https://discuss.privacyguides.net/t/manjaro-is-experimenting-with-opt-out-telemetry/22305
Manjaro (a Linux distro) has requested feedback regarding their proposal to collect what they claim is 'anonymized' data.
We're currently testing a new open-source tool for Manjaro, that will help us with the development of Manjaro. It's called MDD 26 and it collects some anonymous and impersonal statistics about Manjaro systems.
One user has commented:
"This is a bit problematic, as they include a lot of info in those reports: all your machine hardware, timezone, country, etc."
Another has also made his views clear:
... you have to get an individual permission and have to ask every single user independent, which is ending in a "license-agreement" similar to ms-windows. otherwise this application is a dead-horse that is violating all and especially the european-data-security-laws. this is something that you have to figure out with @philm and all the other responsible persons at manjaro.
Manjaro dismisses this claim without actually considering EU laws which do cover this very topic. Opt-Out is not permitted.
MDD - Opt-in vs Opt-out
- Testers needed: Manjaro Data Donor
https://forum.manjaro.org/t/testers-needed-manjaro-data-donor/170163/48
So, Soylentils, what is your view on this subject? Do you think system metrics are required for anyone producing a distro, even if the information is as anonymized as they claim it is? Or is this overstepping the mark?
(Score: 3, Funny) by Frosty Piss on Sunday November 17, @03:17PM (17 children)
A distro I've never heard of doing something sketchy. Shocking.
(Score: 4, Interesting) by Adam on Sunday November 17, @03:28PM (5 children)
It's number 5 on DistroWatch and has been around for years.
(Score: 5, Informative) by RamiK on Sunday November 17, @04:43PM (4 children)
Personally I can't even remember ever hearing about №1 and can only vaguely recall mentions of №3 though nothing beyond the name comes to mind. Beyond №5, the ratio between distros I know, vaguely recognize and never heard about is probably roughly the same as 1-5.
For reference, the top 30 page hits:
(https://distrowatch.com)
compiling...
(Score: 4, Interesting) by Gaaark on Sunday November 17, @10:23PM
I used to use Manjaro, and only stopped when I found MX Linux: it is systemd free.
Never really had any problems with Manjaro but do like that MX is systemd free (or should I say 'systemd optional': you can opt in to systemd, but not sure why you'd want to).
MX is nice. I'd probably go back to Manjaro if MX ended.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by Reziac on Monday November 18, @03:06AM
It's not a popularity-of-distro, it's how many times DW gets a hit on that distro's page. Which probably yanks the standings in all directions.
And there is no Alkibiades to come back and save us from ourselves.
(Score: 2) by Freeman on Monday November 18, @03:24PM
I've been using MX Linux for a number of years. It's my current go-to Linux distribution. Mint has never been my thing.
I'm kind of surprised that EndeavourOS is as high as it is. (Apparently EndeavourOS is the "user-friendly" Arch distro.) Debian is up there, because Debian. Manjaro has also never been my thing. Ubuntu is okay, but it's essentially the definition of Bloatware for Linux. (Though, I've used the likes of Edubuntu, Lubuntu, and Xubuntu all of which I preferred over regular Ubuntu.) Pop!_OS is probably as high as it is, because it's included on some pre-built systems. https://pop.system76.com/ Fedora and OpenSUSE have never been my thing either. Pretty much the only one I've not heard of in the top 10 is "CachyOS" (Apparently an Arch distro). The fact that Arch itself isn't on the list, should tell you something about Arch. The only other distro on that list that I've dabbled with is antix and I find that MXLinux is just better.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 2) by corey on Tuesday November 19, @09:21PM
Yeah I tried to get MX Linux installed but because I have a RTX3060, it wouldn’t even boot to the installer. Couldn’t work out the problem, tried with “nofb” kernel flag. Anyway I went back to good old Gentoo which I’ve set up and is going really great for work every day. And systemd-free.
(Score: 3, Disagree) by acid andy on Sunday November 17, @03:29PM (10 children)
Manjaro is a popular distro on Pine64 devices like the PinePhone. I tend not to use Manjaro myself as it has Systemd.
