On Mon, Jan 7, 2019 at 4:55 PM Bruno Wolff III <bruno(a)wolff.to> wrote:
> On Mon, Jan 07, 2019 at 16:41:46 -0500,
> John Harris <johnmh(a)splentity.com> wrote:
> >On Monday, January 7, 2019 4:31:29 PM EST Bruno Wolff III wrote:
> >> If the strings aren't checked when they are received, they could be
> >> anything.
> >> The system variant also has the same issue. You shouldn't trust
> >> the clients supplying this information.
> >
> >If we are just using this UUID to count machines, it doesn't matter what the
> >UUID is. Just that it's different between machines.
>
> Yes, if they are not so long as to break the software and no public report
> has the actual strings so the project doesn't get embarrassed and no one who
> has to look at the strings is easily offended, then it isn't a problem.
>
> The system variant is probably a bit different of a case. Unexpected variants
> could end up in public reports depending on how things are designed. It might
> be good to throw out any data which has unexpected variants in it.

I think the only useful data we could get from unknown variants would
be "the number of times we see an unknown variant". So I think
throwing it away and just incrementing a counter of "the number of
times people have tried to poison the data" is probably reasonable.
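
An added sketch of the server-side handling discussed in this thread; it is not part of any poster's message and not the project's code. The field names `uuid` and `variant`, the allowlist values, and the sample reports are all assumptions constructed for illustration.

```python
import uuid
from collections import Counter

# Hypothetical allowlist: the thread does not say which variant strings exist.
KNOWN_VARIANTS = frozenset({"workstation", "server", "cloud"})


def canonical_uuid(raw):
    """Return the canonical lowercase UUID string, or None if raw is not one."""
    if not isinstance(raw, str) or len(raw) != 36:
        return None  # wrong type or length: dropped before any parsing
    try:
        parsed = uuid.UUID(raw)
    except ValueError:
        return None
    # Round-trip check rejects loose forms that uuid.UUID() would accept.
    return str(parsed) if str(parsed) == raw.lower() else None


def tally(reports):
    """Count distinct machines per known variant; count the rest as rejected."""
    seen = set()
    machines = Counter()
    rejected = 0
    for report in reports:
        ident = canonical_uuid(report.get("uuid"))
        variant = report.get("variant")
        known = isinstance(variant, str) and variant in KNOWN_VARIANTS
        if ident is None or not known:
            rejected += 1  # only the counter moves; raw strings are never kept
            continue
        if ident not in seen:  # repeat check-ins from one machine count once
            seen.add(ident)
            machines[variant] += 1
    return dict(machines), rejected


# Constructed sample input, not real submissions.
SAMPLE_REPORTS = [
    {"uuid": "3f2b8c1e-9d4a-4c7b-8e21-5a6f0b9c1d2e", "variant": "workstation"},
    {"uuid": "3f2b8c1e-9d4a-4c7b-8e21-5a6f0b9c1d2e", "variant": "workstation"},
    {"uuid": "a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d", "variant": "server"},
    {"uuid": "A" * 5000, "variant": "server"},  # oversized identifier
    {"uuid": "7c9e6679-7425-40de-944b-e07fc1f90ae7", "variant": "<b>rude</b>"},
]

if __name__ == "__main__":
    print(tally(SAMPLE_REPORTS))
```

Because rejected submissions only increment a counter, an unexpected string can never reach a public report, and per-variant totals are built solely from allowlisted values.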