

Ring: Free software for distributed and secured communication - martgnz
http://ring.cx/en

======
mosselman
Empty promises and no screenshots.

When I click through on one of the blog posts I see:

"Advanced users can also help to correct problems: we welcome contributions.
We expect people to tell us what needs to be corrected, but they can also do
it and submit their patches. This is the way it worked with SFLphone and it
works pretty well."

So you have no idea IF there are any problems, or do you know that there ARE
problems, but you assume they will be corrected soon? If any of the above then
how can you state "Ring gives you a ... an unmatched level of privacy."?

I am sorry to be negative about something that seems like it has our privacy
at heart, but promising privacy when it might not be there at all is reckless.
We in the first world have issues like "I don't want my e-mails scanned by
companies" or "I don't want companies to see what I write", but in other parts
of the worlds you can be killed if the wrong piece of communication falls in
certain hands. So it is pretty important to get it right. You (Ring) provide
no information on the site about the state of the code, reviews being done,
etc.

~~~
Elv13
Ring-KDE announcment: [https://elv13.wordpress.com/2015/05/07/announcing-ring-
a-dis...](https://elv13.wordpress.com/2015/05/07/announcing-ring-a-
distributed-and-secure-multimedia-communication-platform/)

(I am one of the developer, ask me anything)

EDIT: There is screenshots on that page

~~~
madez
As I asked in my direct comment on this submission:

What are the advantages compared to Tox?

I see one advantage of Tox compared to Jitsi. Account management is
decentralized on Tox and federated on the protocols Jitsi supports.

Are there plans to support Tox as a backend?

~~~
Elv13
As of now we have no plan to support Tox. We initially evaluated this and
decided against. Ring is based on open standards such as SIP (rfc3261),
TLSv1.2 (rfc5246), SRTP (rfc3711), vCards (rfc6350) and many more.

We are also inter-operable with existing SIP infrastructure such as corporate
phone system and classical phone provider with optional SIP accounts. We will
continue to be as standard compliant as we can rather than create/support yet
another custom communication protocol. What Ring bring to this existing mesh
of technologies is the ability to connect people using a decentralized peer-
to-peer network.

~~~
madez
Support for non-obsolete and secure standardized protocols seems to me to be a
good thing.

    
    
        As of now we have no plan to support Tox. We initially evaluated
        this and decided against.
    

I'm rather interested in the reasons of this decision.

    
    
        Ring is based on open standards (...).
    

Tox is open as well.

However, I see a difference between the protocols you've given and Tox: Tox is
not standardized.

    
    
        What Ring bring to this existing mesh of technologies is the
        ability to connect people using a decentralized peer-to-peer network.
    

This technology for peer-to-peer discovery is also not standardized, I assume.

So, why creating your own protocol instead of using Tox for this?

~~~
Elv13
> This technology for peer-to-peer discovery is also not standardized, I
> assume.

DHT has been used in the wild for more than a decade now, it is very well
understood. SIP over DHT idea has also been studied[1] academically for a long
period of time, even if it was never really implemented in commercial
products. Finally, our P2P "protocol" is still using the standards mentioned
above for cryptographic identity and other negotiation details, so there is
very little that isn't fully standard.

[1] Example:
[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.183...](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.183.4313&rep=rep1&type=pdf)
(not used for the current Ring implementation)

~~~
madez

        DHT has been used in the wild for more than a decade now,
        it is very well understood.
    

Tox also uses DHT for contact discovery [1].

Does Ring support communication without having to register any type of account
on any third-party server?

[1]:
[https://jenkins.libtoxcore.so/job/Technical_Report/lastSucce...](https://jenkins.libtoxcore.so/job/Technical_Report/lastSuccessfulBuild/artifact/tox.pdf/)

~~~
Elv13
No server account are required, it is what DHT is for. However, if you do have
a server SIP account, we also support them. This is all about interoperability
with existing infrastructure.

~~~
madez
I see value in the support of server accounts.

However, the DHT-based account-less p2p part seems to redoing work Tox has
done.

