Should the default value of url-user-agent include a version number? What about the specific case of package.el?

Should the default value of url-user-agent include a version number? What about the specific case of package.el?

[Clément Pit--Claudel]

[-- Attachment #1.1: Type: text/plain, Size: 5076 bytes --]

Hi emacs-devel,

https://debbugs.gnu.org/cgi/bugreport.cgi?bug=18812 added a url-user-agent setting to Emacs, but it only partly addressed feature request. The original suggestion was:

> The url.el functions for making HTTP requests set the User-Agent header
> to "URL/Emacs" which is not very descriptive. It would be helpful to
> include the Emacs version, at least.

I'm bringing this up again, as I do think it would be useful to have a more informative User-Agent string. The new system is very useful for customization, but it does not address the original issue. The two main advantages that I see for a more informative User-Agent string are these:

* Package archives could work around issues with old versions of package.el (for example, 24.3 is somewhat dependent to the order in which dependencies are listed).
* Package authors could get per-version and possibly per-platform statistics. Backwards compatibility is not always easy, so knowing which Emacs versions your users are on would be very useful, in particular to know when to drop support for an old version.

These use cases were raised in https://github.com/melpa/melpa/issues/3493, in particular. Interestingly, they don't necessarily suggest that we should change url-user-agent; instead, wouldn't it be best for different parts of Emacs to use different user-agent strings? In particular, should eww and package.el really use the same User-Agent string? We could instead introduce separate a package-user-agent variable, and possibly an eww-user-agent variable; this would be in line with what other programs do: it's uncommon to advertise only the library used to access the web (in our case, ‘URL’) in a User-Agent string, instead of the actual User-Agent.

Generally speaking, I would be in favor of always advertising the current Emacs version, and the OS, instead of only advertising it for package.el: this would be in conformance with RFC 7231 (see below), and with what many other browsers do (but fixing this issue by introducing a package-user-agent string would work as well, and might alleviate some concerns that were expressed in the original bug thread). Some expressed privacy concerns about this, but other parts of Emacs already advertise this information fully (Stefan, for example, your emails are tagged with "Gnus/5.13 (Gnus v5.13) Emacs/25.1.50 (gnu/linux)"). Has there been complaints about Gnus doing that?

Are there reasons to prefer a very generic User-Agent string? Do these reasons also apply to a package.el-specific one?

Cheers,
Clément.

> 5.5.3.  User-Agent
>
>    The "User-Agent" header field contains information about the user
>    agent originating the request, which is often used by servers to help
>    identify the scope of reported interoperability problems, to work
>    around or tailor responses to avoid particular user agent
>    limitations, and for analytics regarding browser or operating system
>    use.  A user agent SHOULD send a User-Agent field in each request
>    unless specifically configured not to do so.
>
>      User-Agent = product *( RWS ( product / comment ) )
>
>    The User-Agent field-value consists of one or more product
>    identifiers, each followed by zero or more comments (Section 3.2 of
>    [RFC7230]), which together identify the user agent software and its
>    significant subproducts.  By convention, the product identifiers are
>    listed in decreasing order of their significance for identifying the
>    user agent software.  Each product identifier consists of a name and
>    optional version.
>
>      product         = token ["/" product-version]
>      product-version = token
>
>    A sender SHOULD limit generated product identifiers to what is
>    necessary to identify the product; a sender MUST NOT generate
>    advertising or other nonessential information within the product
>    identifier.  A sender SHOULD NOT generate information in
>    product-version that is not a version identifier (i.e., successive
>    versions of the same product name ought to differ only in the
>    product-version portion of the product identifier).
>
>    Example:
>
>      User-Agent: CERN-LineMode/2.15 libwww/2.17b3
>
>    A user agent SHOULD NOT generate a User-Agent field containing
>    needlessly fine-grained detail and SHOULD limit the addition of
>    subproducts by third parties.  Overly long and detailed User-Agent
>    field values increase request latency and the risk of a user being
>    identified against their wishes ("fingerprinting").
>
>    Likewise, implementations are encouraged not to use the product
>    tokens of other implementations in order to declare compatibility
>    with them, as this circumvents the purpose of the field.  If a user
>    agent masquerades as a different user agent, recipients can assume
>    that the user intentionally desires to see responses tailored for
>    that identified user agent, even if they might not work as well for
>    the actual user agent being used.
>


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: Should the default value of url-user-agent include a version number? What about the specific case of package.el?