Enjoy the slurping of your Google or Apple device.
Welcome to Edgeways. Words should apply in advance as spaces are highly limite—
(Score: 3, Interesting) by Frosty Piss on Sunday November 17, @03:47PM (9 children)
Alas, sooner or later ALL distros will have SystemD...
(Score: 5, Funny) by acid andy on Sunday November 17, @03:48PM (2 children)
No they won't, because the distro I use will not have SystemD, one way or another...
Welcome to Edgeways. Words should apply in advance as spaces are highly limite—
(Score: 5, Funny) by driverless on Monday November 18, @12:00AM (1 child)
I'm not really sure if you can call DOS 3.3 a distro, but I agree that it's definitely SystemD-free.
(Score: 2) by acid andy on Monday November 18, @02:11PM
Unclean! Unclean!
That sort of thing would be a last resort. I figure as we are working with open source, if I have to I will roll my own SystemD-free distro, or try and backport any new functionality I need to an older version that doesn't have it. I mean, there must be enough rebel nerds on this site that we could probably scrape together enough SystemD-phobic coders to make it happen if it was too much for one person.
Welcome to Edgeways. Words should apply in advance as spaces are highly limite—
(Score: 4, Interesting) by DrkShadow on Sunday November 17, @07:53PM (4 children)
The only distros with SystemD are:
- Redhat
- Debian
- Arch
- Suse
Everything else doesn't. Slackware. Void. Alpine. Devuan. Artix. Gentoo. All of the BSDs. All of the others are basically spin-offs of Debian. SystemD Is really and truly in the minority amongst distros. Debian was hotly contested, and probably bribery entered into the mix (after all, without Debian - the biggest - SystemD would be a Redhat exclusive). Using SystemD pays: as a user, the increased attack surface (multiple root vulnerabilities (journald, etc), the xz ssh backdoor); and as a provider: those support dollars keep rolling in, because the users have no choice - it just doesn't work as advertised, so support contracts to tell them to "deal with it."
Anyway, unless you're paying out the ass for a support contract, you should probably *not* be using Ubuntu -- use Debian instead for your servers, which means use Devuan. If you're containerizing, use something like Alpine, or else you're likely making a statically-linked Go executable that should be the only file in the container filesystem.
There's no practical reason to use SystemD. Maybe you're giving your users Linux Mint, and going "Our servers have to run the same thing as the Users' OS," so you're putting Ubuntu on your servers. Stop. That. Containerize it, just so that your OS is separate from your application environment (but omg *do not* go "micro-service" (very-macro-overhead)). By "Containerize it," I mean give your users a Dockerfile that builds the app into a container based on Alpine or similar - the Mint on their workstation is just for E-mail, web browsing, etc. Not application deployment.
(Score: 4, Insightful) by Frosty Piss on Sunday November 17, @08:07PM (3 children)
It's *not* the raw number of distros, the fact is that in terms of deployment of Linux in *enterprise* installs, SystemD rules. All the rest are hobbyists pontificating on how many fleas RMS picks out of his beard every day. Which is too bad since SystemD is an abomination.
But if you don't think it's going to dominate, you're delusional.
(Score: 2, Interesting) by pTamok on Sunday November 17, @08:37PM (1 child)
In terms of *enterprise* installs, you are completely correct.
However, Android doesn't use systemd, so in terms of total number of installs on bare-metal, a non-systemd distribution (if you think of Android as a Linux distribution) predominates.
From an enterprise point of view, I also wonder if the number of linux kernels running in VMs might count towards non-systemd implementations. I'm no expert here, but I have heard that Void Linux might be chosen for VMs that need fast startup speed and low resource usage, and it uses runit, not systemd. I'll stress that I could be laughably wrong, but it might be a material number, to use accountancy speak.
(Score: 2) by Unixnut on Monday November 18, @11:19AM
It would be the height of irony if that is the case, considering the main reason systemd was forced upon us was the argument of "fast startup speed" and "low resource usage". Systemd only had those two things to do and it failed at them, all while crapping all over the rest of the system.
