Your message dated Tue, 20 Dec 2011 18:02:45 +0100
with message-id <[email protected]>
and subject line Re: Bug#640024: phones home
has caused the Debian Bug report #640024,
regarding phones home
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
640024: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640024
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: calibre
Severity: normal
Tag: security
LWN noticed that calibre phones home on startup.
http://lwn.net/Articles/456504/
Here is the relevant code:
URL = 'http://status.calibre-ebook.com/latest'
NO_CALIBRE_UPDATE = '-0.0.0'
VSEP = '|'
def get_newest_version():
br = browser()
req = mechanize.Request(URL)
req.add_header('CALIBRE_VERSION', __version__)
req.add_header('CALIBRE_OS',
'win' if iswindows else 'osx' if isosx else 'oth')
req.add_header('CALIBRE_INSTALL_UUID', prefs['installation_uuid'])
version = br.open(req).read().strip()
return version
Auto-updating is of dubious value on Debian. But more importantly,
this is a privacy violation involving a UUID that is specific to
a given machine being posted (in the clear even) to a remote server
whenever a user uses a program.
--
see shy jo
signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
Hello Joey,
Joey Hess [2011-09-01 12:00 -0400]:
> def get_newest_version():
> br = browser()
> req = mechanize.Request(URL)
> req.add_header('CALIBRE_VERSION', __version__)
> req.add_header('CALIBRE_OS',
> 'win' if iswindows else 'osx' if isosx else 'oth')
> req.add_header('CALIBRE_INSTALL_UUID', prefs['installation_uuid'])
> version = br.open(req).read().strip()
> return version
>
> Auto-updating is of dubious value on Debian. But more importantly,
> this is a privacy violation involving a UUID that is specific to
> a given machine being posted (in the clear even) to a remote server
> whenever a user uses a program.
Sorry about the late response, I wanted to respond back then but
apparently this got lost somewhere between my brain and my MTA.
The Debian packages have the auto-update functionality disabled (by
default anyway, you can explicitly call it with calibre
--update-check, but then YAFIYGI). Of course the auto-update would not
actually work, as the package is installed system-wide and the user
can't change it. Above code path with get_newest_version() is never
reached with debian/patches/no_updates_dialog.patch.
So this has never been a real issue, closing the bug.
Thanks, and enjoy the end-of-year holidays!
Martin
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
signature.asc
Description: Digital signature
--- End Message ---