ASF hosted binaries collecting user data without an explicit opt-in


Re: ASF hosted binaries collecting user data without an explicit opt-in

Shane Curcuru-2
Roman Shaposhnik wrote on 6/7/17 4:20 PM:

> On Wed, Jun 7, 2017 at 10:56 AM, Mark Thomas <[hidden email]> wrote:
>> On 07/06/17 17:53, Roman Shaposhnik wrote:
>>> On Wed, Jun 7, 2017 at 8:32 AM, Sean Busbey <[hidden email]> wrote:
>>>> On 2017-06-06 11:59 (-0500), Roman Shaposhnik <[hidden email]> wrote:
>>>>> On Mon, Jun 5, 2017 at 8:25 PM, John D. Ament <[hidden email]> wrote:
>>>>>> While these are all great discussion points, I don't believe they're
>>>>>> relevant to incubator only and probably should have remained on the
>>>>>> legal-discuss list.  Ignite graduated ~2 years ago.  The incubator probably
>>>>>> doesn't have an opinion about this, but it's good to know that the policy
>>>>>> may change (and I do personally have an opinion on said types of software).
>>>>>
>>>>> The reason I'm bringing it on the IPMC mailing list has nothing to do
>>>>> with how long
>>>>> ago Ignite graduated and everything to do with the following two points:
>>>>>    1. It can be very useful to the future podlings
>>>>>    2. I honestly don't know any other forum where I can meaningfully
>>>>> discuss changes to release policy
>>>>>
>>>>> I'll take advice on #2, of course.
>>>>
>>>>
>>>> Who owns release policy? I presume it's VP Legal, which would suggest legal-discuss.
>>>
>>> I would really be surprised if VP Legal actually *owned* it. This
>>> feels someplace between
>>> INFRA, ComDev and Legal, but it still doesn't answer the question
>>> who's a single throat
>>> to choke.
>>
>> Consider yourself surprised then. V.P. Legal owns the release policy.
>
> Is legal-discuss then the appropriate forum to actually build the consensus?
> I surely hope V.P. Legal won't play a BDFL with our release policy, will he?

Huh?  Only the board and specifically authorized officers can set policy
like the release policy that all PMCs MUST follow.  So yes, VP Legal is
the final determiner of release policy updates, not anyone else.

legal-discuss@ is the best place to bring any specific requests from
project(s) to change the actual policy itself.  But first it would be
useful to get some rough consensus on some of those specific requests
here from the IPMC or from ComDev.  Having specific changes backed up by
actual *needs* from one or more PMCs is the best way to start.

Note that ComDev is a PMC itself, and has no authority to set *policy*
for other PMCs.  But they do provide a lot of good docs and best
practices, and dev@community is becoming quite a good cross-project
discussion area, so it's a good place to get other feedback on a proposal.

> Thanks,
> Roman.

--

- Shane
  https://www.apache.org/foundation/marks/resources

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: ASF hosted binaries collecting user data without an explicit opt-in

Roman Shaposhnik
On Wed, Jun 7, 2017 at 1:26 PM, Shane Curcuru <[hidden email]> wrote:

> Roman Shaposhnik wrote on 6/7/17 4:20 PM:
>> On Wed, Jun 7, 2017 at 10:56 AM, Mark Thomas <[hidden email]> wrote:
>>> On 07/06/17 17:53, Roman Shaposhnik wrote:
>>>> On Wed, Jun 7, 2017 at 8:32 AM, Sean Busbey <[hidden email]> wrote:
>>>>> On 2017-06-06 11:59 (-0500), Roman Shaposhnik <[hidden email]> wrote:
>>>>>> On Mon, Jun 5, 2017 at 8:25 PM, John D. Ament <[hidden email]> wrote:
>>>>>>> While these are all great discussion points, I don't believe they're
>>>>>>> relevant to incubator only and probably should have remained on the
>>>>>>> legal-discuss list.  Ignite graduated ~2 years ago.  The incubator probably
>>>>>>> doesn't have an opinion about this, but it's good to know that the policy
>>>>>>> may change (and I do personally have an opinion on said types of software).
>>>>>>
>>>>>> The reason I'm bringing it on the IPMC mailing list has nothing to do
>>>>>> with how long
>>>>>> ago Ignite graduated and everything to do with the following two points:
>>>>>>    1. It can be very useful to the future podlings
>>>>>>    2. I honestly don't know any other forum where I can meaningfully
>>>>>> discuss changes to release policy
>>>>>>
>>>>>> I'll take advice on #2, of course.
>>>>>
>>>>>
>>>>> Who owns release policy? I presume it's VP Legal, which would suggest legal-discuss.
>>>>
>>>> I would really be surprised if VP Legal actually *owned* it. This
>>>> feels someplace between
>>>> INFRA, ComDev and Legal, but it still doesn't answer the question
>>>> who's a single throat
>>>> to choke.
>>>
>>> Consider yourself surprised then. V.P. Legal owns the release policy.
>>
>> Is legal-discuss then the appropriate forum to actually build the consensus?
>> I surely hope V.P. Legal won't play a BDFL with our release policy, will he?
>
> Huh?

