A little surprise in the Ubuntu motd

At the end of June, Zachary Fouts noticed something on his Ubuntu system that surprised him a bit: an entry in the "message of the day" (motd) that looked, at least to some, like an advertisement. That is, of course, not what anyone expects from their free-software system; it turns out that it wasn't an ad at all, though it was worded ambiguously and could be (and was) interpreted that way. As the discussion in the bug Fouts filed shows, the "ad" came about from a useful feature that may or not have been somewhat abused—that determination depends on the observer.

It is a longstanding Unix tradition to print a message of the day when users log in; in ages past, administrators would often note upcoming software upgrades and/or maintenance downtime that way. Typically that message has come from the /etc/motd file, but Ubuntu has long had a way to dynamically generate messages from local system information (e.g. number of package updates or reboot needed) using scripts in the /etc/update-motd.d/ directory. In Ubuntu 17.04, a new script was added that reaches out to a URL and grabs what it finds there to display as the motd.

The default configuration is that this "motd-news" feature is enabled and that it will check https://motd.ubuntu.com for updates. That check is not done at login time, but is periodically done (every twelve hours or so) and the result is cached. At the time of this writing, the message there is reminding users that Ubuntu 16.10 reaches its end of life (EOL) on July 20. But at the time Fouts filed the bug, it had a much different message:

 * How HBO's Silicon Valley built "Not Hotdog" with mobile TensorFlow,
   Keras & React Native on Ubuntu
   - https://ubu.one/HBOubu

In the bug, Fouts said that the news item was targeted poorly: "Instead, https://motd.ubuntu.com should show relevant items to those that use Ubuntu Server (relevant security issues, etc), instead of items for desktop users." Others were quick to wonder whether it was an ad of some sort. Andrew Starr-Bochicchio was disappointed to see it:

He pointed to the /etc/default/motd-news file as a way to disable the feature for those who wanted to do that. Others followed suit; Mikko Tanner said: "Advertising has absolutely no place in motd." No one really defended the content itself, though several commenters considered it to be a mix-up of some kind. Simos Xenitellis asked: "Is it really necessary to conflate this into some conspiracy to display ads in the Ubuntu Server motd?" The post being "advertised" is actually technical in nature and has little to do with the "Silicon Valley" TV show (the app that is built was evidently featured in an episode), but it does namedrop Ubuntu. That is presumably why it was chosen to appear as part of the news stream.

Ubuntu Product Manager Dustin Kirkland, who is the author of the original dynamic motd as well as the new motd-news feature, soon arrived in the bug thread (after commenting in a related Hacker News thread). In a lengthy comment, he explained how motd-news works along with some history and functioning of the dynamic motd feature he developed back in 2009. He described how Ubuntu is using the feed and how it can be configured to consult a local URL to get news items that would be displayed instead of (or in addition to) the official feed. There are several categories of messages that will be added, including internet-wide problems (such as Heartbleed) or important information about Ubuntu itself (like an EOL date reminder). But there is a third category:

While Kirkland was not apologizing for the news item—he clearly believes it is a reasonable use of the facility—he did say that new messages would be reviewed by the ubuntu-motd team before going live. He invited those reading to submit their own messages to the repository for potential inclusion in the motd-news stream.

Some still objected to fun facts being intermingled with critical information such that users could not get one without also getting the other. Timothy R. Chavez suggested splitting out fun facts into their own stream that could be disabled by default for server installations. Markus Ueberall thought that applying tags to the messages would allow the client side to decide what it displays, which would presumably alleviate the concerns.

But Kirkland does not see a problem with the message: "Moreover, the HBO link wasn't even an advertisement!" He wondered whether those complaining were also opposed to paid Google search results and to the Google Doodles that appear on its home page. Those are imperfect analogies at best, of course. Some disagreed with Kirkland's characterization of the news item, however; Nicola Heald said:

Beyond the advertising angle, though, is a question of privacy. The "user agent" string used to contact the motd-news server sends a small amount of potentially sensitive information, including the uptime for the server, according to Chavez. It is believed that the uptime might be used to determine what news item to return (e.g. if the system has been up so long it could not have applied a particular update), but it is not clear whether that information is tracked by Canonical. It is a fairly minor privacy breach, potentially, but one that concerns a few, including Fouts, the original reporter, who had some further thoughts:

So far, there is no indication of any plans to change things. Kirkland changed the importance of the bug to "Wishlist" and its status to "Opinion" on June 29. He seemed to indicate that more care would be taken in choosing fun facts in the future (perhaps reviewing the wording to reduce the perception that it is an ad), but the feature itself will not be changing.

While there is some element of a "sad Twitter storm in a tea cup" regarding the bug, as Xenitellis put it, there are some reasonable concerns that it has surfaced. Clearly the news item in question was aimed at doing a bit of marketing regarding Ubuntu—people have varying reactions to that kind of message, especially in unexpected locations. And, while it is hard to imagine that Canonical has some nefarious plan that uses system uptimes, sending that kind of information anywhere seems like it should be opt-in. Overall, that seems to be the failing here: getting permission before making these kinds of changes. There are a number of ways that could be fixed, of course, but it would seem that Ubuntu/Canonical are not particularly interested in doing so, at least yet.