Bug#961501: remmina is calling home for update notifications
On Wed, 27 May 2020 08:51:40 +0200 Antenore Gatta wrote: Hi all, patch is on its way. Progress can be tracked on our gitlab [0] Any feedback is much appreciated as it'll easy the resolution of the bug. Thanks! Kind regards Antenore - [0] https://gitlab.com/Remmina/Remmina/-/merge_requests/2066 Thanks for this, I came here to look specifically for a fix for those annoying popups. Glad to see this resolved for the next version!
Bug#961501: remmina is calling home for update notifications
Hi all, patch is on its way. Progress can be tracked on our gitlab [0] Any feedback is much appreciated as it'll easy the resolution of the bug. Thanks! Kind regards Antenore - [0] https://gitlab.com/Remmina/Remmina/-/merge_requests/2066
Bug#961501: remmina is calling home for update notifications
On Di 26 Mai 2020 10:00:56 CEST, Antenore Gatta wrote: [...] Thanks for your understanding on this issue, Antenore. Much appreciated. I prefere to relase a clean and cleaned 1.4.6 version than playing with workaround patches that may introduce other bugs Yeah, I think getting this fixed in the next upstream release is fair enough. Thanks a lot, Mike -- DAS-NETZWERKTEAM c\o Technik- und Ökologiezentrum Eckernförde Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde mobile: +49 (1520) 1976 148 landline: +49 (4351) 850 8940 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de pgpJHCzVGWDyY.pgp Description: Digitale PGP-Signatur
Bug#961501: remmina is calling home for update notifications
Hi Mike, Thanks for your detailed answer. On Monday, May 25, 2020 11:55:00 PM CEST Mike Gabriel wrote: > Debian users expect from Debian, to be a safe harbour, so all package > maintainers are requested to patch out code that does unwanted / > uncontrollable connections to the internet for stats collections and > such. I perfectly understand your point, we are working to fix this and it will take some days of work (in our limited free overnight time). > While I understand the interest in usage statistics, in Debian we > cannot have that part of the phoning-home code. I am sorry. This widget is not about usage statistics, that are already opt-in only. This widget informs the user about new Remmina versions and changes. No more no less. Just to clarify ;-) > > > Remmina on a regular basis verify if there's a new file or if the file of > > the version requested (the PHP parameter) has been changed/updated. > > Thanks for the explanation of the mechanism. > > > We do this to notify users about new versions, especially when there are > > important bugs that have been fixed. > > This is not helpful in a GNU distribution using a conservative-style > release model (not sure if this is the correct term) like Debian does. > Imagine Debian stable and oldstable users being reminded of their > software being out of date on every upstream release. Of course, their > software is out of date, as they use remmina from Debian (old)stable > (not testing/unstable). They get those notifications but cannot do > anything about it (except upgrading to Debian testing). This is a good point. I agree. > > So, also from a usability point of view, those notification windows > will be a disturbance to the users of Debian. > > > Libreoffice does something similar for instance and other software, > > in Debian, > > as well. > > Really? Than this must be considered as a bug. Which other packages > have you observed doing this? Regarding Libreoffice I see is not the case anymore since a long time, sorry. I don't have evidence of other software at the moment, if I find any I'll fill a bug as well. > > > I understand it may be quite annoying and we can add an opt-out option, > > would that be enough? > > Nope. I'd vote for a build-time switch that disables that code. I am > sorry. Another option could be a disabled-by-default (via build-time > option) update notification feature. A new remmina user should not be > bothered by update notification popups they won't be able to install > (because their Debian version won't have that update). Yes, understood. > I hope, you are ok with the above and the strictness of the policy. The news widget does other stuff than just showing the release notes, so we have to take out those functionalities. We need time and in the meanwhile 1.4.5 is already out, so please be flexible for this time. I prefere to relase a clean and cleaned 1.4.6 version than playing with workaround patches that may introduce other bugs > > light+love > Mike Regards Antenore signature.asc Description: This is a digitally signed message part.
