On Mon, 6 May 2013 08:32:40 +0200
Lukas Zapletal <lzap(a)redhat.com> wrote:
On Fri, May 03, 2013 at 03:30:39PM -0600, Kevin Fenzi wrote:
> Right, but then this information is security sensitive...
> User installed httpd-x.y-Z on YYYY-MM-DD, but on looking you don't
> see them installing the security update that was released after
> that -> target.
> Or even, user installs foo, foo is insecure and is dropped from
> fedora, you might know that they have it still installed and can
> leverage that.
> Or you see that user does security updates every friday, so you know
> they might be vulnerable thursdays.
> Also, you may see users install something, but we have no way of
> knowing if they try it and hate it and remove it right after.
All true, that's the reason why IP address will never be available
from the data.
Sure, if you can see the anonized logs you can still figure out your IP
address hash easily, so that could allow you to see for example what
other people behind your same NAT/company are installing.
There's lots of weird corner cases here, which is why we decided it
wouldn't work last time we visited it. ;(
> Also, the way our mirroring works, they can get the package from
> mirror at all, so we may not see patterns that are there if we could
> see logs of all mirrors instead of just one.
Yeah, I did not realized that - this is quite limiting. Taking NAT
issue into account, I don't think anymore it is good source of