
Re: fwupd / LVFS and user privacy



On 12 May 2018 at 21:08, M.Hanny Sabbagh <mhsabbagh@outlook.com> wrote:
> Since I am being subscribed to this, I just would like to elaborate that the mentioned article remains 100% correct and true.

Let's agree to disagree there.

> Additionally, the comments which are being referred to as "refuted the article" are the same ones which confirm that fwupd collects the following data upon each firmware download:
> - IP address.
> - Client user-agent.
> - Timestamp.
> - Linux distribution name.
> - Linux distribution version.

It's somewhat hard to provide files to users on the Internet without
them downloading the file using HTTP-over-IP, which means the
destination does get the user-agent and IP address of the host.
Although I've tried to explain this several times to you, please be
aware that the millions of people downloading the metadata
automatically are not logged in this way; as I've previously explained,
the CDN does not keep logs. Only when you download firmware do we
store this data, and then it's done for the practical reasons outlined
in the privacy policy.

> Even Red Hat disables it by default, so I see no reason for Debian to not follow.

You talk about Red Hat as if it wasn't me who maintains the fwupd
package in RHEL, and I was the person who disabled it in RHEL 7.x. In
Fedora (where I also maintain fwupd) we have it turned on by default,
as we don't have the same set of requirements and the benefit of
shipping millions of security updates massively outweighs the
perceived customer privacy issue. We do let customers mirror the LVFS
firmware internally, and there is functionality in the LVFS and fwupd
to make this easy and still secure.

> As a user, I definitely would recommend disabling fwupd by default on Linux distributions

That's up to the distribution to decide themselves. I think I've
wasted enough time on the FOSS post thing already.

Richard.