[Stefan Monnier]

> (Stefan, for example, your emails are tagged with "Gnus/5.13 (Gnus v5.13)
> Emacs/25.1.50 (gnu/linux)").  Has there been complaints about Gnus
> doing that?

I never liked it, but admittedly, I never complained about it.


        Stefan


PS: I could go along with package.el sending the Emacs version in the
user-agent (tho I don't think the OS info belongs there and AFAIK most
ELPA packages don't care about the OS either).

Re: Should the default value of url-user-agent include a version number? What about the specific case of package.el?

[Sebastian Wiesner]

> Am 24.03.2016 um 20:03 schrieb Stefan Monnier <monnier@iro.umontreal.ca>:
> 
>> (Stefan, for example, your emails are tagged with "Gnus/5.13 (Gnus v5.13)
>> Emacs/25.1.50 (gnu/linux)").  Has there been complaints about Gnus
>> doing that?
> 
> I never liked it, but admittedly, I never complained about it.

May I ask why you do not like this behaviour? What stands against it?

>        Stefan
> 
> 
> PS: I could go along with package.el sending the Emacs version in the
> user-agent (tho I don't think the OS info belongs there and AFAIK most
> ELPA packages don't care about the OS either).

Not many do care, for sure, but to those that do this information is all the more important.

Speaking on behalf of Flycheck we'd love to have statistics about OS distribution among our
users, so much that I thought about adding opt-in Google Analytics tracking to Flycheck for
this purpose.  Currently we have literally no idea what people use and how much effort we 
should put into support for particular systems (Windows specifically), and we have no way to
find out.

Re: Should the default value of url-user-agent include a version number? What about the specific case of package.el?

[Stefan Monnier]

>>> (Stefan, for example, your emails are tagged with "Gnus/5.13 (Gnus v5.13)
>>> Emacs/25.1.50 (gnu/linux)").  Has there been complaints about Gnus
>>> doing that?
>> I never liked it, but admittedly, I never complained about it.
> May I ask why you do not like this behaviour? What stands against it?

That's just a leak of private information.
Of course, when compared to the crapload of private info most systems
send out at any opportunity nowadays, this is very minor, obviously.


        Stefan

Re: Should the default value of url-user-agent include a version number? What about the specific case of package.el?

[Lars Magne Ingebrigtsen]

Stefan Monnier <monnier@iro.umontreal.ca> writes:

>> (Stefan, for example, your emails are tagged with "Gnus/5.13 (Gnus v5.13)
>> Emacs/25.1.50 (gnu/linux)").  Has there been complaints about Gnus
>> doing that?
>
> I never liked it, but admittedly, I never complained about it.

Well, in emails you also have the From header (etc), so the added
privacy of not having a User-Agent string is pretty slim.

When talking to web servers, things are very different.

-- 
(domestic pets only, the antidote for overdose, milk.)
   bloggy blog: http://lars.ingebrigtsen.no

Re: Should the default value of url-user-agent include a version number? What about the specific case of package.el?

[Stefan Monnier]

> Well, in emails you also have the From header (etc), so the added

Don't get me started on this one.


        Stefan

Re: Should the default value of url-user-agent include a version number? What about the specific case of package.el?

