I have started reading https://lwn.net/Articles/776327/ which discusses the ideas of Fedora to use per-system UUID to track systems. The suggestion says:
This is what openSUSE does — see https://metrics.opensuse.org/ for live stats.
and also
- openSUSE already uses a UUID in zypper; this is ground already traveled
Can anyone shed some light on the matter? I don’t want to be tracked, even if that is “just counting the systems”.
There was a presentation on this topic a couple of years ago at the openSUSE Conference.
How does that change things?
Also - how can one make sure that the mirror is really a mirror (i.e. not having some of the packages subverted with malware)?
The problem with this is that if SUSE gets both the UUID, the IP address and datetime of access. So this is no longer just “statistics” but becomes ‘personal data’ (as per GDPR). So anything like that should be an opt-in, not enforced for all.
Hi
Well download.opensuse.org will send you to a mirror (since it’s a mirrorbrain server https://en.opensuse.org/MirrorBrain)… remember it’s the download media as in iso images they are counting.
I’m no lawyer (and these are technical forums) so would suggest you take that up with your lawyer if you have concerns.
[QUOTE=malcolmlewis;2897478]Hi
Well download.opensuse.org will send you to a mirror (since it’s a mirrorbrain server https://en.opensuse.org/MirrorBrain)… remember it’s the download media as in iso images they are counting.
[/quote]
I know that download.opensuse.org redirects to a mirror and that it is possible to skip that redirect by selecting the mirror as a source directly. The question is - how does one know that what zypper/yast downloads from the mirror is really a mirror copy and not something else (e.g. malware)? Perhaps this question is not directly related to the topic but still I am interested to know.
I’m no lawyer (and these are technical forums) so would suggest you take that up with your lawyer if you have concerns.
IANAL either but I have read the GDPR and I know how ‘personal data’ and ‘processing’ are defined in it. Although recital 26 says “This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes”, the combination of IP+UUID+timing is a not anonymous data and can surely be used as a fingerprint, and “funding purposes” is different from “statistical or research”. I don’t see any information how this ‘personal data’ is ‘processed’. Hence this thread.
How can I get more information about all this?
Hi
The board or admin{at}o.o would be the place…
@heyjoe: I’ve added ( anyone could have btw ) this thread to https://en.opensuse.org/openSUSE_talk:Board_meetings as an agenda item.
What is admin{at}o.o please? An email address where I should ask?
@Knurpht - thanks. How can we know what happened on that meeting?
Hi
Not going to post an email address 
opensuse{dot}org and either board or admin…
And meeting minutes are posted in the project mailing list… https://lists.opensuse.org/opensuse-project/
Thanks! I will wait for those minutest then and if anything is unclear will write to a**{at}o** 
The repos are signed with GPG. Each RPM comes with a GPG signature, and the “repodata” (metadata of the repo, includes stuff like the list of packages, their checksum, filelist etc.) is also GPG-signed. If a mirror manages to inject malware without breaking the GPG signature, well, then that mirror is not our biggest problem
The GPG key used for the main repos (oss, non-oss, update) gets installed on your system as part of the initial installation so that you/zypper/YaST can validate the signatures. If you use additional repos, zypper/YaST will ask you to accept the key.
Oh, and to start with - we also provide signatures for the ISO files so that you can verify your install media.
AFAIK the only evil thing a mirror can do is a replay attack (= intentionally being outdated) so that you don’t get the latest security updates and stay vulnerable.
Even this is time-limited because the repodata also includes an expiration date. If a mirror has a months-old update repo you’ll get a warning, but if it’s “only” a week old, it will be accepted. (The lifetime/expiration date depends on the repo, and the update repo of course has a shorter expiration timeframe than the Leap oss repo, but I’d have to look up the exact allowed lifetime.)
Hi
Also note to unblock the Piwick site and it’s in German…
Here’s my understanding (which could be wrong):
The repo metadata file is signed with an opensuse key, and that key is checked by zypper/rpm/whatever.
In turn, the metadata file has hashes of the packages. And the packages downloaded are checked against those hashes.
Still waiting for those minutes to be published…
Thanks but these terms are about the website, not about what I am asking for (the OS).
And BTW forums.opensuse.org uses Google Analytics, not Piwik, and there is no way to opt-out of this (except by using uMatrix and/or uBO which is not a way provided by the ‘data controller’ SUSE). So Data protection by design and by default is not quite the case here. Additionally the same Article 25 says:
“The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.”
Tracking with UUID is not necessary for having an up to date OS. No tracking is necessary at all for that. Sharing data with Google is not necessary for having an online forum. Perhaps it should even be mentioned that login through microfocus.com is also a sharing of data with third party, while it can be made on SUSE’s servers. So although the last 2 are not the topic, they are still worth considering.
@cboltz - Thanks for explaining.
[QUOTE=cboltz;2897544]If a mirror manages to inject malware without breaking the GPG signature, well, then that mirror is not our biggest problem
[/quote]
Why not?
The GPG key used for the main repos (oss, non-oss, update) gets installed on your system as part of the initial installation so that you/zypper/YaST can validate the signatures.
If one chooses to use a mirror right from the very installation of the OS (following the advise given by malcolmlewis) - is the GPG key of the mirror the same as the one coming from downloads.opensuse.org and if it should be - what guarantees that it is?
…] replay attack (= intentionally being outdated) …]
…] expiration date …]
Is download.opensuse.org the entity which manages all that? I.e. does it redirect to a particular mirror based on certain security and freshness checks? If anyone feels this is too off-topic please let me know and I will open a separate thread.
Checked against what? I.e. - does zypper have what it compares to hard coded in itself or does it still need to contact opensuse for an original key to compare to?
Use NoScript on FF and block googleanalytics. I do this already for years (in general, not special for the forums) and see no negative effect on the forums uesage…
On Wed 20 Mar 2019 01:26:03 PM CDT, hcvv wrote:
heyjoe;2897579 Wrote:
>
>
> And BTW forums.opensuse.org uses Google Analytics,
Use NoScript on FF and block googleanalytics. I do this already for
years (in general, not special for the forums) and see no negative
effect on the forums uesage…
Hi
All the cruft here is blocked via Raspberry Pi3’s running openSUSE
Leap 15.0 and Pihole DNS, once place to manage rather than individual
machines, plus can blacklist or whitelist sites on the fly…
–
Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
SLES 15 | GNOME Shell 3.26.2 | 4.12.14-25.28-default
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below… Thanks!
Much better: Use NoScript + uMatrix in Firefox.
Important: Remove all “Whitelist” trash in NoScript (disgusting, really) and set default in uMatrix to zero, Null, niente, nothing.
But be careful and keep vomit bags at hand, what you see there is nothing for highly sensitive personalities