Bruno Wolff III wrote:
Whereas if you collect via yum mirrors, there is a transaction going on
initiated by the user that he benefits from. It seems hard for anyone
to object to your IP getting used for anonymous aggregated stats in such
a case, in fact if I visit any website I expect to have the same done
for my visit from their logs (esp if they are on Google Analytics).
The data can't just be stored as anonymous aggregated data since you need to
check for unique IP addresses. You could do hashing, but that wouldn't buy
very much privacy until ip6 is common. Still it would be nice if Fedora
had an official policy on when the IP data (as opposed to the aggragate data)
would be deleted.
No I'm not sure there is any point "checking for unique IP addresses".
The nature of what the clients are doing with the mirrors is that each
client is only going to pull a package once. So you can do the Geo
stuff on the IP and just keep that, and examine the logs only for GET.*\.rpm
It would be cool to generate a GUID per machine and attach it to yum
download URLs, eg, http://mirror.org/blah/thing.rpm?GUID=123-123-123..
so it is ignored by the server but is present in the logs. But the logs
are still useful without it.
Definitely don't do this.
It doesn't seem necessary on further thought.
Making a new machine check for updates at least once as soon as it saw
the network was up would be a friendly and non-privacy threatening
action that would solve this...
No it wouldn't be friendly. I don't like that yum checks for updates on first
boot before I have a chance to turn it off.
This later turned into a "can I check for updates [y/n]" suggestion
which is hopefully more compatible with your view.
3. Machines behind a local yum cache
Whatever tools are provided to run the yum cache should have the repo
log processing stuff folded into them, and report stats up to Fedora HQ
by default. But a user should be able to turn it off.
Definitely not, but especially not by default.
Well I don't understand why you would say "definitely not" even if the
thing is opt-in.
One of the reasons I like free software is that it doesn't (normally) try to
spy on you.
Currently Fedora is a pretty good fit for me, but if it turns into spyware,
I will be looking at other options. (Though in the short run I would probably
look at respinning the install DVD to include modified packages without the
spyware.)
Hum none of this is "spyware". I just need to look in your mail headers
and I see your IP address: the mirrors already have it anyway. The
other information we discuss is if you took update packages, which and
how many.
-Andy