[Clément Pit--Claudel]

[-- Attachment #1.1: Type: text/plain, Size: 779 bytes --]

On 03/24/2016 03:03 PM, Stefan Monnier wrote:
> PS: I could go along with package.el sending the Emacs version in the
> user-agent (tho I don't think the OS info belongs there and AFAIK most
> ELPA packages don't care about the OS either).

Thanks for your reply, Stefan :)

OS info would be useful too, I think. I spent a very significant amount of time last January tracking down a bug affecting Flycheck (which, thanks to Eli's incredible efficiency, was solved in no time after I reported it; thanks Eli!). Having data on how many people were likely to be affected by this bug would have been very useful in knowing whether the effort was worth it; especially as it prevented me from working on features that would have benefited users of free operating systems.



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: Should the default value of url-user-agent include a version number? What about the specific case of package.el?

[Clément Pit--Claudel]

[-- Attachment #1.1: Type: text/plain, Size: 1007 bytes --]

On 03/24/2016 04:42 PM, Lars Magne Ingebrigtsen wrote:
> Stefan Monnier <monnier@iro.umontreal.ca> writes:
> 
>>> (Stefan, for example, your emails are tagged with "Gnus/5.13 (Gnus v5.13)
>>> Emacs/25.1.50 (gnu/linux)").  Has there been complaints about Gnus
>>> doing that?
>>
>> I never liked it, but admittedly, I never complained about it.
> 
> Well, in emails you also have the From header (etc), so the added
> privacy of not having a User-Agent string is pretty slim.

Not that slim :) For example, your User-Agent string tells me that you're using Emacs' master branch instead of emacs-25 ;)

> When talking to web servers, things are very different.

Indeed, and the spec suggests that we should include an Emacs version number there. Plus, we already include a lot more information when asking people to send bug reports; the same information, though of course with much less details, would be useful to get a clearer picture of the user base of a package.

Cheers,
Clément.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: Should the default value of url-user-agent include a version number? What about the specific case of package.el?

[Clément Pit--Claudel]

[-- Attachment #1.1: Type: text/plain, Size: 166 bytes --]

On 03/24/2016 04:47 PM, Stefan Monnier wrote:
>> Well, in emails you also have the From header (etc), so the added
> 
> Don't get me started on this one.

:)


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: Should the default value of url-user-agent include a version number? What about the specific case of package.el?

[Sebastian Wiesner]

Am 24.03.2016 um 21:36 schrieb Stefan Monnier <monnier@iro.umontreal.ca>:
> 
>>>> (Stefan, for example, your emails are tagged with "Gnus/5.13 (Gnus v5.13)
>>>> Emacs/25.1.50 (gnu/linux)").  Has there been complaints about Gnus
>>>> doing that?
>>> I never liked it, but admittedly, I never complained about it.
>> May I ask why you do not like this behaviour? What stands against it?
> 
> That's just a leak of private information.

I must admit that I find it hard to agree.  I do not see how the OS, or the Emacs version, or 
the combination of both could be used to identify you as a person.  But if the can't, why
would you consider this information private?  And even if it could, doesn't it pale beside
the information that is necessarily send to the archive (e.g. your IP, a partial list of
the packages you're using, etc.)?

I think that our desire as package maintainers to learn how and where their packages are
used is legitimate.  It helps us to direct our efforts and our time to those enviroments
that matter and to make informed choices about what degree of backwards compatibility we
should offer.  In the absence of any concrete risk, I tend to value our desire higher 
than the interest of users to keep data private that can only be used for anonymous usage 
statistics.

Now, I understand that I'm biased, and that your priorities may be fundamentally different
from mine.  But I believe that the availability of some halfway solid statistics would
improve our ability to make informed decisions about our packages.

Re: Should the default value of url-user-agent include a version number? What about the specific case of package.el?

[Stefan Monnier]

>>>> I never liked it, but admittedly, I never complained about it.
>>> May I ask why you do not like this behaviour? What stands against it?
>> That's just a leak of private information.
> I must admit that I find it hard to agree.  I do not see how the OS,
> or the Emacs version, or  the combination of both could be used to
> identify you as a person.