Because last time BDFL tendencies flared up around ASF Legal it was
painful all around.

>  Only the board and specifically authorized officers can set policy
> like the release policy that all PMCs MUST follow.  So yes, VP Legal is
> the final determiner of release policy updates, not anyone else.
>
> legal-discuss@ is the best place to bring any specific requests from
> project(s) to change the actual policy itself.  But first it would be
> useful to get some rough consensus on some of those specific requests
> here from the IPMC or from ComDev.

That was my very question: what is the right forum. You could've just answered
that. So it is IPMC, ComDev, both?

Seriously WHERE do I have to move this thread to?

> Note that ComDev is a PMC itself, and has no authority to set *policy*
> for other PMCs.  But they do provide a lot of good docs and best
> practices, and dev@community is becoming quite a good cross-project
> discussion area, so it's a good place to get other feedback on a proposal.

Sure. We all know that.

Thanks,
Roman.


Re: ASF hosted binaries collecting user data without an explicit opt-in

Ted Dunning
On Wed, Jun 7, 2017 at 10:31 PM, Roman Shaposhnik <[hidden email]>
wrote:

> > legal-discuss@ is the best place to bring any specific requests from
> > project(s) to change the actual policy itself.  But first it would be
> > useful to get some rough consensus on some of those specific requests
> > here from the IPMC or from ComDev.
>
> That was my very question: what is the right forum. You could've just answered
> that. So it is IPMC, ComDev, both?
>
> Seriously WHERE do I have to move this thread to?


Let's leave it here to get an IPMC opinion.

Then take it to legal-discuss with a specific thought in mind.

Re: ASF hosted binaries collecting user data without an explicit opt-in

John D. Ament-2
On Wed, Jun 7, 2017 at 4:55 PM Ted Dunning <[hidden email]> wrote:

> On Wed, Jun 7, 2017 at 10:31 PM, Roman Shaposhnik <[hidden email]>
> wrote:
>
> > > legal-discuss@ is the best place to bring any specific requests from
> > > project(s) to change the actual policy itself.  But first it would be
> > > useful to get some rough consensus on some of those specific requests
> > > here from the IPMC or from ComDev.
> >
> > That was my very question: what is the right forum. You could've just answered
> > that. So it is IPMC, ComDev, both?
> >
> > Seriously WHERE do I have to move this thread to?
>
>
> Let's leave it here to get an IPMC opinion.
>

I disagree.  The Ignite PMC released the software with this included.  It
seems like they're the ones having issues with it, the discussion should
happen on their lists to find out what should have been done.



>
> Then take it to legal-discuss with a specific thought in mind.
>

Re: ASF hosted binaries collecting user data without an explicit opt-in

Bertrand Delacretaz
In reply to this post by Sean Busbey-2
On Wed, Jun 7, 2017 at 5:32 PM, Sean Busbey <[hidden email]> wrote:
> ...Who owns release policy? I presume it's VP Legal, which would suggest legal-discuss...

I don't think our release policy is relevant here.

The issue is a project releasing software that a) collects user data
without an explicit opt-in, and b) apparently does that in an insecure
way.

a) is a privacy violation - we have
https://www.apache.org/foundation/policies/privacy.html for that, I
suggest that we simply expand it with a "collecting user data"
section. As Shane mentions
https://wiki.openoffice.org/wiki/Update_Service is related.

b) is a general security problem,
http://www.apache.org/security/committers.html applies to that as
usual.