Why not use their efforts and experience? They offer their core separately and
Ring could be a client for it.

~~~
Elv13
That would duplicate most of our code and we chose not to do so. We currently
have an unified architecture that handle both existing sip infrastructure and
the distributed one. The distributed part is less or more done, it isn't a big
part of the code (about 4% according to a quick rexgex) compared to SIP. We
currently use an open network model, but will switch to a closed one based on
the cryptographic chain of trust in the coming weeks. That about all there is
to it, everything else is SIP/ICE/UPnP/TLS/RTP.

~~~
Elv13
> You wouldn't have had to write that code if using Tox were chosen in the
> first place.

First of all, it is important to understand that Ring is based on SFLphone.
Our team have over 10 years of experience (and code) working with the existing
SIP infrastructure. Have an inter-operable SIP based decentralized network is
really the whole point of doing what we do.

> Can you give more details on this? (please note that this section talk about
> features in development, it can still change)

The classical phone network is an open system. Everybody call call everybody,
some for emails. This can cause some issues, such as tele-marketing and scam
(+ spam, called "SPIT" in the VoIP community). Some other IM networks (MSN
messenger, Skype, in fact, most of them) use the opposite. You can only open
communication with people who are whitelisted. Traditional SPAM methods are
mostly useless on most VoIP media such as voice and images as there is no
"ahead of time" processing (everything is RTC). A distributed server-less
network also cannot ban accounts, there is none. With IPv6, an IP based
blocklist is also impossible.

There is a bunch of ways to fix those issues. One is to build a validation
network be asking the peers you currently trust to validate new persons. The
downside of this is some serious anonymity issues. You basically tell the
world who is calling you. The second option is to use a chain of trust. There
is multiple ways this can be implemented. First, it can be done on the DHT
itself. You only talk to nodes that are signed by a certificate authority you
whitelisted and use TLS revocation and other protocol features to manage a
pseudo-clean distributed closed-network from which intruders are banned. The
second way is to use the full "global" DHT, but only allow calls signed by a
trusted authority. For example, this allow a small startup to sign a bunch of
certificates, place them on the DHT and let employees call each other. This
network will be about as insulated from unwanted external calls as a private
SIP server.

Obviously, those 3 strategies are complementary and can be combined to
eliminate SPIT and to a certain extent third party meta-data collection.

~~~
Elv13
In all honesty, the decision was taken by the project sponsor and is final. We
built this
[https://github.com/savoirfairelinux/opendht](https://github.com/savoirfairelinux/opendht)
and it is already used by some other projects distributed outside of Savoir-
faire Linux. So far things look well for OpenDHT so I don't think Savoir-faire
Linux will change its mind of the decision at this point. I know you think
this is a duplicated effort, but it might not be as true as you think. I
respect and understand your frustration, but the decision is final.

However, do you have a link about the Tox 4chan DOS? A quick Google search
failed to turn interesting results.

~~~
madez

        the decision is final
    

I think here is a misunderstanding. First, if you feel offended, then please
note that I didn't mean to. Second, what decision are you talking about?

You stated that the technology used by Ring to combat unwanted communication
is still not finalized. I asked you

    
    
        How about talking with them about the problem to join efforts?
    

I'm not asking you to throw away all what you've done in the area of DHT-based
p2p communication and to start to use Tox. However, how about talking to them,
since they fought the same battle? Maybe they have valuable ideas or
experiences. Or you might help them with your ideas.

    
    
        However, do you have a link about the Tox 4chan DOS?
    

I have no interesting link available. I'd suggest to take a look at their
nospam ID's or to ask them.

On a more general note, I think defining some decision as final to silence
criticism is deeply harmful. You might want to consider that.

