On Wed, Nov 22, 2006 at 16:45:26 +0000, Andy Green <andy@xxxxxxxxxxx> wrote: > > No I'm not sure there is any point "checking for unique IP addresses". > The nature of what the clients are doing with the mirrors is that each > client is only going to pull a package once. So you can do the Geo > stuff on the IP and just keep that, and examine the logs only for GET.*\.rpm That's a good point. There shouldn't be a significant number of redownloads of the same package from the same computer, so there isn't a need to worry about IP addresses. > This later turned into a "can I check for updates [y/n]" suggestion > which is hopefully more compatible with your view. Yes, this is much friendlier. > >> 3. Machines behind a local yum cache > >> > >>Whatever tools are provided to run the yum cache should have the repo > >>log processing stuff folded into them, and report stats up to Fedora HQ > >>by default. But a user should be able to turn it off. > > > >Definitely not, but especially not by default. > > Well I don't understand why you would say "definitely not" even if the > thing is opt-in. Yes, you are right. I think the initial opt out had me view this negatively without thinking it through as well as I should. If it was opt in, than it would allow site admins to volunteer the information of they want. The opt in should be both at the end machine and the cache. > Hum none of this is "spyware". I just need to look in your mail headers > and I see your IP address: the mirrors already have it anyway. The > other information we discuss is if you took update packages, which and > how many. I realize that I choose to provide you with IP addresses of machines that I use to send mail to fedora lists or to fill out bugzilla reports. That goes with makign the internet connections and if I want to hide that information I can use tor or not send you email or fill out bugzilla reports. However, when I do an install on a machine there isn't a good reason that I should need to provide a public IP address for that machine in order to do the install. I might for instance do downloads at one machine and then use them on several machines in different physical locations. I consider any software that makes network connections back to the supplier for reasons not part of the function the software is providing to me to be spyware since it is supplying my IP address to the provider. The issue isn't so much the damage that I would be likely to incur, but rather how I view the Fedora project with respect to trust. Right now I trust them fairly highly. Based on my impression of several high profile Red Hat employees, I think it would be unlikely that a TLA could convince Red Hat to secretly put back doors into their products. I don't believe that is true of most software companies. While the odds of me being affected by this are very low, I want to support companies that I feel are supporting freedom. (I'm probably more at risk of marketting getting my data and annoying me with sales propositions.)