Am I missing something?

-Bertrand


Re: ASF hosted binaries collecting user data without an explicit opt-in

Raphael Bircher-2
Hi all,

On .06.2017, 09:43, Bertrand Delacretaz <[hidden email]> wrote:

> On Wed, Jun 7, 2017 at 5:32 PM, Sean Busbey <[hidden email]> wrote:
>> ...Who owns release policy? I presume it's VP Legal, which would  
>> suggest legal-discuss...
>
> I don't think our release policy is relevant here.
>
> The issue is a project releasing software that a) collects user data
> without an explicit opt-in, and b) apparently does that in an insecure
> way.
>
> a) is a privacy violation - we have
> https://www.apache.org/foundation/policies/privacy.html for that, I
> suggest that we simply expand it with a "collecting user data"
> section. As Shane mentions
> https://wiki.openoffice.org/wiki/Update_Service is related.
>
> b) is a general security problem,
> http://www.apache.org/security/committers.html applies to that as
> usual.
>
> Am I missing something?
Yea, as far as I know it is in an old version which is in the archive, right.
I think this makes some difference.

Regards Raphael



--
My introduction https://youtu.be/Ln4vly5sxYU


Re: ASF hosted binaries collecting user data without an explicit opt-in

Bertrand Delacretaz
On Thu, Jun 8, 2017 at 10:01 AM, Raphael Bircher
<[hidden email]> wrote:
> On .06.2017, 09:43, Bertrand Delacretaz
> <[hidden email]> wrote:
>> ...Am I missing something?
>
> Yea, as far as I know it is in an old version which is in the archive, right. I
> think this makes some difference...

Ah yes you're right, we might want to pull the old binaries from the
archive as well, in addition to the changes that I suggested.

-Bertrand


Re: ASF hosted binaries collecting user data without an explicit opt-in

Greg Stein-4
On Thu, Jun 8, 2017 at 3:10 AM, Bertrand Delacretaz <
[hidden email]> wrote:

> On Thu, Jun 8, 2017 at 10:01 AM, Raphael Bircher
> <[hidden email]> wrote:
> > On .06.2017, 09:43, Bertrand Delacretaz
> > <[hidden email]> wrote:
> >> ...Am I missing something?
> >
> > Yea, as far as I know it is in an old version which is in the archive, right. I
> > think this makes some difference...
>
> Ah yes you're right, we might want to pull the old binaries from the
> archive as well, in addition to the changes that I suggested.
>

In the specific case of Apache Ignite's invocation of that URL and passing
along certain data ... that is no longer relevant, even for OLD versions,
as the Foundation currently controls the ignite.run domain (and host). That
host will no longer resolve, so no HTTP request will be performed, and
(certainly) no data will be collected from old/new versions of Apache
Ignite.

Cheers,
Greg Stein
Infrastructure Administrator, ASF

Re: ASF hosted binaries collecting user data without an explicit opt-in

Chris Mattmann-4
Makes sense to me.

Cheers,
Chris




On 6/8/17, 1:42 AM, "Greg Stein" <[hidden email]> wrote:

    On Thu, Jun 8, 2017 at 3:10 AM, Bertrand Delacretaz <
    [hidden email]> wrote:
   
    > On Thu, Jun 8, 2017 at 10:01 AM, Raphael Bircher
    > <[hidden email]> wrote:
    > > On .06.2017, 09:43, Bertrand Delacretaz
    > > <[hidden email]> wrote:
    > >> ...Am I missing something?
    > >
    > > Yea, as far as I know it is in an old version which is in the archive, right. I
    > > think this makes some difference...
    >
    > Ah yes you're right, we might want to pull the old binaries from the
    > archive as well, in addition to the changes that I suggested.
    >
   
    In the specific case of Apache Ignite's invocation of that URL and passing
    along certain data ... that is no longer relevant, even for OLD versions,
    as the Foundation currently controls the ignite.run domain (and host). That
    host will no longer resolve, so no HTTP request will be performed, and
    (certainly) no data will be collected from old/new versions of Apache
    Ignite.
   
