Date: Fri, 30 Mar 2018 10:25:53 +0200
From: Natanael Copa
To: Christine Dodrill
Cc: "alpine-devel@lists.alpinelinux.org"
Subject: Re: [alpine-devel] What is the policy for telemetry in packages in Alpine's repos?

On Fri, 23 Mar 2018 02:16:28 +0000
Christine Dodrill wrote:

> Hello all,
>
> I just got a notification from the Caddy[1] project's GitHub page[2] that
> the Caddy project is indeed going ahead with their plan to implement
> telemetry into the server. As implemented (default on) [3] (search
> "telemetry"), it exposes a rather terrifying amount of data including but
> not limited to:
>
> - the number of vhosts you are serving
> - the version of Caddy
> - the number of TCP(/UDP?)
>   listeners Caddy has open
> - the server type of Caddy (in case you compile in the DNS server option)
> - OS (linux, windows, etc)
> - Architecture (aarch64, ppc64, etc)
> - CPU brand name
> - Number of logical CPU cores
> - CPU AES-NI support
> - the number of configuration directives in the loaded configuration
> - how many connections are likely or not likely to be TLS-MITM-ed
> - its best guess if the user is running this in development or
>   production based on what ACME servers Caddy is configured to use
> - the number of sites being served by Caddy
> - how many hits from how many unique user agents Caddy processes
> - the number of HTTP requests Caddy processes
> - the number of TLS certs Caddy manages
> - the number of TLS certs that Caddy manually loads from files
> - the number of TLS certs obtained from an ACME server
> - the number of TLS certs renewed from an ACME server
> - the number of TLS certs revoked from an ACME server
> - TLS client hello information [4] (this isn't implemented yet, but they
>   obviously plan to)
> - TLS handshake count
> - TLS handshake unique error count
> - the number of managed TLS certs currently loaded into ram
> - the number of manually loaded TLS certs currently loaded into ram
> - the number of self-signed certs Caddy is configured to generate in ram
>
> This seems a bit much for opt-out telemetry, and made me wonder if Alpine
> has any policies about packages with telemetry features in general. If so,
> what are they? If not, I think it would be reasonable for telemetry in
> alpine programs to be OPT-IN (as in: the user MUST take action to enable
> telemetry) or patched out from programs.

We don't have any written policies about this, but I would prefer that
this kind of thing is an opt-in, and I would be ok to apply an
Alpine-specific patch to disable telemetry by default.

-nc

>
> ---
>
> Christine Dodrill
> https://christine.website
>
> [1]: https://caddyserver.com/
> [2]: https://github.com/mholt/caddy/pull/2079
> [3]: https://github.com/mholt/caddy/pull/2079/files
> [4]: https://github.com/mholt/caddy/blob/52316952a575b01871224e68d4d248c0e2cdf271/caddytls/handshake.go#L103