Thank you for your information.

~~~
Elv13
I am sorry if my message caused misunderstanding. In no way am I trying to
silence criticism. You must understand, we had this discussion last year and
choose to go our way willingly. We are aware Tox exist and everything. While
you may see this as NiH syndrome (and you may be partially right), we chose to
write a base DHT library, of which few exist open source one exist on the
market right now, and go from there. We have been working for quite some time
on this are are happy with the current state of affair. It is just that it is
getting late and this discussion start to feel like "Microsoft should use
WebKit". In no way I wish to sound offending or anything. It is simply that in
the end, we are way too far down the path we willingly took to start re-
architecturing everything. I agree that we share some objective with Tox. I
also think that competition is a good thing. While communication network are
sometime seen as natural monopolies, but it has been proved over and over
again that they are not.

~~~
madez
I really appreciate your honesty.

    
    
        this discussion start to feel like "Microsoft should use WebKit".
    

I'm not asking you to use Tox, but to look at what they are doing and to talk
to them. Microsoft is for sure looking at what WebKit is doing.

Yes, competition is a good thing. But you should also learn from your
competition, right?

Thank you.

------
JoachimS
Fairly thin on description on what it actually is. But according to the
botttom of the page this is SFLphone:

[http://en.wikipedia.org/wiki/SFLphone](http://en.wikipedia.org/wiki/SFLphone)

~~~
leni536
Seems to be the case:

[https://projects.savoirfairelinux.com/projects/ring/wiki](https://projects.savoirfairelinux.com/projects/ring/wiki)

However the interesting part is the new decentralized "DHT calls". I wonder
how well it works.

------
unicornporn
There's a fair amount of criticism brought up here, but I'd like to say that
there are bunch of things that looks very promising, at least in the OS X
version. Lots of software like this sucks terribly from a usability
perspective, but here you have a nice web page (yeah, you need screenshots), a
beautiful icon and a usable GUI.

What I'd REALLY like to see is a way to share one or multiple folders of files
with my private darknet. If that's possible or not with the technology you
use, I don't know. I've been missing a WASTE[1] like communication tool for as
long as I can remember.

I guess one of your "competitors" will be Tox. But going to
[https://tox.im/](https://tox.im/) I still can't just download a client
without going to a messy wiki and get nightly binaries. How many casual users
know what a binary is?

[1] [https://en.wikipedia.org/wiki/WASTE](https://en.wikipedia.org/wiki/WASTE)

------
mrmondo
First time I've seen anything on .cx since 'the goat', interesting choice of
domain.

~~~
krrrh
Years ago the Christmas Island registry used to give away free domain
registration for open source projects. it used to be really common for
projects like this one.

------
mtrn
Pity, I get a 403 on [http://gpl.savoirfairelinux.net/ring-
download/mac_osx/ring-n...](http://gpl.savoirfairelinux.net/ring-
download/mac_osx/ring-nightly.dmg).

~~~
PipoloyJo
Hey, I'm the main developper on the Ring OSX client. I've just confirmed the
issue and it's been fixed.

Thanks for your input. We are in alpha release and the website is also a work
in progress.

~~~
mtrn
Thanks!

------
madez
What are the advantages compared to tox?

~~~
dublinben
Or Jitsi. There are plenty of "secure and decentralized" free software
options. Most people just don't use them.

~~~
madez
For account management, Tox offers complete decentralization while Jitsi uses
federation.

------
mironathetin
The download link for Mac does not work for me. Tried this instead:

[http://gpl.savoirfairelinux.net/ring-
download/](http://gpl.savoirfairelinux.net/ring-download/)

Choose a directory from here.

~~~
ssalenik
The link on the website should work now: [http://ring.cx/en/documentation/mac-
osx-installation](http://ring.cx/en/documentation/mac-osx-installation)

------
Zaphot
You don't have permission to access /ring-download/mac_osx/ring-nightly.dmg on
this server.

Lol

~~~
ssalenik
Should be fixed now.

------
fulafel
Why not use a memory safe language?

It looks like this is a real christmas tree of protocol implementations in
C/C++ facing the network.

------
mdumic
Seems legit.

------
jharig23
I tried the windows version. It hung after I entered a username.

------
staticelf
I unfortuantely didn't understand what this was.