    Cheers,
    Greg Stein
    Infrastructure Administrator, ASF
   




Re: ASF hosted binaries collecting user data without an explicit opt-in

Myrle Krantz-2
Out of curiosity: Do we ever let domains like this expire?

Greets,
Myrle


On Thu, Jun 8, 2017 at 4:55 PM, Chris Mattmann <[hidden email]> wrote:

> Makes sense to me.
>
> Cheers,
> Chris
>
>
>
>
> On 6/8/17, 1:42 AM, "Greg Stein" <[hidden email]> wrote:
>
>     On Thu, Jun 8, 2017 at 3:10 AM, Bertrand Delacretaz <
>     [hidden email]> wrote:
>
>     > On Thu, Jun 8, 2017 at 10:01 AM, Raphael Bircher
>     > <[hidden email]> wrote:
>     > > On .06.2017, 09:43, Bertrand Delacretaz
>     > > <[hidden email]> wrote:
>     > >> ...Am I missing something?
>     > >
>     > > Yea, as far as I know it is in an old version which is in the archive, right. I
>     > > think this makes some difference...
>     >
>     > Ah yes you're right, we might want to pull the old binaries from the
>     > archive as well, in addition to the changes that I suggested.
>     >
>
>     In the specific case of Apache Ignite's invocation of that URL and passing
>     along certain data ... that is no longer relevant, even for OLD versions,
>     as the Foundation currently controls the ignite.run domain (and host). That
>     host will no longer resolve, so no HTTP request will be performed, and
>     (certainly) no data will be collected from old/new versions of Apache
>     Ignite.
>
>     Cheers,
>     Greg Stein
>     Infrastructure Administrator, ASF
>
>
>
>

Re: ASF hosted binaries collecting user data without an explicit opt-in

Roman Shaposhnik
In reply to this post by Bertrand Delacretaz
On Thu, Jun 8, 2017 at 12:43 AM, Bertrand Delacretaz
<[hidden email]> wrote:
> On Wed, Jun 7, 2017 at 5:32 PM, Sean Busbey <[hidden email]> wrote:
>> ...Who owns release policy? I presume it's VP Legal, which would suggest legal-discuss...
>
> I don't think our release policy is relevant here.

Actually, that's what I'm trying to figure out. My initial thought around why
release policy was relevant here was that THE ONLY reason we reacted
the way we did is because there was a piece of software associated with
ASF in two ways:
   1. branding
   2. distribution off of ASF infrastructure

It sounds like you're saying that #1 is actually more important than #2. I may
buy that, but let me ask you a hypothetical first. Suppose releases of Ignite
were only done as source tarballs. Suppose also that the company called
GridGain built it and made the binary available off of their website with
the binary (and associated branding) saying Apache Ignite.

Would we still have a problem if that binary did what Ignite's binary did?

> The issue is a project releasing software that a) collects user data
> without an explicit opt-in, and b) apparently does that in an insecure
> way.

I'm not concerned about b -- so let's cut it out of the discussion.

> a) is a privacy violation - we have
> https://www.apache.org/foundation/policies/privacy.html for that, I
> suggest that we simply expand it with a "collecting user data"
> section. As Shane mentions
> https://wiki.openoffice.org/wiki/Update_Service is related.

Well, but what does that policy apply to? A source release? A binary
release? A binary release off of ASF infrastructure?

Please be specific.

Thanks,
Roman.


Re: ASF hosted binaries collecting user data without an explicit opt-in

Greg Stein-4
I recall a company that started to list out each of the things NOT to do. Item
after item after item, to develop a policy. After a few dozen such, one guy
piped up, "this is ridiculous" ... It just isn't tractable. So he suggested
a simple replacement:

Do no evil.


On Jun 8, 2017 21:13, "Roman Shaposhnik" <[hidden email]> wrote:

