The developers of the Manjaro Linux distribution, built on the basis of Arch Linux and aimed at beginners, announced the beginning of testing a new service MDD (Manjaro Data Donor), designed to collect statistics about the system and send it to the external server of the project. The author of the MDD intended to enable telemetry by default (opt-out), but the decision has not yet been approved and, judging by the objections of some developers and users, it is likely that telemetry will be offered as an option requiring prior consent of the user (a request to enable telemetry is proposed to be added to the greeting interface after the first download).
The report includes data such as host name, kernel version, desktop component versions, detailed information about hardware and drivers involved, screen size and resolution information, network device MAC addresses, disk serial numbers, disk partition data, information about the number of running processes and installed packages, versions of basic packages such as systemd, gcc, bash and PipeWire.
The sent data is stored on the project server in the ClickHouse database and visualized using the Grafana platform. The IP addresses of users are not stored, and the hash from the /etc/machine-id
file is used as the system identifier.
Аccording to the code https://github.com/manjaro/mdd/blob/master/mdd.py#L40 sends everything.
Don’t like it, don’t opt in
Even Debian has popcon
There are lots of benefits for developers to gather telemetry.
Don’t like that? Fork and do your own distro (presumably though you don’t contribute anything to open source, so id expect such people to simply whine and get angry at contributors)
Yeah, my only concern here was if it was opt-out. That’d be bad.
Now I completely understand the developer on this. This is useful info to have to help decide future changes/features and general direction, but balancing the right to privacy means this kind of data provision should ALWAYS be opt-in. Microsoft, you hearing me here?
Debian popcon is opt-in, first of all.
Q) What information is reported by popularity-contest ?
A) popularity-contest reports the system vendor [1], the system architecture you use, the version of popularity-contest you use and the list of packages installed on your system. For each package, popularity-contest looks at the most recently used (based on atime) files, and reports the filename, its last access time (atime) and last change time (ctime). However, some files are not considered, because they have unreliable atime. For privacy reasons, the times are truncated to multiple of twelve hours.
[1] i.e. the dpkg Vendor field, see dpkg-vendor(1).
So no fucking MAC addresses and machine-ids and harddrive serial numbers and stuff.
They only want package statistics, the point being to have statistics about the popularity of packages, mainly so they can be prioritized for the CD/DVD isos. You know, information that actually has a use, not hardware identifiers that can only be used for tracking purposes.
Each popularity-contest host is identified by a random 128bit uuid (MY_HOSTID in /etc/popularity-contest.conf). This uuid is used to track submissions issued by the same host. It should be kept secret.
Oh, and by default, IP, unless usetor is enabled
A machine I’d is just a hash too
Can you explain to me how you track Mac address, serial numbers over the internet.
Just fyi, the backend project I made 20 years ago was hardware related. There’s potential reasons to grab this info…
But, if it is a concern, I’m sure they’d welcome submissions to improve the parsing and allow things to be filtered.
In fact, popcon could be used for digital fingerprinting technically
In all likelihood, op never spoke to the manjaro developers either