Big Brother OpenBSD
I recently discovered that I am being tracked while installing OpenBSD.
This is not new, but I am very annoyed and dismayed that there is no "opt out" feature in the OpenBSD installer. And that the collection of user data by OpenBSD is not openly discussed in the installation documentation.
http://jan.exss.de/openbsd-bb.html
Here is a script that retrieves some of the information stored at OpenBSD (129.128.5.191):
(Change the architecture, i386, to match your own system)
Code:
#! /bin/sh
# Show the info that OpenBSD collected on you during the last installation
curl "http://129.128.5.191/cgi-bin/ftplist.cgi?path=/pub/OpenBSD/5.4/i386"
|
||||
Huh?
That link is just the list of OS distribution mirrors, showing URL and location for ease of mirror selection by users. See http://www.openbsd.org/ftp.html for a list of download mirrors sorted by type (FTP, HTTP, RSYNC, and AFS).
|
||||
The history of the file you questioned is available from the www CVS repository -- here is its log:
http://www.openbsd.org/cgi-bin/cvsweb/www/ftplist
|
|||
Quote:
http://www.openbsd.org/cgi-bin/cvswe...oot/install.sh
http://www.openbsd.org/cgi-bin/cvswe...ot/install.sub
During an install (bsd.rd), one's IP address, timezone setting, last choice of OpenBSD FTP server and architecture are sent to an OpenBSD website in Calgary.
http://article.gmane.org/gmane.os.op...+installations
Last edited by comet--berkeley; 13th March 2014 at 04:52 PM. Reason: add links to install.sh and install.sub
|
||||
Thank you, comet--berkeley. That improves my clarity of understanding, and to aid discussion, your concern is apparently this, from install.sh:
Code:
# If we managed to talk to the ftplist server before, tell it what
# location we used... so it can perform magic next time
if [[ -s $SERVERLISTALL ]]; then
	_i=
	[[ -n $installedfrom ]] && _i="install=$installedfrom"
	[[ -n $TZ ]] && _i="$_i&TZ=$TZ"
	[[ -n $method ]] && _i="$_i&method=$method"
	[[ -n $_i ]] && ftp -Vao - \
		"http://129.128.5.191/cgi-bin/ftpinstall.cgi?$_i" >/dev/null 2>&1 &
fi
Code:
install_files "$_url_base" "$_file_list"
# Remember where we installed from
installedfrom=$_url_type://$_server_ip/$_server_dir
# Bake a package path if we installed from a mirror
if [[ -n $_mirror ]]; then
	PACKAGE_PATH=$(print -r -- "$installedfrom" | sed -E "/\/(snapshots|[0-9]\.[0-9])\/($ARCH)\/*$/!d
		s!!/\1/packages/$(arch -s)/!;q")
else
	PACKAGE_PATH=
fi
Quote:
Personally, I'm not too concerned that there is a recording of my public facing IP addresses that shows that I've run an OpenBSD installation script; anyone querying my bastion firewalls will discover I'm running the OS; I don't run services in "stealth" mode -- I use PF block rules with the return option -- and don't fear the fingerprints the OS and its services provide. I expect all of the mirror servers log accesses locally but that is data stored by each mirror and not consolidated as in this collection.
I find myself thinking that this collection of metadata might have been better publicized, and that an "opt out" capability should be implemented. This data could be interpreted as PII in many jurisdictions, and the Project therefore acting in the dual roles of Data Collector and Data Processor.
We can certainly discuss this, and if there is consensus, perhaps one (or more) of us can develop a patch that provides both notification and "opt out" capability, for consideration by deraadt@ and the other developers who implemented and support the feature.
Last edited by jggimi; 13th March 2014 at 05:42 PM. Reason: typo
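A sketch of the notification and "opt out" behaviour proposed in the post above, as an added example that is not OpenBSD installer code and not from any poster in this thread: it rebuilds the query string the way the quoted install.sh fragment does, shows it to the user, and sends nothing. `REPORT_OPTOUT`, the function names and the sample values are hypothetical.

```sh
#!/bin/sh
# Added illustration; not OpenBSD installer code.
# REPORT_OPTOUT, build_report_query and describe_report are hypothetical names.

# Build the query string the way the quoted install.sh fragment does, from
# the install source, timezone and method. Like that fragment, it does no
# URL-encoding and yields a leading '&' when the install source is empty.
build_report_query() {
    _installedfrom=$1 _tz=$2 _method=$3 _q=

    # Hypothetical opt-out: any non-empty value suppresses the report.
    [ -n "${REPORT_OPTOUT:-}" ] && return 0

    [ -n "$_installedfrom" ] && _q="install=$_installedfrom"
    [ -n "$_tz" ] && _q="$_q&TZ=$_tz"
    [ -n "$_method" ] && _q="$_q&method=$_method"
    printf '%s' "$_q"
}

# Tell the user what would leave the machine. Nothing is sent here.
describe_report() {
    _q=$(build_report_query "$@")
    if [ -z "$_q" ]; then
        echo "No installation report will be sent."
        return 0
    fi
    echo "An installation report would carry, besides this host's IP address:"
    # One key=value pair per line; drop the empty line a leading '&' leaves.
    printf '%s\n' "$_q" | tr '&' '\n' | sed -e '/^$/d' -e 's/^/  /'
}

# Constructed sample values (192.0.2.10 is a documentation address).
SAMPLE_FROM="http://192.0.2.10/pub/OpenBSD/5.4/i386"
SAMPLE_TZ="Canada/Mountain"
SAMPLE_METHOD="http"

describe_report "$SAMPLE_FROM" "$SAMPLE_TZ" "$SAMPLE_METHOD"
REPORT_OPTOUT=1
describe_report "$SAMPLE_FROM" "$SAMPLE_TZ" "$SAMPLE_METHOD"
unset REPORT_OPTOUT
```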
|
|||
Quote:
Quote:
Why should I expect that my information is being gathered in the first place?
Last edited by comet--berkeley; 14th March 2014 at 03:48 PM. Reason: add link to jan.exss.de page
|
|||
Quote:
There actually is a work-around way of "opting out".
Last edited by comet--berkeley; 14th March 2014 at 04:10 PM. Reason: suggest unplugging the ethernet
|
|||
There was one thread about it in @misc: http://marc.info/?t=126645269500001&r=1&w=2
Chances are it's not going anywhere as Theo sees it as a useful feature. I don't think it's a bad thing, but a little bit of disclosure would have been nice. Debian does something similar for packages where the installer asks you if you want to submit statistics for the packages you've installed on your system.
http://popcon.debian.org/README