Bug#961501: remmina is calling home for update notifications
Hi Mike, Thanks for your detailed answer. On Monday, May 25, 2020 11:55:00 PM CEST Mike Gabriel wrote: > Debian users expect from Debian, to be a safe harbour, so all package > maintainers are requested to patch out code that does unwanted / > uncontrollable connections to the internet for stats collections and > such. I perfectly understand your point, we are working to fix this and it will take some days of work (in our limited free overnight time). > While I understand the interest in usage statistics, in Debian we > cannot have that part of the phoning-home code. I am sorry. This widget is not about usage statistics, that are already opt-in only. This widget informs the user about new Remmina versions and changes. No more no less. Just to clarify ;-) > > > Remmina on a regular basis verify if there's a new file or if the file of > > the version requested (the PHP parameter) has been changed/updated. > > Thanks for the explanation of the mechanism. > > > We do this to notify users about new versions, especially when there are > > important bugs that have been fixed. > > This is not helpful in a GNU distribution using a conservative-style > release model (not sure if this is the correct term) like Debian does. > Imagine Debian stable and oldstable users being reminded of their > software being out of date on every upstream release. Of course, their > software is out of date, as they use remmina from Debian (old)stable > (not testing/unstable). They get those notifications but cannot do > anything about it (except upgrading to Debian testing). This is a good point. I agree. > > So, also from a usability point of view, those notification windows > will be a disturbance to the users of Debian. > > > Libreoffice does something similar for instance and other software, > > in Debian, > > as well. > > Really? Than this must be considered as a bug. Which other packages > have you observed doing this? Regarding Libreoffice I see is not the case anymore since a long time, sorry. I don't have evidence of other software at the moment, if I find any I'll fill a bug as well. > > > I understand it may be quite annoying and we can add an opt-out option, > > would that be enough? > > Nope. I'd vote for a build-time switch that disables that code. I am > sorry. Another option could be a disabled-by-default (via build-time > option) update notification feature. A new remmina user should not be > bothered by update notification popups they won't be able to install > (because their Debian version won't have that update). Yes, understood. > I hope, you are ok with the above and the strictness of the policy. The news widget does other stuff than just showing the release notes, so we have to take out those functionalities. We need time and in the meanwhile 1.4.5 is already out, so please be flexible for this time. I prefere to relase a clean and cleaned 1.4.6 version than playing with workaround patches that may introduce other bugs > > light+love > Mike Regards Antenore
Bug#961501: remmina is calling home for update notifications
Hi Antenore, Thanks for the quick reply. On Mo 25 Mai 2020 15:24:44 CEST, Antenore Gatta wrote: Hi Christoph, Upstream developer… I think it's a bit exaggerated to say that is a privacy violation. Debian users expect from Debian, to be a safe harbour, so all package maintainers are requested to patch out code that does unwanted / uncontrollable connections to the internet for stats collections and such. We just get a plain text file from https://remmina.org (e.g. https:// remmina.org/news/remmina_news.php?ver=1.4.5) with the new changelog. While I understand the interest in usage statistics, in Debian we cannot have that part of the phoning-home code. I am sorry. Remmina on a regular basis verify if there's a new file or if the file of the version requested (the PHP parameter) has been changed/updated. Thanks for the explanation of the mechanism. We do this to notify users about new versions, especially when there are important bugs that have been fixed. This is not helpful in a GNU distribution using a conservative-style release model (not sure if this is the correct term) like Debian does. Imagine Debian stable and oldstable users being reminded of their software being out of date on every upstream release. Of course, their software is out of date, as they use remmina from Debian (old)stable (not testing/unstable). They get those notifications but cannot do anything about it (except upgrading to Debian testing). So, also from a usability point of view, those notification windows will be a disturbance to the users of Debian. Libreoffice does