
fwupd / LVFS and user privacy


I stumbled upon this article[1] about LVFS which says that fwupd.org
is hosted on Amazon EC2. However, a traceroute tells me fwupd.org answers
from a Scaleway cloud which belongs to the French Iliad
telecommunications company[2]. According to a merge request the site is
planned to be migrated to the Linux Foundation[3]. Please give me a
hint about the current situation and if there is a timetable for
the migration.

There are several claims regarding privacy issues so I opened a bug
report[4] to sort them out and check if fwupd really affects user's

The article also mentions a QA team auditing the .cab files. I would be
glad to receive more information on how this process works and if the
reports are publicly visible.

Also I am confused about this blog post by System76[5], especially the
opt-in to collect user's data without their knowledge:

> We had intended to use LVFS in the future, but that is no longer the
> case; there are too many problems with the project.
> If you want to use LVFS, disable the data collection. There’s no need
> for it. Understand that the first instinct of the project leaders was
> to unnecessarily opt-in data collection from user installations.
> Understand that you’re electing for your distribution to communicate
> with third party servers. The more servers your distribution
> communicates with out of the box (especially as root), the more
> surface area there is for vulnerabilities. Heavily scrutinize any
> addition of a third-party server for updates.
> Understand that if you are a company specializing in Linux-only
> devices and considering using LVFS, you are handing your private
> sales data to LVFS. We suggest hosting LVFS on your own servers.

Thanks for your work!


[2] https://en.wikipedia.org/wiki/Iliad_SA

[3] https://github.com/hughsie/fwupd/pull/444

[4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898479

