On Mo, 07.01.19 22:54, Tom Gundersen (teg(a)jklm.no) wrote:
> On Mon, Jan 7, 2019, 7:31 PM Matthew Miller
> > On Mon, Jan 07, 2019 at 06:24:14PM +0100, Lennart Poettering wrote:
> > > > * The Fedora community cares about privacy and is averse to tracking
> > > > measures. We don't want to track; just count.
> > > Uh, so what's the story there? I mean, if you pass over the uuid you
> > > make clients trackable, regardless if you want to make use of that or
> > > not...
> > Not if we don't keep them for long. One idea is to rotate them fairly
> > frequently. But this is mostly a statement of intent and might be more
> > how we build the backend than about what we force in the client.
> You could move the rotation to the client by hashing the UUID with a
> timestamp of sufficiently coarse granularity (a week?) before submitting it.
> Then you make sure that all UUIDs submitted by a given machine during a
> given time window are the same, but UUIDs submitted in different windows
> are not related, and you don't have to trust the server to respect your
Yes, Tom's proposal makes sense. Calculate the UUID you submit as

    HMAC(machine_id, CONCAT(fixedappuuid, unixtime/432000))

    machine_id = the id from /etc/machine-id
    fixedappuuid = some fixed compiled-in uuid you make up for dnf
    unixtime = UNIX time, seconds since 1970

(432000 is the seconds in 5 days, just as an example)
This way the uuid submitted is changed automatically both when the
machine ID is reset and every 5 days.
Of course, I still think the NTP (or http ping check) approach is
nicer overall, since it doesn't smell so awfully like "we track users".
Lennart Poettering, Red Hat
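
Added example, not part of the original message and not dnf or systemd code: the derivation HMAC(machine_id, CONCAT(fixedappuuid, unixtime/432000)) written out in Python, with a server-side count that sees one value per host per window. Assumptions: HMAC-SHA256 truncated to 128 bits, the window index encoded as 8 big-endian bytes, and a made-up application UUID; the names parse_machine_id, submitted_uuid and count_hosts are hypothetical.

```python
import hashlib
import hmac
import uuid

WINDOW_SECONDS = 432000  # 5 days, the example value from the message
# Hypothetical compiled-in application UUID (constructed for this example).
FIXED_APP_UUID = uuid.UUID("6f1c2b0e-9d4a-4c57-8a3e-2b7d5e90c1a4")


def parse_machine_id(text):
    """Parse /etc/machine-id content: 32 lowercase hex characters."""
    value = text.strip()
    if len(value) != 32 or any(c not in "0123456789abcdef" for c in value):
        raise ValueError("machine-id must be 32 lowercase hex characters")
    raw = bytes.fromhex(value)
    if raw == bytes(16):
        raise ValueError("all-zero machine-id is not valid")
    return raw


def submitted_uuid(machine_id, unixtime, app_uuid=FIXED_APP_UUID,
                   window=WINDOW_SECONDS):
    """HMAC(machine_id, CONCAT(fixedappuuid, unixtime/window))."""
    # Assumption: integer division; window index as 8 bytes, big-endian.
    message = app_uuid.bytes + (unixtime // window).to_bytes(8, "big")
    # The machine ID is only the HMAC key: it is never sent, and the
    # per-window outputs cannot be linked to each other without it.
    digest = hmac.new(machine_id, message, hashlib.sha256).digest()
    # Assumption: truncate the 256-bit digest to 128 bits to get a UUID.
    return uuid.UUID(bytes=digest[:16])


def count_hosts(reports):
    """Server view: distinct submitted UUIDs per window.

    reports is an iterable of (unixtime_received, submitted_uuid) pairs.
    Repeated check-ins inside one window collapse to a single count.
    """
    per_window = {}
    for unixtime, ident in reports:
        per_window.setdefault(unixtime // WINDOW_SECONDS, set()).add(ident)
    return {w: len(ids) for w, ids in per_window.items()}
```
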