
Re: fwupd / LVFS and user privacy



Your reply here actually agrees with what I just said:

> downloading the metadata
> automatically are not logged in this way, as I've previously explained
> the CDN does not keep logs. Only when you download firmware do we
> store this data, and then it's done for the practical reasons outlined
> in the privacy policy.

I didn't even mention the metadata; I was talking about firmware download. So yes, when a user downloads a firmware you keep this metadata. What I am saying is that there should be a notification displayed ahead of time for users to know about such a thing; then there will be no problem. I am talking about the firmware downloading process, not the metadata.

I don't know what Debian could think about this and whether they have similar requirements or not in terms of "privacy issues", my job was just to highlight the issue and then everyone is free to do whatever they want. I definitely agree that having an easy firmware updating process for millions of devices is a good thing and shouldn't be stopped, but displaying a tiny message ahead of time will solve the issue for everyone, just like the 3rd-party closed-source repositories message in Fedora (latest Fedora 28).

Regards.


________________________________________
From: Richard Hughes <hughsient@gmail.com>
Sent: Sunday, May 13, 2018 0:20
To: M.Hanny Sabbagh
Cc: kardan; debian-efi@lists.debian.org; Richard Hughes
Subject: Re: fwupd / LVFS and user privacy

On 12 May 2018 at 21:08, M.Hanny Sabbagh <mhsabbagh@outlook.com> wrote:
> Since I am being subscribed to this, I just would like to elaborate that the mentioned article remains 100% correct and true.

Let's agree to disagree there.

> Additionally, the comments which are being referred to as having "refuted the article" are the same ones which confirm that fwupd collects the following data upon each firmware download:
> - IP address.
> - Client user-agent.
> - Timestamp.
> - Linux distribution name.
> - Linux distribution version.

It's somewhat hard to provide files to users on the Internet without
them downloading the file using HTTP-over-IP, which means the
destination does get the user-agent and IP address of the host.
Although I've tried to explain this several times to you, please be
aware that the millions of people downloading the metadata
automatically are not logged in this way, as I've previously explained
the CDN does not keep logs. Only when you download firmware do we
store this data, and then it's done for the practical reasons outlined
in the privacy policy.

> Even Red Hat disables it by default, so I see no reason for Debian to not follow.

You talk about Red Hat as if it wasn't me who maintains the fwupd
package in RHEL, and I was the person who disabled it in RHEL 7.x. In
Fedora (where I also maintain fwupd) we have it turned on by default,
as we don't have the same set of requirements and the benefit of
shipping millions of security updates massively outweighs the
perceived customer privacy issue. We do let customers mirror the LVFS
firmware internally, and there is functionality in the LVFS and fwupd
to make this easy and still secure.

> As a user, I definitely would recommend disabling fwupd by default on Linux distributions

That's up to the distribution to decide themselves. I think I've
wasted enough time on the FOSS post thing already.

Richard.

