LWN: Comments on "A little surprise in the Ubuntu motd"

A little surprise in the Ubuntu motd

pabs — Mon, 24 Jul 2017 07:40:35 +0000

Subgraph OS and Kodachi are a couple more.

A little surprise in the Ubuntu motd

pabs — Sun, 23 Jul 2017 23:49:19 +0000

There aren't any privacy focussed Debian blends yet, but there are derivatives, including Tails and Whonix as well as Debian-based Qubes VMs.

A little surprise in the Ubuntu motd

liw — Sun, 23 Jul 2017 19:30:52 +0000

It may not be in the Debian Policy document, but "phone home" type behaviour is usually considered to be a bug, in my experience. As an example see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=792580 (chromium).

A little surprise in the Ubuntu motd

gracinet — Sun, 23 Jul 2017 19:18:49 +0000

> If you think privacy is so important that it outweighs all other considerations, then Debian just isn't for you. There are other distributions that do focus on that, and they are more suitable for such a purpose.

Including Debian derivatives or blends, if I'm not mistaken, right ?

A little surprise in the Ubuntu motd

yoe — Sun, 23 Jul 2017 16:53:01 +0000

The bit you quote is about *building* a package from source, not about *using* the built package, and is there more because lack of that flies in the face of things like reproducibility and the guarantee of free software; it has nothing to do with privacy and phoning home.

> Indeed, Debian developers can't be trusted to care about your privacy. If you google for "phones home" site:bugs.debian.org, most of the found bugs aren't RC.

I repeat: this is not because we don't care about privacy, but instead because privacy is not our focus. Privacy is a laudable goal, but not one a general-purpose distribution like Debian can pursue without becoming a distribution that *only* the privacy-conscious will want to use. For that reason, while phone home issues may be considered bugs in some cases for Debian, they are not usually considered release-critical.

If you think privacy is so important that it outweighs all other considerations, then Debian just isn't for you. There are other distributions that do focus on that, and they are more suitable for such a purpose.

A little surprise in the Ubuntu motd

jwilk — Sun, 23 Jul 2017 12:13:13 +0000

There is policy against some kinds of phoning home. From §4.9 (Main building script: debian/rules):

For packages in the main archive, no required targets may attempt network access.

It's a bit embarrassing that it had to be written down. Apparently the implicit “you must not do stupid shit” policy was not enough.

Indeed, Debian developers can't be trusted to care about your privacy. If you google for "phones home" site:bugs.debian.org, most of the found bugs aren't RC.

A little surprise in the Ubuntu motd

yoe — Sat, 22 Jul 2017 20:24:06 +0000

> The Debian Social Contract paragraph 4 implies that Debian promises to respect the privacy of its users.

Only if you read words that aren't there.

> While the Debian Policy Manual does not explicitly mention phone-home violations, the Debian Policy Manual is not the definition of Debian policy, but an incomplete attempt to document the most important parts of it.

Close, but no. Policy defines the rules on which there is consensus and no controversy, and which can be clearly put into language. It is indeed not complete, but that has less to do with importance than with practicality.

> Lintian defines detectable privacy breach issues as having a "serious" severity (the highest possible severity). The only reason it doesn't automatically reject packages with privacy breach issues is because the risk of false positives in its detection method.

It defines detectable and avoidable privacy issues as such, because it's generally a good idea to avoid it if you can. However, there is no part of Debian that defines phoning home as a MUST NOT, because it's not what Debian focuses on, and it's not a practical goal that we can reach without intensive patching of upstream software, which is generally frowned upon -- and that *is* defined in policy.

A little surprise in the Ubuntu motd

Jonno — Sat, 22 Jul 2017 07:47:12 +0000

> maybe in your part of Debian it is an absolute MUST NOT, but in my part of Debian it is not. Last I checked, Debian policy did not forbid phone-home privacy violations of any kind.

The Debian Social Contract paragraph 4 implies that Debian promises to respect the privacy of its users.

While the Debian Policy Manual does not explicitly mention phone-home violations, the Debian Policy Manual is not the definition of Debian policy, but an incomplete attempt to document the most important parts of it.

