Re: percentage of popcon submitters
Russ Allbery wrote:
> what packages on your servers are missing security patches, basically
popularity-contest doesn't submit package versions, so it is not *that* easy to
know whether security updates have been installed or not.
As for security matters, popularity-contest could:
* randomly change the "recent" value of a random number of packages
* submit via https (or ftp+ssl), and/or even encrypt the data with gpg
* have some sort of apt-pinning so that it is possible to indicate that the data
corresponding to given package(s) or repository(ies) should NOT be sent,
thereby preventing the "I know when you went on VAC because your
xfoo-bar-custom package is marked as old" information leak.
With those security measures I believe there's a slight chance that a few more
people (or institutions) will install popularity-contest.
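An added illustration of the first and third suggestions in the message above (not part of the original message, and not popularity-contest's own code): a filter run over a report before it is submitted. The report layout, the tag names, the 30-day cut-off and the names `scrub_report`, `exclude` and `flip_fraction` are assumptions made for this example.

```python
import fnmatch
import random

DAY = 86400

# Constructed sample report. Assumed layout per entry:
#   <atime> <ctime> <package> <most-recently-used file> [<TAG>]
SAMPLE_REPORT = """\
POPULARITY-CONTEST-0 TIME:1230000000 ID:0123456789abcdef0123456789abcdef ARCH:i386 POPCONVER:1.46 VENDOR:Debian
1229990000 1220000000 grep /bin/grep
1229990000 1220000000 findutils /usr/bin/find
1200000000 1190000000 xfoo-bar-custom /usr/bin/xfoo <OLD>
1229000000 1229900000 openssh-server /usr/sbin/sshd <RECENT-CTIME>
END-POPULARITY-CONTEST-0 TIME:1230000005
"""


def scrub_report(report, exclude, now, flip_fraction=0.3, rng=None):
    """Drop excluded packages, then blur the recency of a random subset."""
    rng = rng or random.SystemRandom()  # unpredictable noise by default
    out = []
    for line in report.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            out.append(line)  # header and footer pass through unchanged
            continue
        atime, ctime, package, path = fields[:4]
        if any(fnmatch.fnmatch(package, pat) for pat in exclude):
            continue  # excluded entries are never submitted
        tag = fields[4] if len(fields) > 4 else ""
        if tag in ("", "<OLD>") and rng.random() < flip_fraction:
            # Replace the access time with one drawn from the last 60 days
            # and re-derive the tag (30-day cut-off assumed), so neither
            # "old" nor "recently used" can be trusted for a single host.
            atime = str(now - rng.randrange(60 * DAY))
            tag = "<OLD>" if now - int(atime) > 30 * DAY else ""
        out.append(" ".join(f for f in (atime, ctime, package, path, tag) if f))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(scrub_report(SAMPLE_REPORT, exclude=["xfoo-*"], now=1230000000), end="")
```

Only the exclusion step removes the `xfoo-bar-custom` entry from what leaves the host; the randomisation adds noise to the entries that are still sent.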