
Duncan Coutts wrote:
> On Sun, 2010-04-11 at 18:43 +0200, Maciej Piechotka wrote:
>> - Privacy problem. I don't want the software to call home with data without asking.
>
> Obviously it is important that the data be anonymous and that we do not send stuff without the user's knowledge. While there is not any directly identifying information in the existing anonymous build reports, one has to be very careful with how much access the server provides to the reports or it may become possible to infer identifying information.

One possibility for mitigating the issues here is to have cabal present the entire message to the user for scrubbing prior to being submitted,[1] similar to how version control systems generally provide a summary of the patch (albeit uneditable) when asking for a patch description. That poses other problems (e.g., reports which are too incomplete to be helpful or which are intentionally erroneous), and doesn't cover everything (e.g., taking advantage of outside knowledge that Duncan is one of the few users on Sparc/Linux), but it helps to solve the declassification problem (i.e., what data the user is willing to reveal to the server).

[1] Ideally in a way which allows scripting the scrubbing so folks can just specify preferences once. If we wanted to keep things simple for the implementors, then hooking into $EDITOR and assuming folks know how to script their favorite editor is one approach. Otherwise we'll want a (E)DSL that can be specified in config files.

-- 
Live well,
~wren
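The scrub-before-submit step sketched in the message above, as an added example in Python that is not code from the thread, from cabal, or from its authors: a constructed report in `field: value` form is run through a small, hypothetical rule file (`drop <field>` and `redact <field> <regex>`, standing in for the config-file DSL the footnote mentions), and the result is then handed to `$EDITOR` for the manual pass. The field names, the rule syntax and the sample paths are all assumptions made for illustration.

```python
import os
import re
import shlex
import subprocess
import tempfile

# Constructed sample report: the field names are chosen to look like an
# anonymous build report, but this is illustrative data, not real cabal output.
SAMPLE_REPORT = """\
package: example-pkg-0.1
os: linux
arch: sparc
compiler: ghc-6.12.1
client: cabal-install-0.8.0
dependencies: base-4.2.0.0 containers-0.3.0.0
install-outcome: InstallOk
build-log: /home/duncan/src/example-pkg/dist/build.log
"""

# Hypothetical scrub preferences (an assumed mini-DSL, not something cabal has).
# One rule per line:
#   drop <field>             remove the field entirely
#   redact <field> <regex>   replace every regex match in the field's value
SAMPLE_PREFS = """\
redact build-log /home/[^/]+
drop arch
"""

REDACTED = "[redacted]"


def parse_report(text):
    """Split 'field: value' lines into an ordered list of (field, value) pairs."""
    fields = []
    for line in text.splitlines():
        if not line.strip() or ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields.append((name.strip(), value.strip()))
    return fields


def parse_prefs(text):
    """Parse scrub rules; an unknown verb raises so a typo cannot silently leak data."""
    rules = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if not parts or parts[0].startswith("#"):
            continue
        verb = parts[0]
        if verb == "drop" and len(parts) == 2:
            rules.append(("drop", parts[1], None))
        elif verb == "redact" and len(parts) == 3:
            rules.append(("redact", parts[1], re.compile(parts[2])))
        else:
            raise ValueError("bad scrub rule: %r" % line)
    return rules


def scrub(report_text, prefs_text):
    """Apply the user's scrub rules and return the report that would be sent."""
    rules = parse_prefs(prefs_text)
    out = []
    for name, value in parse_report(report_text):
        dropped = False
        for verb, field, pattern in rules:
            if field != name:
                continue
            if verb == "drop":
                dropped = True
                break
            value = pattern.sub(REDACTED, value)
        if not dropped:
            out.append("%s: %s" % (name, value))
    return "\n".join(out) + "\n"


def review_in_editor(text, editor=None):
    """Hand the scrubbed report to $EDITOR for a final manual pass.

    Returns the edited text; if no editor is configured the text is returned
    unchanged, so the scripted rules are the only scrubbing applied.
    """
    editor = editor or os.environ.get("EDITOR")
    if not editor:
        return text
    with tempfile.NamedTemporaryFile("w", suffix=".report", delete=False) as tmp:
        tmp.write(text)
        path = tmp.name
    try:
        subprocess.call(shlex.split(editor) + [path])
        with open(path) as f:
            return f.read()
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # What the user would see (and could still edit) before anything is sent.
    print(review_in_editor(scrub(SAMPLE_REPORT, SAMPLE_PREFS)), end="")
```

The scripted rules run first so that the editor pass only has to catch what the preferences missed; the rule parser rejects anything it does not understand rather than ignoring it, since a silently skipped rule would mean a field the user believed was scrubbed goes out intact.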