alsa-info security/privacy concerns

alsa-info security/privacy concerns

[Wu Fengguang]

Greetings,

The auto-uploading behavior of http://www.alsa-project.org/alsa-info.sh
makes it act like a spyware. This makes some users - including me in
the first try - astonishing and uncomfortable.

I'd like to fix it by
        1) adding user prompt
        2) defaulting to --no-upload and introduce --upload

Before going for the code, I'd like to ask for your opinions,
especially on (2).

Thank you.

Fengguang

Re: alsa-info security/privacy concerns

[Jaroslav Kysela]

On Wed, 7 Jan 2009, Wu Fengguang wrote:

> Greetings,
> 
> The auto-uploading behavior of http://www.alsa-project.org/alsa-info.sh
> makes it act like a spyware.

The script always prompts before the upload action, so user can break it. 
Just read the first dialog.

					Jaroslav

-----
Jaroslav Kysela <perex@perex.cz>
Linux Kernel Sound Maintainer
ALSA Project, Red Hat, Inc.

Re: alsa-info security/privacy concerns

[Wu Fengguang]

Hi Jaroslav,

On Wed, Jan 07, 2009 at 10:22:13AM +0200, Jaroslav Kysela wrote:
> On Wed, 7 Jan 2009, Wu Fengguang wrote:
> 
> > Greetings,
> > 
> > The auto-uploading behavior of http://www.alsa-project.org/alsa-info.sh
> > makes it act like a spyware.
> 
> The script always prompts before the upload action, so user can break it. 
> Just read the first dialog.

What I'd like to add is a dedicated dialog for the warning message and
let users interactively choose between yes/no for uploading.

Doesn't it sound reasonable?

Thanks,
Fengguang

Re: alsa-info security/privacy concerns

[Takashi Iwai]

At Wed, 7 Jan 2009 16:33:06 +0800,
Wu Fengguang wrote:
> 
> Hi Jaroslav,
> 
> On Wed, Jan 07, 2009 at 10:22:13AM +0200, Jaroslav Kysela wrote:
> > On Wed, 7 Jan 2009, Wu Fengguang wrote:
> > 
> > > Greetings,
> > > 
> > > The auto-uploading behavior of http://www.alsa-project.org/alsa-info.sh
> > > makes it act like a spyware.
> > 
> > The script always prompts before the upload action, so user can break it. 
> > Just read the first dialog.
> 
> What I'd like to add is a dedicated dialog for the warning message and
> let users interactively choose between yes/no for uploading.
> 
> Doesn't it sound reasonable?

[Added Travis to Cc]

I like the idea.   We can give the following options:

- the greeting dialog informs that the script collects info, waits
  for Y/N or OK button.
- when --upload option is given, the data will be automatically
  uploaded.
- when --no-upload option is given, the data is just stored locally
  and quit.
- when neither options are given, show a dialog to ask to upload or
  not.


Takashi

Re: alsa-info security/privacy concerns

[Wu Fengguang]

On Wed, Jan 07, 2009 at 11:04:31AM +0200, Takashi Iwai wrote:
> At Wed, 7 Jan 2009 16:33:06 +0800,
> Wu Fengguang wrote:
> > 
> > Hi Jaroslav,
> > 
> > On Wed, Jan 07, 2009 at 10:22:13AM +0200, Jaroslav Kysela wrote:
> > > On Wed, 7 Jan 2009, Wu Fengguang wrote:
> > > 
> > > > Greetings,
> > > > 
> > > > The auto-uploading behavior of http://www.alsa-project.org/alsa-info.sh
> > > > makes it act like a spyware.
> > > 
> > > The script always prompts before the upload action, so user can break it. 
> > > Just read the first dialog.
> > 
> > What I'd like to add is a dedicated dialog for the warning message and
> > let users interactively choose between yes/no for uploading.
> > 
> > Doesn't it sound reasonable?
> 
> [Added Travis to Cc]
> 
> I like the idea.   We can give the following options:
> 
> - the greeting dialog informs that the script collects info, waits
>   for Y/N or OK button.
> - when --upload option is given, the data will be automatically
>   uploaded.
> - when --no-upload option is given, the data is just stored locally
>   and quit.
> - when neither options are given, show a dialog to ask to upload or
>   not.

Good ideas, I'd embrace them!

Thanks,
Fengguang