On Tue, 15 Jun 2021, Mark H Weaver wrote:
> […]
> However, I strongly believe that each Guix user should be given the
> opportunity to make that decision for themselves, i.e. that telemetry,
> auto-update checks, and more generally unsolicited network traffic
> should be disabled until the user has given informed consent.
> What do other people think?

I'm not sure I have too much to add to the discussion, but since I once
submitted a patch to disable this type of telemetry⁰, I support the notion
that programs should not generate network traffic unless they are asked to
do so. As Mark says, it's more than just the two endpoints that can
observe the traffic. Even encrypted traffic provides some information.
Perhaps opting-in can be another use case for parameterized packages. We
could have our cake and still allow folks to opt-in without having to
tediously configure or modify their packages.
On the note of trusting software authors, for me a lot of it is
understanding the development process and analyzing if my interests are
aligned with those of the authors. However, that can be a complicated thing.
In general, I'm much more trusting of community projects than ones with
corporate sponsors. Track record also counts too, so I'm glad that Bone
referred us to the upstream discussion. I'll probably spend more of my
time looking for problems in future releases of projects like kitty and
audacity¹ than more trusted (to me) projects like goffice.
Even if we're not able to catch everything, auditing source can still be
useful. I found an information leak in innernet (not packaged for Guix
yet) in part because the authors were kind enough to point it out in a
comment². Perhaps auditing/patching is a test that is well suited to
combining efforts with folks beyond Guix. That can be either in dedicated
projects like Icecat or ungoogled-chromium, or simply by looking at what
patches and configuration options other package distributions apply. Of
course we can also share anything that we learn.
⁰ https://issues.guix.gnu.org/40360
¹ https://www.theregister.com/2021/05/14/audacity_telemetry/
² https://github.com/tonarino/innernet/blob/46d97831094d04fe3ad802a4bf2ac645e09d568c/publicip/src/lib.rs#L3-L4
Well, I guess I ended up adding more comments than I thought I would. Hope
they're helpful!
Jack