• Re: popcon use?

    From Dan Ritter@21:1/5 to Lee on Wed Oct 9 23:10:02 2024
    Lee wrote:
    There was this bit in the debian-devel mailing list

    To make this happen for trixie, I don't see how to do it. Anyone having
    the old 'signify' package on their system would get OpenBSD's signify
    instead of the new 'signify-mail' package after an upgrade. Is that
    problem really worth caring about?
    No: popcon == 58.

    If you don't have popcon enabled, why not?

    I have it enabled and I'm not seeing a real downside to having it
    enabled. What am I missing?


    A security policy that requires a good reason to enable contact
    in either direction across a firewall.

    That's a set of boxes between 100 and 1000 that I'm responsible
    for, all running Debian.

    In general, the people who enable popcon are more likely to have
    laptops than desktops, and much more likely to run on a desktop
    than on a server. They are more likely to be in charge of 1-10
    machines, all with haphazard policies, than in charge of a fleet
    of machines with a unified policy.

    -dsr-

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andy Smith@21:1/5 to Lee on Wed Oct 9 23:20:01 2024
    On Wed, Oct 09, 2024 at 04:09:11PM -0400, Lee wrote:
    If you don't have popcon enabled, why not?

    I have it enabled and I'm not seeing a real downside to having it
    enabled. What am I missing?

    People who don't see it as a good idea to — or don't have the authority
    to — send a list of all their packages and all the binaries within those packages and when they were last used, to a remote site over clear text.

    You can encrypt it but that requires (a) a conscious decision to do so,
    and (b) installing gnupg.

    Thanks,
    Andy

    --
    https://bitfolk.com/ -- No-nonsense VPS hosting

  • From Andy Smith@21:1/5 to Lee on Thu Oct 10 03:20:01 2024
    Hi,

    On Wed, Oct 09, 2024 at 08:37:48PM -0400, Lee wrote:
    Do you have a link to instructions for encrypting popcon traffic?
    I've already got gnupg installed.

    zless /usr/share/doc/popularity-contest/FAQ.gz

    I've not personally tried it however.

    Thanks,
    Andy

    --
    https://bitfolk.com/ -- No-nonsense VPS hosting

  • From Andy Smith@21:1/5 to Lee on Sat Oct 12 01:00:01 2024
    Hi,

    On Thu, Oct 10, 2024 at 02:08:52PM -0400, Lee wrote:
    On Thu, Oct 10, 2024 at 1:00 AM Jeffrey Walton wrote:
    On Wed, Oct 9, 2024 at 7:40 PM Andy Smith wrote:
    [...]
    You can encrypt it but that requires (a) a conscious decision to do so, and (b) installing gnupg.

    Do you have a link to instructions for encrypting popcon traffic?
    I've already got gnupg installed.

    popcon is encrypted by default as of version 1.60, assuming you have
    not changed the default setting. See <https://popcon.debian.org/FAQ>.

    Ah! I haven't re-read that document in so long. I wish I could edit or
    delete my prior post now.

    I suppose I'm depending on the Debian developers to patch all of the
    known software security issues.
    Any help on how to check that assumption?

    With these sorts of things there's not only the need to trust the organisation's competency and motives but also that they are only
    storing what they say they are storing, as a compromise gives the data
    to people with unknown motives.

    I don't know how you would check that they are not storing your IP
    address but only the anonymised id number. Still, I would be prepared to
    trust that Debian discards the IP address data very early on.

    Even so, this collection of packages and time of use of binaries is more
    data than a lot of places would be willing to authorise unless
    absolutely necessary.

    Thanks,
    Andy

    --
    https://bitfolk.com/ -- No-nonsense VPS hosting

  • From Michel Verdier@21:1/5 to Andy Smith on Sat Oct 12 12:20:02 2024
    On 2024-10-11, Andy Smith wrote:

    I don't know how you would check that they are not storing your IP
    address but only the anonymised id number. Still, I would be prepared to trust that Debian discards the IP address data very early on.

    If you use mail for sending the report you can send it via an external
    server (gmail, etc) to avoid showing your IP. And if you stay on http you
    can use torify.

  • From Will Mengarini@21:1/5 to All on Tue Oct 15 06:00:01 2024
    * Lee <ler762@gmail.com> [24-10/12=Sat 17:07 -0400]:
    The bit with zless was worth the post. I'd been doing zcat foo.gz | more

    See `man lesspipe` for an even easier approach,
    allowing 'less foo.gz' to Just Work.
