guix-devel

Re: Telemetry on by default kitty


From: Jack Hill
Subject: Re: Telemetry on by default kitty
Date: Wed, 16 Jun 2021 01:28:38 -0400 (EDT)
User-agent: Alpine 2.21 (DEB 202 2017-01-01)

On Tue, 15 Jun 2021, Mark H Weaver wrote:

> […]
>
> However, I strongly believe that each Guix user should be given the
> opportunity to make that decision for themselves, i.e. that telemetry,
> auto-update checks, and more generally unsolicited network traffic
> should be disabled until the user has given informed consent.
>
> What do other people think?

I'm not sure I have too much to add to the discussion, but since I once submitted a patch to disable this type of telemetry⁰, I support the notion that programs should not generate network traffic unless they are asked to do so. As Mark says, it's more than just the two endpoints that can observe the traffic. Even encrypted traffic provides some information.

Perhaps opting-in can be another use case for parameterized packages. We could have our cake and still allow folks to opt-in without having to tediously configure or modify their packages.

On the note of trusting software authors, for me a lot of it is understanding the development process and analyzing if my interests are aligned with those of the authors. However, that can be a complicated thing. In general, I'm much more trusting of community projects than ones with corporate sponsors. Track record also counts too, so I'm glad that Bone referred us to the upstream discussion. I'll probably spend more of my time looking for problems in future releases of projects like kitty and audacity¹ than more trusted (to me) projects like goffice.

Even if we're not able to catch everything, auditing source can still be useful. I found an information leak in innernet (not packaged for Guix yet) in part because the authors were kind enough to point it out in a comment². Perhaps auditing/patching is a test that is well suited to combining efforts with folks beyond Guix. That can be either in dedicated projects like Icecat or ungoogled-chromium, or simply by looking at what patches and configuration options other package distributions apply. Of course we can also share anything that we learn.

⁰ https://issues.guix.gnu.org/40360
¹ https://www.theregister.com/2021/05/14/audacity_telemetry/
² https://github.com/tonarino/innernet/blob/46d97831094d04fe3ad802a4bf2ac645e09d568c/publicip/src/lib.rs#L3-L4

Well, I guess I ended up adding more comments than I thought I would. Hope they're helpful!

Jack