> On Thu, Jun 8, 2017 at 12:43 AM, Bertrand Delacretaz
> <[hidden email]> wrote:
> > On Wed, Jun 7, 2017 at 5:32 PM, Sean Busbey <[hidden email]> wrote:
> >> ...Who owns release policy? I presume it's VP Legal, which would suggest legal-discuss...
> >
> > I don't think our release policy is relevant here.
>
> Actually, that's what I'm trying to figure out. My initial thought around why
> release policy was relevant here was that THE ONLY reason we reacted
> the way we did is because there was a piece of software associated with
> ASF in two ways:
>    1. branding
>    2. distribution off of ASF infrastructure
>
> It sounds like you're saying that #1 is actually more important than #2. I may
> buy that, but let me ask you a hypothetical first. Suppose releases of Ignite
> were only done as source tarballs. Suppose also that the company called
> GridGain built it and made the binary available off of their website with
> the binary (and associated branding) saying Apache Ignite.
>
> Would we still have a problem if that binary did what Ignite's binary did?
>
> > The issue is a project releasing software that a) collects user data
> > without an explicit opt-in, and b) apparently does that in an insecure
> > way.
>
> I'm not concerned about b -- so let's cut it out of the discussion.
>
> > a) is a privacy violation - we have
> > https://www.apache.org/foundation/policies/privacy.html for that, I
> > suggest that we simply expand it with a "collecting user data"
> > section. As Shane mentions
> > https://wiki.openoffice.org/wiki/Update_Service is related.
>
> Well, but what does that policy apply to? A source release? A binary
> release? A binary release off of ASF infrastructure?
>
> Please be specific.
>
> Thanks,
> Roman.
>

Re: ASF hosted binaries collecting user data without an explicit opt-in

Roman Shaposhnik
On Thu, Jun 8, 2017 at 10:15 PM, Greg Stein <[hidden email]> wrote:
> I recall a company that started to list out each of the things NOT to do. Item
> after item after item, to develop a policy. After a few dozen such, one guy
> piped up, "this is ridiculous" ... It just isn't tractable. So he suggested
> a simple replacement:
>
> Do no evil.

Should we add that to our release policy? Will VP Legal go along with that?

Seriously, on one hand I see folks saying here that clarifying what is and isn't
acceptable is useful. On the other hand, I see your reaction that can only
be described as "duh! what policy -- it's just common sense".

I actually do not think it is common sense anymore -- I do think it needs to be
documented.

However, this won't be the first time when what I feel passionate about is
ignored by the "official ASF" -- not a biggie -- you guys are the bosses. I just
need to learn to care less.

Thanks,
Roman.


Re: ASF hosted binaries collecting user data without an explicit opt-in

Greg Stein-4
Haha... I'm no Director any more. Such policy is above my pay grade :-P

On Jun 8, 2017 22:20, "Roman Shaposhnik" <[hidden email]> wrote:

> On Thu, Jun 8, 2017 at 10:15 PM, Greg Stein <[hidden email]> wrote:
> > I recall a company that started to list out each of the things NOT to do. Item
> > after item after item, to develop a policy. After a few dozen such, one guy
> > piped up, "this is ridiculous" ... It just isn't tractable. So he suggested
> > a simple replacement:
> >
> > Do no evil.
>
> Should we add that to our release policy? Will VP Legal go along with that?
>
> Seriously, on one hand I see folks saying here that clarifying what is and isn't
> acceptable is useful. On the other hand, I see your reaction that can only
> be described as "duh! what policy -- it's just common sense".
>
> I actually do not think it is common sense anymore -- I do think it needs to be
> documented.
>
> However, this won't be the first time when what I feel passionate about is
> ignored by the "official ASF" -- not a biggie -- you guys are the bosses. I just
> need to learn to care less.
>
> Thanks,
> Roman.


Re: ASF hosted binaries collecting user data without an explicit opt-in

Raphael Bircher-2
In reply to this post by Roman Shaposhnik
Hi Roman, Greg, *

On .06.2017, 07:20, Roman Shaposhnik <[hidden email]> wrote:

> On Thu, Jun 8, 2017 at 10:15 PM, Greg Stein <[hidden email]> wrote:
>> I recall a company that started to list out each of the things NOT to do. Item
>> after item after item, to develop a policy. After a few dozen such, one guy
>> piped up, "this is ridiculous" ... It just isn't tractable. So he suggested
>> a simple replacement:
>>
>> Do no evil.
>
> Should we add that to our release policy? Will VP Legal go along with that?
>
> Seriously, on one hand I see folks saying here that clarifying what is and isn't
> acceptable is useful. On the other hand, I see your reaction that can only
> be described as "duh! what policy -- it's just common sense".
>
> I actually do not think it is common sense anymore -- I do think it needs to be
> documented.
>
> However, this won't be the first time when what I feel passionate about is
> ignored by the "official ASF" -- not a biggie -- you guys are the bosses. I just
> need to learn to care less.

