as the person who pushed for the alpine core team (now TSC) to adopt a policy of rejecting telemetry features in alpine-packaged software, i have opinions on flathub 🙃
mostly i am concerned that pushing users to use vendor-provided builds distributed on flathub may be exposing users to harmful software misfeatures like telemetry in ways that they would not if those same users installed packages from a distribution which patches out these misfeatures as a matter of policy
i wish that flathub would explicitly ban telemetry and check for telemetry features during their review processes. i would be more likely to recommend flatpak in more cases if they did.
-
my philosophy here effectively boils down to a simple position: your computer should not be a rat.
-
to be clear: this policy only applies to software that has default-on telemetry. if it asks the end user if they consent to telemetry sharing, we don’t particularly care about that (as long as it is respecting user consent anyway, otherwise it’s a release-critical bug…)
-
my point here is that distributions sometimes do curation that upstream does not want, because the distribution is acting in the interests of its user base, while flathub is more about allowing upstreams to distribute their own builds.
do distributions need to curate all software? of course not.
but i would trust the alpine build of firefox to respect my privacy moreso than the flathub one, because i know that we patch firefox to be compliant with our telemetry policy, and i know flathub does not have any such policy.
-
but why should a distribution care about telemetry?
distributions are advocates for user concerns, including and especially user privacy. or, at least in the idealized world, they would be using their role as curator in this way.
why do we, as curators, care about browser telemetry? well, the world is backsliding into fascism, and if your browser shares with its telemetry service that you searched for “misoprostol”, then your door might get kicked in.
as curators we have a responsibility to reduce harm potential.
-
in the world we have built, data can be easily weaponized. that is enough reason to care about defanging telemetry functionality in software.
for example, for the average windows 11 user searching for “misoprostol” on a new copilot-enabled computer we have the following leaks:
* microsoft edge telemetry noting that you searched for “misoprostol”
* microsoft bing telemetry also noting this when you searched for it using edge (since bing is the default)
* microsoft windows copilot taking a screenshot of you searching for misoprostol

and of course digital forensic tools misinterpret the data they find too, and that can become very problematic: https://www.digital-detective.net/digital-evidence-discrepancies-casey-anthony-trial/
so in this hypothetical situation, the trump kangaroo court arrests you after a miscarriage… you’re just screwed.