something similar for instance and other software, in Debian, as well. Really? Than this must be considered as a bug. Which other packages have you observed doing this? I understand it may be quite annoying and we can add an opt-out option, would that be enough? Nope. I'd vote for a build-time switch that disables that code. I am sorry. Another option could be a disabled-by-default (via build-time option) update notification feature. A new remmina user should not be bothered by update notification popups they won't be able to install (because their Debian version won't have that update). Please consider that for a small project like Remmina is quite important to keep a channel opened with our users, otherwise we keep receiving and answering to the same issues again again, because usual people do not do the effort of searching through our bug tracking system. I fully understand that. People running on old software tend to report old bugs upstream. Please point them to the distribution they use, if they do that. In other projects, I use issue reporting templates that always ask for upstream version, package version and distro + distroversion. To amend the mess a little. We do not track people and the stats is a completely separated system, that is only opt-in. I am sorry, but this won't change the policy here. Thanks for not tracking your users. Much appreciated. So, let's find a solution that makes everybody happy. I hope, you are ok with the above and the strictness of the policy. light+love Mike -- DAS-NETZWERKTEAM c\o Technik- und Ökologiezentrum Eckernförde Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde mobile: +49 (1520) 1976 148 landline: +49 (4351) 850 8940 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de pgpGPHeBWVslw.pgp Description: Digitale PGP-Signatur
Bug#961501: remmina is calling home for update notifications
Hi Christoph, Upstream developer… I think it's a bit exaggerated to say that is a privacy violation. We just get a plain text file from https://remmina.org (e.g. https:// remmina.org/news/remmina_news.php?ver=1.4.5) with the new changelog. Remmina on a regular basis verify if there's a new file or if the file of the version requested (the PHP parameter) has been changed/updated. We do this to notify users about new versions, especially when there are important bugs that have been fixed. Libreoffice does something similar for instance and other software, in Debian, as well. I understand it may be quite annoying and we can add an opt-out option, would that be enough? Please consider that for a small project like Remmina is quite important to keep a channel opened with our users, otherwise we keep receiving and answering to the same issues again again, because usual people do not do the effort of searching through our bug tracking system. We do not track people and the stats is a completely separated system, that is only opt-in. So, let's find a solution that makes everybody happy. Regards Antenore
Bug#961501: remmina is calling home for update notifications
Package: remmina Version: 1.4.3+dfsg-2 Severity: grave Hi, this is the second time I've gotten an "What's new in Remmina" popup window out of the blue (i.e. not while actually using it, it's just sitting in the background at the moment). I suspect it is calling home, which would be a gross privacy violation. It's not remmina upstream's business if I have the program running or not. Note that the "Send usage statistics silder" is disabled in the screenshot. Please disable that logic in the default install. -- System Information: Debian Release: bullseye/sid APT prefers testing APT policy: (700, 'testing'), (600, 'unstable'), (150, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 5.5.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=de:en_US:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages remmina depends on: ii dbus-x11 [dbus-session-bus] 1.12.16-2 ii libavahi-client3 0.8-1 ii libavahi-common3 0.8-1 ii libavahi-ui-gtk3-0 0.8-1 ii libayatana-appindicator3-1 0.5.4-2 ii libc62.30-8 ii libcairo21.16.0-4 ii libgcrypt20 1.8.5-5 ii libglib2.0-0 2.64.2-1 ii libgtk-3-0 3.24.20-1 ii libjson-glib-1.0-0 1.4.4-2 ii libpango-1.0-0 1.42.4-8 ii libsodium23 1.0.18-1 ii libsoup2.4-1 2.70.0-1 ii libssh-4 0.9.4-1 ii libssl1.11.1.1g-1 ii libvte-2.91-00.60.2-1 ii remmina-common 1.4.3+dfsg-2 Versions of packages remmina recommends: ii remmina-plugin-rdp 1.4.3+dfsg-2 pn remmina-plugin-secret ii remmina-plugin-vnc 1.4.3+dfsg-2 Versions of packages remmina suggests: pn remmina-plugin-exec pn remmina-plugin-kwallet pn remmina-plugin-nx pn remmina-plugin-spice pn remmina-plugin-www pn remmina-plugin-xdmcp -- no debconf information Christoph