Your medical records are considered private information, not because
they would allow someone to identify you, but because they say things
about you which not everyone should know.

> And even if it could, doesn't it pale beside the information that is
> necessarily send to the archive (e.g. your IP, a partial list of the
> packages you're using, etc.)?

AFAIK we don't send a partial list of the packages we're using.

> I think that our desire as package maintainers to learn how and where
> their packages are used is legitimate.

Of course.  But being legitimate doesn't trump other concerns.  It has
to be weighed against the consequences.


        Stefan

Re: Should the default value of url-user-agent include a version number? What about the specific case of package.el?

[Clément Pit--Claudel]

[-- Attachment #1.1: Type: text/plain, Size: 375 bytes --]

On 03/24/2016 05:27 PM, Stefan Monnier wrote:
> Your medical records are considered private information, not because
> they would allow someone to identify you, but because they say things
> about you which not everyone should know.

Note that anonymized medical records are generally not considered private; only sensitive. See e.g. the MIMIC2 database.

Clément.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: Should the default value of url-user-agent include a version number? What about the specific case of package.el?

[Steve Purcell]

As a MELPA maintainer, I'd be very keen to be able to provide users and
package authors with package downloads stats broken down by emacs
version and/or platform.

I don't personally see any tangible privacy concerns with this proposal;
it would be fine for this specific use case to set a more informative
User-Agent header only for requests initiated by package.el if that's an
issue.

Re: Should the default value of url-user-agent include a version number? What about the specific case of package.el?

[John Wiegley]

>>>>> Sebastian Wiesner <swiesner@lunaryorn.com> writes:

> I must admit that I find it hard to agree. I do not see how the OS, or the
> Emacs version, or the combination of both could be used to identify you as a
> person. But if the can't, why would you consider this information private?

One might not want RMS to know they're using OS X, for example? :)  Oops!!

-- 
John Wiegley                  GPG fingerprint = 4710 CF98 AF9B 327B B80F
http://newartisans.com                          60E1 46C4 BD1A 7AC1 4BA2

Re: Should the default value of url-user-agent include a version number? What about the specific case of package.el?

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

I think url should do what IceCat does: send a user-agent string that
is widely encountered on the net, to thwart identification of users.

-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.

Re: Should the default value of url-user-agent include a version number? What about the specific case of package.el?

[Clément Pit--Claudel]

[-- Attachment #1.1: Type: text/plain, Size: 724 bytes --]

On 04/04/2016 03:26 PM, Richard Stallman wrote:
> I think url should do what IceCat does: send a user-agent string that
> is widely encountered on the net, to thwart identification of users.

Does it really do that? Where is it documented?
On my machine, it seems to consistently send "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0".

In any case, I don't think this point is relevant to the package.el part of this discussion. It's trivial for GNU ELPA and GNU MELPA to track their users: they can just serve arbitrary code that Emacs will blindly run. Thus, if you don't trust them enough to send them your version of Emacs, then you probably shouldn't be talking to them in the first place.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: Should the default value of url-user-agent include a version number? What about the specific case of package.el?

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > > I think url should do what IceCat does: send a user-agent string that
  > > is widely encountered on the net, to thwart identification of users.

  > Does it really do that? Where is it documented?
  > On my machine, it seems to consistently send "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0".

It is not clear which one you are talking about.  Are you talking
about IceCat?  If so, yes, that user-agent string is designed to equal
what many other machines on the net actually send.

  > In any case, I don't think this point is relevant to the package.el part of this discussion.

Isn't url-user-agent used for ALL sites?  If so, the question of what to use
is not part of a package.el discussion.

-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.

Re: Should the default value of url-user-agent include a version number? What about the specific case of package.el?

