even allow you to run Windows safely.
Surf the web with a “disposable” virtual machine that gets destroyed every time you shutdown and starts up each time like a freshly installed OS with your browser configured just like you want it. Disposable VMs are like having an infinite supply of brand new socks and razors each morning.
@flopsy This looks like a nice elevator pitch for Qubes, thanks
If you want to try Qubes, it’s recommended to install it on a USB stick, instead of the hard drive. This may be slow however. Nested virtualization is not supported or recommended.
If you have to run proprietary software, then IMHO PureOS security is not enough.
Booting Qubes from USB sounds like a good way to experiment. I have just received my new Librem 14, with PureOS preinstalled, so will do most of my day to day work in PureOS and will evaluate Qubes running Logix Designer and LabView, with the intention of moving over to it full time.