Lintian defines detectable privacy breach issues as having a "serious" severity (the highest possible severity). The only reason it doesn't automatically reject packages with privacy breach issues is because the risk of false positives in its detection method.

A little surprise in the Ubuntu motd

yoe — Fri, 21 Jul 2017 23:35:19 +0000

maybe in your part of Debian it is an absolute MUST NOT, but in my part of Debian it is not. Last I checked, Debian policy did not forbid phone-home privacy violations of any kind.

A little surprise in the Ubuntu motd

farnz — Thu, 20 Jul 2017 08:45:22 +0000

Even back then, HBO was a non-entity over here - the equivalent was Sky Movies. To recognise HBO, you need to be attuned to American TV culture; either because you're a serious fan of shows that HBO produces (and thus are aware of fansites telling you that this is a HBO production), or because US cable TV was significant to you for other reasons (lived in the US, worked in the industry etc).

A little surprise in the Ubuntu motd

k8to — Thu, 20 Jul 2017 00:03:04 +0000

HBO was far far more relevant in the early days of cable TV, when it was "How you watched movies that were not 8+ years old at home". Lately, it's pretty ignorable.

A little surprise in the Ubuntu motd

satbyy — Thu, 13 Jul 2017 19:00:22 +0000

Yes, but IIRC such screensavers are moved to xscreensaver-data-extra and xscreensaver-gl-extra packages, which are not installed by default. So it's users prerogative to install such phone-home packages.

A little surprise in the Ubuntu motd

farnz — Thu, 13 Jul 2017 15:49:01 +0000

Round my neck of the woods, where US TV content is often bought in by local firms, those are usually known as Sky shows, not HBO shows. If you don't watch any of them, and therefore haven't seen the HBO branding in the credits, you could well not realise that they're not Sky productions.

I'm only aware of HBO because I used to work in the broadcasting industry; had HBO never been a potential customer of my employer, I'd probably not be aware of their existence.

A little surprise in the Ubuntu motd

jschrod — Thu, 13 Jul 2017 14:59:39 +0000

> FYI I have no idea what an HBO is ...

HBO is the company that produces Game of Thrones, True Blood, The Sopranos, Sex and the City, Six Feet Under, The Wire and a gag of other widely acclaimed TV series.

I assume you have heard of them, even if you don't look TV. (I look TV very seldom, and still have heard of them -- in fact, for some of the series named above I have no idea about their content -- nevertheless, it's quite hard to miss any reporting about this pop-cultural phenomen.)

A little surprise in the Ubuntu motd

Wol — Thu, 13 Jul 2017 14:36:56 +0000

FYI I have no idea what an HBO is ...

And acronyms - especially TLAs, often have multiple meanings. The number of times I've seen a familiar TLA in an unfamiliar setting and wondered what on earth it meant ...

To me, I'd guess an HBO was a H... Buy Out, some financial term ...

Cheers,
Wol

A little surprise in the Ubuntu motd

Wol — Thu, 13 Jul 2017 14:32:55 +0000

Which causes major comprehension problems. I speak English natively (that's English, not American), so the reference to "Silicon Valley" would completely flummox me as I would understand it as a place. I've never heard of the TV series.

That's one of the reasons foreign call centres are so unpopular - not only do foreign accents (even if the English is impeccable) make them hard to understand, but the cultural understanding is missing. I have no trouble understanding a strong Scottish accent despite it being very different from mine, but some of the worst experiences I've had have been when I've had no trouble at all understanding the words, but the meaning escaped me completely. (Or the guy at the other end had the same problem in reverse ...)

Cheers,
Wol

A little surprise in the Ubuntu motd

kzar — Tue, 11 Jul 2017 16:47:37 +0000

> The right way to solve it would be to inject HSTS headers for whitelisted sites, but I'm not sure if an extension can even do that…

Yes, while I've not tried it with that particular header Chrome extension can inject headers into responses. For an example have a look at this https://github.com/adblockplus/adblockpluschrome/blob/45f...

