Date: Wed, 16 Jun 2021 01:28:38 -0400 (EDT)
From: Jack Hill
To: Mark H Weaver
Cc: guix-devel@gnu.org, Leo Prikler
Subject: Re: Telemetry on by default kitty
In-Reply-To: <878s3an2uv.fsf@netris.org>

On Tue, 15 Jun 2021, Mark H Weaver wrote:

[…]

> However, I strongly believe that each Guix user should be given the
> opportunity to make that decision for themselves, i.e. that telemetry,
> auto-update checks, and more generally unsolicited network traffic
> should be disabled until the user has given informed consent.
>
> What do other people think?

I'm not sure I have too much to add to the discussion, but since I once submitted a patch to disable this type of telemetry⁰, I support the notion that programs should not generate network traffic unless they are asked to do so. As Mark says, it's more than just the two endpoints that can observe the traffic. Even encrypted traffic provides some information.

Perhaps opting-in can be another use case for parameterized packages. We could have our cake and still allow folks to opt-in without having to tediously configure or modify their packages.

On the note of trusting software authors, for me a lot of it is understanding the development process and analyzing if my interests are aligned with those of the authors. However, that can be a complicated thing. In general, I'm much more trusting of community projects than ones with corporate sponsors. Track record also counts too, so I'm glad that Bone referred us to the upstream discussion. I'll probably spend more of my time looking for problems in future releases of projects like kitty and audacity¹ than more trusted (to me) projects like goffice.

Even if we're not able to catch everything, auditing source can still be useful. I found an information leak in innernet (not packaged for Guix yet) in part because the authors were kind enough to point it out in a comment².

Perhaps auditing/patching is a test that is well suited to combining efforts with folks beyond Guix. That can be either in dedicated projects like Icecat or ungoogled-chromium, or simply by looking at what patches and configuration options other package distributions apply. Of course we can also share anything that we learn.

⁰ https://issues.guix.gnu.org/40360
¹ https://www.theregister.com/2021/05/14/audacity_telemetry/
² https://github.com/tonarino/innernet/blob/46d97831094d04fe3ad802a4bf2ac645e09d568c/publicip/src/lib.rs#L3-L4

Well, I guess I ended up adding more comments than I thought I would. Hope they're helpful!

Jack