No, we should not care less. We should care more. But adding new policy
doesn't mean that this never happens again. I think more important than
policy is to have the eyes open. And that's the task of us all.

Regards, Raphael



--
My introduction https://youtu.be/Ln4vly5sxYU


Re: ASF hosted binaries collecting user data without an explicit opt-in

Bertrand Delacretaz
In reply to this post by Greg Stein-4
On Fri, Jun 9, 2017 at 7:15 AM, Greg Stein <[hidden email]> wrote:
>... Do no evil...

Of course. As long as everybody agrees on the definition of "evil" ;-)

Hence my proposal to briefly document best practices about how to
collect user data in a non-evil way.

Maybe adding a few notes to
https://issues.apache.org/jira/browse/IGNITE-5413 about what infra has
been doing to fix the current issue is sufficient, so that we can
point to that later if similar cases arise.

-Bertrand


Re: ASF hosted binaries collecting user data without an explicit opt-in

Roman Shaposhnik
On Thu, Jun 8, 2017 at 11:51 PM, Bertrand Delacretaz
<[hidden email]> wrote:

> On Fri, Jun 9, 2017 at 7:15 AM, Greg Stein <[hidden email]> wrote:
>>... Do no evil...
>
> Of course. As long as everybody agrees on the definition of "evil" ;-)
>
> Hence my proposal to briefly document best practices about how to
> collect user data in a non-evil way.
>
> Maybe adding a few notes to
> https://issues.apache.org/jira/browse/IGNITE-5413 about what infra has
> been doing to fix the current issue is sufficient, so that we can
> point to that later if similar cases arise.

There's also this:
https://issues.apache.org/jira/browse/IGNITE-775?focusedCommentId=14513325&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14513325

which I find very intriguing.

But I've got to say -- we need INFRA (Greg?) to tell us what they are
and what they are NOT
willing to do to enable something like that.

If the default is not much -- I think we have no choice but to say
that since ASF can't
provide the infrastructure to reliably and securely collect user data
projects that publish
convenience binaries off of Apache Infra shouldn't do that.

Which basically gets me to the list I was proposing we clean up and
add to the policy:

So far it seems that there's an agreement on that having this type of
capability...
   1 ... in the source code disabled by default -- totally OK
   2 ... in the source code enabled by default -- questionable, but OK
   3 ... in the binary hosted by ASF disabled by default -- OK
   4 ... in the binary hosted by ASF enabled by default -- NOT OK

Thanks,
Roman.


Re: ASF hosted binaries collecting user data without an explicit opt-in

Greg Stein-4
On Tue, Jun 13, 2017 at 1:00 AM, Roman Shaposhnik <[hidden email]>
wrote:
>...

> There's also this:
> https://issues.apache.org/jira/browse/IGNITE-775?focusedCommentId=14513325&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14513325
>
> which I find very intriguing.
>
> But I've got to say -- we need INFRA (Greg?) to tell us what they are
> and what they are NOT
> willing to do to enable something like that.
>

If the query is pushed out to the DNS substrate of the Internet, then Infra
really doesn't have much to support :-) ... we'll happily add DNS records
for such.


> If the default is not much -- I think we have no choice but to say
> that since ASF can't
> provide the infrastructure to reliably and securely collect user data
> projects that publish
> convenience binaries off of Apache Infra shouldn't do that.
>

The basic policy of Infra is that we'll offer what we can within the budget
given to us by the Board. When an individual project requests resources,
then (again) we'll do what we can for them. You'll see this in daily
make-work, but also in the provision of "project VMs" where we provision a
VM/resources dedicated to a specific project.

However, we have run into an occurrence where a project's VM ran well past
any/all resources that we could provide within the Infrastructure budget
provided by the Board. As a result, we had to shut it down, or the project
needed to request specific budget from the Board to keep that system
running.

So. We can and will do all that we can. If the request is still pretty
nebulous/unclear, then bring it to users@infra for some early discussion.
Once it gets concrete, then file a ticket. We'll go from there.

Cheers,
Greg Stein
Infrastructure Administrator, ASF