A little surprise in the Ubuntu motd

jschrod — Sun, 09 Jul 2017 23:41:04 +0000

The prefix "HBO's" may point out to a halfway attentative reader that it has something to do with TV.

Well, maybe not, if one doesn't know what "HBO" is -- but than one has different communication problems because then this is a different planet than most other IT affine persons live on.

(FTR: I do not live in the USA and have no idea what kind of HBO production this is.)

A little surprise in the Ubuntu motd

flussence — Sun, 09 Jul 2017 00:33:43 +0000

HTTPS Everywhere has a serious flaw in that particular use case - it's too slow and bloated, which combined with the asynchronous extension loading on Chromium (and I'd expect it to start doing the same on Firefox soon) causes some nasty races. More than once I've seen the browser open and fully load HTTP pages before the extension “warms up”.

The right way to solve it would be to inject HSTS headers for whitelisted sites, but I'm not sure if an extension can even do that…

A little surprise in the Ubuntu motd

lkundrak — Sat, 08 Jul 2017 20:40:12 +0000

>the motd message under discussion looks completely cryptic for me

- * How HBO's Silicon Valley built "Not Hotdog" with mobile TensorFlow,
+ * How HBO's Silicon Valley built "Not Hotdog" with mobile TensorFlow, fnord.

A little surprise in the Ubuntu motd

ssmith32 — Sat, 08 Jul 2017 18:48:42 +0000

And if you don't mind the network traffic "start where I left off" (i.e. open the tabs I had open on close), is a perfectly sane default - and with https-everywhere enabled, it won't be sending out unencrypted info, if that's your worry.

I don't know why this isn't the default - just from a pure usefulness standpoint, it drives me a bit batty to lose all my tabs on restart...

A little surprise in the Ubuntu motd

mirabilos — Fri, 07 Jul 2017 20:26:21 +0000

Interesting. Feel free to report the bug (I do not use xscreensaver so I cannot comment) as serious issue.

A little surprise in the Ubuntu motd

joey — Fri, 07 Jul 2017 16:24:50 +0000

Some years ago I was surprised when my Dad knew about some blog post from planet.debian.org. It turns out that Debian's xscreensaver is modified to download its RSS feed and displays it from time to time amoung the other screensavers.

So, you might want to fix that phone-home privacy violation in Debian, I suppose..

A little surprise in the Ubuntu motd

laarmen — Fri, 07 Jul 2017 12:26:32 +0000

I think here they refer to a TV Series titled Silicon Valley.

A little surprise in the Ubuntu motd

niner — Fri, 07 Jul 2017 11:50:48 +0000

But Silicon Valley is a place, not a person or an organisation. So how can a place build anything?

A little surprise in the Ubuntu motd

flussence — Fri, 07 Jul 2017 03:32:51 +0000

I've found that Firefox starts up slightly faster and significantly less CPU-hungrily if I take away its network access while it's loading.

The worst culprit at startup is the new tab page where mousing over the page thumbnails generates a traffic storm directly to those sites, which makes it pretty easy for someone snooping your unencrypted DNS traffic to know a) that you have the NTP screen open and b) your most visited sites. I bet someone could probably come up with some insane side-channel analysis to figure out where on the screen each is (i.e. relative ordering by view count) by the timing of the requests.

A little surprise in the Ubuntu motd

NightMonkey — Thu, 06 Jul 2017 23:56:17 +0000

Free-range, even.

A little surprise in the Ubuntu motd

jbicha — Thu, 06 Jul 2017 22:57:29 +0000

To offer the firmware update, the helper script runs automatically in the background on a regular basis.

To speed up installing the firmware, maybe the script downloads the firmware before asking you whether to install it.

A little surprise in the Ubuntu motd

debacle — Thu, 06 Jul 2017 21:26:01 +0000

The list is impressive. I'm a little bit disappointed, that the Debian firefox package does not have all the settings correctly preconfigured.

A little surprise in the Ubuntu motd

epa — Thu, 06 Jul 2017 12:48:58 +0000

I remember Fedora's storm in a teacup over "Beefy Miracle" a few years back. Could the moral be that hot dogs and Linux distributions do not mix?