[Clément Pit--Claudel]

[-- Attachment #1.1: Type: text/plain, Size: 1062 bytes --]

On 04/05/2016 03:53 PM, Richard Stallman wrote:
> It is not clear which one you are talking about.  Are you talking 
> about IceCat?  If so, yes, that user-agent string is designed to
> equal what many other machines on the net actually send.

I meant IceCat. It sends its precise version, and it reveals that I'm using Firefox. 

>> In any case, I don't think this point is relevant to the package.el
>> part of this discussion.
> 
> Isn't url-user-agent used for ALL sites? If so, the question of what
> to use is not part of a package.el discussion.

Sorry, I don't understand your message. Part of this thread is about using a different user-agent string for package.el. Here is an excerpt from my original message:

>>> ... instead, wouldn't it be best for different parts of
>>> Emacs to use different user-agent strings? In particular, should eww
>>> and package.el really use the same User-Agent string? We could
>>> instead introduce separate a package-user-agent variable, and
>>> possibly an eww-user-agent variable

Clément.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: Should the default value of url-user-agent include a version number? What about the specific case of package.el?

[Clément Pit--Claudel]

[-- Attachment #1.1: Type: text/plain, Size: 441 bytes --]

On 04/05/2016 04:20 PM, Clément Pit--Claudel wrote:
> On 04/05/2016 03:53 PM, Richard Stallman wrote:
>> It is not clear which one you are talking about.  Are you talking 
>> about IceCat?  If so, yes, that user-agent string is designed to
>> equal what many other machines on the net actually send.
> 
> I meant IceCat. It sends its precise version, and it reveals that I'm using Firefox.

(I should say "a Firefox derivative")


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: Should the default value of url-user-agent include a version number? What about the specific case of package.el?

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > I meant IceCat. It sends its precise version, and it reveals that I'm using Firefox. 

Are you sure?  I don't think so.  I think that string is entirely made up.
That is what Ruben told me.

I am sorry if I misunderstood the context of this.

-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.

Re: Should the default value of url-user-agent include a version number? What about the specific case of package.el?

[Clément Pit--Claudel]

[-- Attachment #1.1: Type: text/plain, Size: 1145 bytes --]

On 04/06/2016 12:56 AM, Richard Stallman wrote:
> [[[ To any NSA and FBI agents reading my email: please consider    ]]]
> [[[ whether defending the US Constitution against all enemies,     ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
> 
>   > I meant IceCat. It sends its precise version, and it reveals that I'm using Firefox. 
> 
> Are you sure?  I don't think so.  I think that string is entirely made up.
> That is what Ruben told me.

I was wrong to say precise version; it seems that it sends its major version only :) 

Icecat 31 sends this:
  Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
Icecat 38 sends this:
  Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0

Additionally, IceCat of course leaks the fact that you're using LibreJS, which probably goes a long way towards identifying IceCat. I wonder if profiling the list of websites that SpyBlock is blocking would give further information. If that's not enough, differences in behaviour between successive versions of LibreJs can probably help in pinpointing a precise version.

Clément.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: Should the default value of url-user-agent include a version number? What about the specific case of package.el?

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > Additionally, IceCat of course leaks the fact that you're using
  > LibreJS, which probably goes a long way towards identifying
  > IceCat.

There is no help for that.  We have to block the nonfree software.

   > I wonder if profiling the list of websites that SpyBlock is
   > blocking would give further information.

Who knows?  But, once again, we have to block these forms of surveillance.

What is your purpose in mentioning these points?  What constructive
question do they relate to?

   > If that's not enough, differences in behaviour between successive
   > versions of LibreJs can probably help in pinpointing a precise
   > version.

I doubt any surveillance companies want to go to so much trouble
specifically about LibreJS.

-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.

Re: Should the default value of url-user-agent include a version number? What about the specific case of package.el?

[Clément Pit--Claudel]

[-- Attachment #1.1: Type: text/plain, Size: 533 bytes --]

On 04/06/2016 11:23 PM, Richard Stallman wrote:
> What is your purpose in mentioning these points?  What constructive
> question do they relate to?

