On Sun, May 02, 2021 at 03:35:48AM +0200, None via users wrote:
I recently got to know that Fedora's DNF creates an UUID to help
keep
track of the number of unique Fedora users.
It does not. I initially proposed this, similar to what openSUSE does, but
the actual implementation does not use a UUID at all. You can read about the
actual implementation here:
https://dnf.readthedocs.io/en/latest/conf_ref.html#options-for-both-main-...
As per my understanding, before implementing this UUID mechanism,
they
obtained their user-base estimate through the use of IP addresses.
That's correct.
I would appreciate it if someone could clarify these concerns of
mine:
- Is the generated UUID based on the hardware configuration of the
Fedora user, or is it a random UUID? (If the user re-installs Fedora,
will the re-generated UUID be alike to the first one, in any way?)
There is no UUID; all sytems of the same general age (1 week, 2-4 weeks,
5-24 weeks, > 24 weeks) with the same release, os_variant, and architecture
are all aggregated together.
- Will the user's UUID be sent to package mirrors each time they
perform
an update/installation of packages? (If so, would this mean that a
malicious mirror could potentially map a user's UUID with all the
associated package-requests?)
No; there is no UUID. Additionally, the countme value is sent once per week
and not with every request.
- Is there any way to opt out of providing data for this user-base
statistical analysis?
Yes; disable "countme" in the DNF repo configs as documented above. I hope
you won't, though, because this information is really helpful to us in
planning, and as you can see is designed to be minimally invasive. The goal
is to count, not track.
Could someone also point to the file in the source-code
(
https://github.com/rpm-software-management/dnf) where this UUID-feature
has been implemented?
https://github.com/rpm-software-management/libdnf/pull/807
--
Matthew Miller
<mattdm(a)fedoraproject.org>
Fedora Project Leader