A little surprise in the Ubuntu motd

jwilk — Thu, 06 Jul 2017 10:23:05 +0000

Firefox is a total privacy disaster:

https://support.mozilla.org/en-US/kb/how-stop-firefox-mak...

And this list isn't even complete. It doesn't mention captive portal detection, and who knows what else.

A little surprise in the Ubuntu motd

mirabilos — Thu, 06 Jul 2017 10:07:46 +0000

Yes, this is quite a problem as well; a similar bug was reported to Debian, and I tend to just force browsers to load about:blank or similar when started (local, static content with no automatic network connection, in any case, which is why the various default (upstream) Firefox start pages are a no-go either).

A little surprise in the Ubuntu motd

mirabilos — Thu, 06 Jul 2017 10:06:27 +0000

> I'll give an example of a not-a-bug

Your example is no different from a shell script with a wget command in it that the user runs.

The motd thing, on the other hand, is automatic *and* enabled by default, which moves it *quite* into the problematic domains.

A little surprise in the Ubuntu motd

lamby — Thu, 06 Jul 2017 09:06:48 +0000

May I suggest a small, artisanal distribution called Debian?

A little surprise in the Ubuntu motd

fujimotos — Thu, 06 Jul 2017 05:19:32 +0000

Also Mozilla is doing the same thing on their default homepage (about:home).
This page has a little area to show messages and these texts are loaded dynamically via AJAX.

Their messages are equally cryptic. Here is an example:

> Cat videos are a universal form of communication. Learn more about what the Web can
> give us with Mozilla Webmaker and our global Maker Party.

I just don't understand why Ubuntu/Fedora/Mozilla are trying to send something like this
to their users.

A little surprise in the Ubuntu motd

jkingweb — Thu, 06 Jul 2017 01:20:05 +0000

Phew. I thought it was just me. I'm also not American, and English is likewise not my first language, but my command of English is pretty decent.

I was having a lot of diffulty reading advertisement (or, indeed, anything) from the text, and I wondered if I was just dumb.

A little surprise in the Ubuntu motd

zuki — Thu, 06 Jul 2017 01:19:24 +0000

"How A built B using C" is a fairly standard pattern. Even if I have no idea what A, B, and C are, I can guess that it's some off-topic bit of trivia.

A little surprise in the Ubuntu motd

zuki — Thu, 06 Jul 2017 01:17:09 +0000

Yeah, I had the same reaction. It seems to a much ado about nothing. When my Fedora Magazine feed has an article Controlling Windows with Ansible I don't jump to any conclusions.

And making this opt in is also not without costs — either you need to know about the feature and expressly request it, so in effect most people won't have it, or you ask, so the installer needs to ask everybody one more stupid question ("do you want to tell the ubuntu servers that you installed ubuntu, even though they already know it because you periodically check for updates?"). I think making this opt-out and including a bit of "off topic" messages is completely appropriate.

A little surprise in the Ubuntu motd

jbicha — Wed, 05 Jul 2017 23:42:22 +0000

> a security-relevant release-critical bug

It's not a "security" bug. It might not be release-critical. Sometimes this kind of thing is not even a bug.

I'll give an example of a not-a-bug: A computer offers to update the firmware in a connected device. If the user agrees to update the firmware, the server providing the firmware knows that a user at that IP address has a device that uses that firmware.

I don't see why a user should be upset at that behavior but at the same time browse the Internet. For instance, the operators of LWN.net know (or can reasonably be assumed to know) what web browser (and what version) I am using to access this article and (probably) my home IP address. But this isn't unique to LWN; I share all that information (and a bit more) with every website I visit because of how the Internet works.

Does that mean that we should remove all web browsers from Debian as a "security update"? That would fix some security and privacy concerns, but Debian wouldn't be a very useful system to most people then.

A little surprise in the Ubuntu motd

k8to — Wed, 05 Jul 2017 21:05:28 +0000

The message, by itself, makes almost no sense.

That Ubuntu decision makers choose to not care that they are transmitting weird nonsense to server administrators in a privacy leaking communication stream is really unfortunate.