Sorry if this didn't sound constructive. You wrote:

> I think url should do what IceCat does: send a user-agent string that
> is widely encountered on the net, to thwart identification of users.

So I pointed out that IceCat is probably one of the most easily identifiable browsers out there. In any case, this is probably a discussion for emacs-tangents :)

Clément.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: Should the default value of url-user-agent include a version number? What about the specific case of package.el?

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > Sorry if this didn't sound constructive. You wrote:

  > > I think url should do what IceCat does: send a user-agent string that
  > > is widely encountered on the net, to thwart identification of users.

  > So I pointed out that IceCat is probably one of the most easily
  > identifiable browsers out there.

That was changing the subject.  If IceCat's necessary features provide
a possible way to identify it, that is regretable, but it is a side
issue.

Emacs browsers should send user-agent strings that disguise them
as commonly used browsers.

-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.

Re: Should the default value of url-user-agent include a version number? What about the specific case of package.el?

[Vibhav Pant]

ERC exposes emacs' version number in quit messages already:
           "(Quit: ERC (IRC client for Emacs 25.0.50.3))"
So I don't see why there should be an exception for url.

On Fri, Mar 25, 2016 at 4:47 AM, Steve Purcell <steve@sanityinc.com> wrote:
> As a MELPA maintainer, I'd be very keen to be able to provide users and
> package authors with package downloads stats broken down by emacs
> version and/or platform.

That could also be done with adding a `X-Emacs-Version` header to HTTP
requests made to package repositories, if we still don't want to
expose the user
agent.

On Fri, Mar 25, 2016 at 4:47 AM, Steve Purcell <steve@sanityinc.com> wrote:
> As a MELPA maintainer, I'd be very keen to be able to provide users and
> package authors with package downloads stats broken down by emacs
> version and/or platform.
>
> I don't personally see any tangible privacy concerns with this proposal;
> it would be fine for this specific use case to set a more informative
> User-Agent header only for requests initiated by package.el if that's an
> issue.
>



-- 
Vibhav Pant
vibhavp@gmail.com

Re: Should the default value of url-user-agent include a version number? What about the specific case of package.el?

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > ERC exposes emacs' version number in quit messages already:
  >            "(Quit: ERC (IRC client for Emacs 25.0.50.3))"
  > So I don't see why there should be an exception for url.

IRC and web browsing are different activities and raise different
issues regarding surveillance.  There is no reason to insist a priori
on treating them alike.

-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.

Re: Should the default value of url-user-agent include a version number? What about the specific case of package.el?

[Clément Pit--Claudel]

[-- Attachment #1.1: Type: text/plain, Size: 458 bytes --]

On 04/10/2016 03:01 PM, Richard Stallman wrote:
> IRC and web browsing are different activities and raise different
> issues regarding surveillance.  There is no reason to insist a priori
> on treating them alike.

Similarly, package retrieval and web browsing are different activities and raise different issues; hence my question about the specific case of package.el.

Richard, are you familiar with the url-privacy-level variable?

Clément.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: Should the default value of url-user-agent include a version number? What about the specific case of package.el?

[Richard Stallman]

[[[ To any NSA and FBI agents reading my email: please consider    ]]]
[[[ whether defending the US Constitution against all enemies,     ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]

  > Similarly, package retrieval and web browsing are different
  > activities and raise different issues; hence my question about the
  > specific case of package.el.

You're right.  I'm sorry I had not noticed that distinction.

  > Richard, are you familiar with the url-privacy-level variable?

No.

Looking at it just now, I think the current default does not
protect privacy enough.


-- 
Dr Richard Stallman
President, Free Software Foundation (gnu.org, fsf.org)
Internet Hall-of-Famer (internethalloffame.org)
Skype: No way! See stallman.org/skype.html.