s.k. wrote: RuneAudio stays highly competitive
Yeah I still prefer the RuneAudio UI in comparison with the alternatives (Volumio, Moode, ...).
But a big worry is the lack of security updates. The official downloads include by now very old Arch versions with known vulnerabilities in wifi and bluetooth, use outdated versions of SSL and so on. Yet there is no warning about that on the download pages or installation instructions. The first forum posts for later versions (0.4 beta and 0.5 beta) do not say if they include those and other patches or instruct users on how to patch the system.
From a security POV there are only two acceptable paths forward IMHO: either
1. stick with releasing a whole custom OS image (Arch or some other distro) but then take on the responsibility to release timely updates that patch new vulnerabilities also in the bundled networking code that lies outside of RuneAudio itself. Or
2. switch to using a vanilla OS distribution (Raspbian?) and refactor RuneAudio to install as a package. Users would then install and update the OS including all the packages for networking, security and so on in the standard way. As soon as for example a wifi patch is released users can apply it without having to worry that it destroys their whole RuneAudio setup. They separately install and update RuneAudio through the package manager or through a UI button that performs a git pull in the background.
While approach 1 can seem easier for newcomers (just download this one image and write it to an SD card!) approach 2 seems over time much easier for users who don't want a device making their whole LAN vulnerable.
I don't know if in 2018 there is some under-the-hood reason that makes approach 2 impossible for these kinds of music boxes (custom changes to lower levels of the OS are necessary?). It would be interesting to hear more about that. But perhaps I should make a separate thread about that.