On Sun, May 02, 2021 at 03:35:48AM +0200, None via users wrote:
I recently got to know that Fedora's DNF creates a UUID to help keep track of the number of unique Fedora users.
It does not. I initially proposed this, similar to what openSUSE does, but the actual implementation does not use a UUID at all. You can read about the actual implementation here:
https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-and...
As per my understanding, before implementing this UUID mechanism, they obtained their user-base estimate through the use of IP addresses.
That's correct.
I would appreciate it if someone could clarify these concerns of mine:
- Is the generated UUID based on the hardware configuration of the Fedora user, or is it a random UUID? (If the user re-installs Fedora, will the re-generated UUID be alike to the first one, in any way?)
There is no UUID; all systems of the same general age (1 week, 2-4 weeks, 5-24 weeks, > 24 weeks) with the same release, os_variant, and architecture are all aggregated together.
- Will the user's UUID be sent to package mirrors each time they perform an update/installation of packages? (If so, would this mean that a malicious mirror could potentially map a user's UUID with all the associated package-requests?)
No; there is no UUID. Additionally, the countme value is sent once per week and not with every request.
- Is there any way to opt out of providing data for this user-base statistical analysis?
Yes; disable "countme" in the DNF repo configs as documented above. I hope you won't, though, because this information is really helpful to us in planning, and as you can see is designed to be minimally invasive. The goal is to count, not track.
Could someone also point to the file in the source-code (https://github.com/rpm-software-management/dnf) where this UUID-feature has been implemented?
https://github.com/rpm-software-management/libdnf/pull/807
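
The aggregation described in the reply above, as an added sketch that is not part of the original message and is not DNF's or libdnf's code. It shows that systems sharing release, os_variant, architecture and age bucket collapse into a single count. The function names, the bucket numbers 1-4, the week arithmetic and the sample fleet are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import date


def age_bucket(installed: date, today: date) -> int:
    """Map system age to the four ranges named in the reply.

    Assumption: week 1 is the first 7 days after install, and the
    ranges are labelled 1..4 here purely for illustration.
    """
    weeks = (today - installed).days // 7 + 1
    if weeks <= 1:
        return 1          # 1 week
    if weeks <= 4:
        return 2          # 2-4 weeks
    if weeks <= 24:
        return 3          # 5-24 weeks
    return 4              # > 24 weeks


def report(system: dict, today: date) -> tuple:
    """What one system contributes: no hostname, no per-machine identifier."""
    return (system["release"], system["os_variant"], system["arch"],
            age_bucket(system["installed"], today))


def aggregate(systems: list, today: date) -> Counter:
    """Counting side: identical reports are indistinguishable and just add up."""
    return Counter(report(s, today) for s in systems)


# Constructed sample fleet (hostnames exist only locally and are never reported).
TODAY = date(2021, 5, 2)
FLEET = [
    {"host": "alpha", "release": "34", "os_variant": "workstation",
     "arch": "x86_64", "installed": date(2021, 4, 28)},
    {"host": "bravo", "release": "34", "os_variant": "workstation",
     "arch": "x86_64", "installed": date(2021, 4, 27)},
    {"host": "charlie", "release": "34", "os_variant": "workstation",
     "arch": "x86_64", "installed": date(2021, 4, 10)},
    {"host": "delta", "release": "33", "os_variant": "server",
     "arch": "aarch64", "installed": date(2020, 11, 1)},
    {"host": "echo", "release": "33", "os_variant": "server",
     "arch": "aarch64", "installed": date(2020, 10, 27)},
]

if __name__ == "__main__":
    for key, count in sorted(aggregate(FLEET, TODAY).items()):
        print(key, count)
```

A reinstalled machine simply reports bucket 1 again; nothing in the tuple links it to its earlier reports.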