Open Sourcing the Casa Node
In order to improve security for Casa customers we plan to open source as much of our trust-critical code as possible.
As a first big step, today we are open sourcing the code for the Casa Node. We are also announcing the first parts of a responsible disclosure and bug bounty program.
Also, we recognize that certain types of code (interpreted rather than compiled) are easily copyable by users with minimal technical skills, so it doesn’t make sense to keep the repositories for that code closed. Information wants to be free, so we might as well lend it a helping hand.
There are a wide variety of roles that open-source projects can assume; Casa is not currently trying to build an open source project that has the potential to take on a life of its own and supersede us as an organization. Rather, we aim to provide a product that is user friendly, reputable, and secure. We believe that making the Casa Node code publicly available will result in a more robust and trustworthy platform, thus fueling faster adoption.
We are pleased to announce open sourcing of the following repositories that are used by Casa Nodes:
- Casa Node API — the middleware that provides an interface between the web dashboard and the crypto network nodes running on the device.
- Casa Node Dashboard — the web application with which users interact to manage their Casa Node.
- Casa Node Manager — responsible for configuring and launching docker instances to run the various services on the device.
- Casa Node Updater — the software responsible for managing updates for the rest of the Casa software running on the device.
We are happy to have people reuse, extend, and improve the code. As such, the Casa Node repositories will be released under the extremely permissive MIT License.
While the code is open-sourced, the Casa name, Casa logo and other corporate marks will of course remain copyright of Casa Inc.
Note that most development will not occur directly in these public repositories for several reasons:
- So that we can build features privately and announce them when ready.
- Some commits may not be feature complete.
- Some commits may contain information that is not for public consumption, including the identities of the developers.
We maintain several private branches for each code repository:
- develop — Active development occurs on this branch.
- release_<version> — Development for bug fixes happens here. We also bump versions and update the changelog on this branch.
- master — We merge commits from a given release branch into master once it’s ready for deployment.
The public open source repositories will only have one long-lived branch — master. When a release is ready, we’ll squash all of the commits on the private master branch and perform a single “release” merge commit into the public master branch, then we'll tag it with the release version.
As a result, the development flow will look something like this:
Note that pull requests to the public repositories are welcome! We are excited to begin collaborating more with open source contributors and also to enable others to learn from our work.
Our continuous integration system will notice when a new version has been tagged on the public repository, and it will run docker image builds (for ARM and x86 CPU architectures) from it. These docker images will be pushed to our public Docker Hub account, which will then be seen by the Updater service that is running on any currently operating nodes. That service will prompt the user via a dashboard notification that a new update is available, and provide a link to the changelog.
(Coming soon) Casa Node operators will be able to verify the code that their node is running by inspecting the git checkout inside of a running container. So, for example, if you wish to verify the Casa Dashboard code:
docker exec -it dashboard bash
Copy the recent commit hash and search for it in the Dashboard repository.
This will be possible once we update our build process to create git checkouts of the new open source repositories rather than simply copying the source files.
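The check described above can be scripted rather than done by copy and search. The following is an added example, not Casa's code: it resolves a release tag from `git ls-remote --tags` output and compares it with the commit a container reports. It assumes git is installed in the container and that the container's working directory is the checkout; `REPO_URL`, `TAG`, the tag names and the hashes are placeholders constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `git ls-remote --tags` output (real output is tab-separated).
SAMPLE_COMMIT=0123456789abcdef0123456789abcdef01234567
SAMPLE_TAGOBJ=89abcdef0123456789abcdef0123456789abcdef
SAMPLE_REFS="fedcba9876543210fedcba9876543210fedcba98 refs/tags/v1.0.0
$SAMPLE_TAGOBJ refs/tags/v1.1.0
$SAMPLE_COMMIT refs/tags/v1.1.0^{}"

# resolve_tag TAG: read ls-remote output on stdin and print the commit TAG
# points to. An annotated tag is listed twice: the plain line holds the tag
# object's hash, the "^{}" line holds the commit, so the peeled line wins.
resolve_tag() {
  awk -v tag="$1" '
    $2 == ("refs/tags/" tag "^{}") { peeled = $1 }
    $2 == ("refs/tags/" tag)       { plain = $1 }
    END {
      if (peeled != "")     { print peeled }
      else if (plain != "") { print plain }
      else                  { exit 1 }
    }'
}

# verify_commit HEAD TAG: stdin is ls-remote output.
# Returns 0 on match, 1 on mismatch, 2 when an input is unusable.
verify_commit() {
  case "$1" in
    ""|*[!0-9a-f]*) echo "container HEAD is not a commit hash: '$1'" >&2; return 2 ;;
  esac
  expected=$(resolve_tag "$2") || { echo "tag $2 not found" >&2; return 2; }
  if [ "$1" = "$expected" ]; then
    echo "MATCH: container is at $2 ($expected)"
  else
    echo "MISMATCH: container reports $1, tag $2 is $expected" >&2
    return 1
  fi
}

# Live use (placeholders REPO_URL and TAG; "dashboard" is the container name
# used in the text above):
#   head=$(docker exec dashboard git rev-parse HEAD)
#   git ls-remote --tags "$REPO_URL" | verify_commit "$head" "$TAG"

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_REFS" | verify_commit "$SAMPLE_COMMIT" v1.1.0
```

The hash is read from inside the image, so a match confirms which release the image reports being built from; it does not by itself show that the image contents were built from that commit.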
Responsible Disclosure and Bug Bounty Program
Today we are also announcing a responsible disclosure and bug bounty program. You can read about our responsible disclosure process on our web site.
We will pay out bounties for the responsible disclosure of severe vulnerabilities that threaten a user’s privacy or funds. We’re also setting up a disclosure program on HackerOne that will go live soon.
Building a DIY Node
If you want to run the Casa Node software on your own hardware, you can run the docker images directly from our Docker Hub account. Note that building your own images from source is not easy. The build process is quite complex and involves several code repositories.
We have designed the Casa Node to be user friendly for people who are running the software on a device, but haven’t spent much time simplifying the build & installation process.
We are currently exploring ways to make it easier to build your own device. Our primary goal for open-sourcing today is for security, but stay tuned for future updates on ways to build a device yourself.
Why Purchase a Casa Node?
If it is possible to use open source code to build a node “for free,” why would you pay to buy one that is preassembled?
Get the best support.
By purchasing a node, you aren’t just buying a hardware device. You’re also paying for troubleshooting help from Casa’s team of experts. While we designed the Casa Node to be as user friendly as possible, there are still plenty of things that can go wrong such as network configuration issues, hardware failures, and software failures with the underlying services.
If you build your own node and something goes wrong, you're on your own.
If you buy from Casa, our support team will work with you 1-on-1 until everything is working perfectly.
Time is money.
Not everyone has the skills or the free time to build the hardware and software required to run a node. While we’re open sourcing all of the software that runs on the device during normal operations, there's a lot of additional QA work in building and validating both the code and the hardware during the manufacturing process. We have a money-back guarantee on our assembly and setup, but we can't guarantee your own process.
Plug-and-play convenience.
There's no command-line use required if you buy direct from Casa. Just plug in the device and load the setup screen in your web browser.
Exclusive products for Casa Node buyers.
Casa Node buyers will get exclusive access to a broader set of new products in 2019. Buying a Casa Node is not just buying a device, it's becoming a part of a community. We're excited to share more details soon!
How to Purchase a Casa Node
If you’d like self-sovereignty in a box, order a Casa Node today!
We’re excited to bring easy Bitcoin & Lightning Network access to everyone!
Follow Casa on Twitter for news on Lightning, key management, and more.