Not that I am surprised, those arguments were always nonsense from the get go (alas lots of people believed it, mostly Linux newbies I suspect) but it's the excuse they used to force systemd through the door, after which it metastasised across the entire GNU/Linux system.
However the GP poster is still correct. While the number of systemd distros is small in percentage terms of all the distros out there, they captured (via RedHat and Debian) both RPM and DEB based distros, which dominate the Linux ecosystem.
So as far as deployed Linux machines are concerned the majority is systemd and more importantly (for those of us not independently wealthy) pretty much 90% of the Linux jobs out there involve dealing with systemd. So if you want to earn money using Linux, you will be dealing with systemd. Unfortunately some hobby distros sitting on the edge of the ecosystem being tinkered with are really irrelevant beyond those who use them.
The only non systemd distro that I've seen gain any kind of traction in business was Devuan, primarily because they gave a clear upgrade path from Debian to Devuan back when the schism happened, and a lot of Debian sysadmins and users switched to it because it was more similar to the old Debian than the new systemd Debian became. However it also has no traction in enterprise because of the lack of support from proprietary software vendors.
When people say "Linux" they tend to mean GNU/Linux, while Android is a different system on top of the Linux kernel (more accurately referred to as "Android/Linux"). Android is more of an appliance than a general purpose OS, so you can't really compare the two. Android not running systemd is about as relevant as the hundreds of millions of other Linux appliances running their own custom distros.
(Score: 2) by Freeman on Monday November 18, @03:27PM
SystemD would be one of those "stupid weird things", if it had never made it into Debian.
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
(Score: 2) by Thexalon on Monday November 18, @03:21AM
I don't think so.
Even if I have to spend hours compiling stuff to make a working Linux From Scratch sans SystemD or a SystemD-free Gentoo. Because it was always a fundamentally bad idea.
"Think of how stupid the average person is. Then realize half of 'em are stupider than that." - George Carlin
(Score: 5, Insightful) by looorg on Sunday November 17, @03:27PM (2 children)
Opt-Out as noted is very problematic. They use it cause they know that most people won't bother, or even know how, to opt-out of anything. Even if they are tempted to opt-out they are then usually met with a lot of warning signs, bells and whistles that seed doubt in the user if they should or not. So they don't.
That said I do understand them in some aspect. If you want to do new things it's good to know how said thing is being used, on what and how. You need data somehow. But considering the whole open source idea. Wouldn't it be better then to just ask your users once a year or so to run a script or some piece of software on your system and share said data file with them. Preferably then the data file is easily read in some clearly formatted output. That way you can see what data was actually gathered.
Looking at their "Data Donor" file. I would probably not want it to share "device_id". I know they want a unique identifier of some kind. Preferably also if you do submit over and over again so they can see how your system changes. But then you run into issues with that anonymity they claim. "Region" and "Timezone" could be problematic. "Last_Update" is probably somewhat sensitive too if you don't do it very often. Useful for them, potentially bad for the user.
With that in mind whenever someone calls it "anonymous and impersonal statistics" they are all lying. It's only anonymous for as long as the one gathering the data wants it to be. They probably don't have a lot of incentive here to make it personal. But it's a lie either way.
(Score: 4, Informative) by Mykl on Sunday November 17, @11:55PM
The well has been poisoned by too many companies 'requiring' too much detail in the past. Now most discerning people are hesitant to share anything at all in the event that the data is hacked or leaks, or if the data is ultimately used against them in some way (someone further down mentioned the stripping of Firefox functionality).
Steam used to keep sending me requests to run a hardware survey, but they were asking for a LOT of information and it was all-or-nothing, so I declined.
(Score: 2) by Unixnut on Monday November 18, @11:26AM
Or after an update the opt-out gets reversed unless you read the fine print saying that you have to re-opt-out during the update. That is the great thing about "enabled by default" settings. It is a constant case of you being vigilant and expending energy making sure it's not been re-enabled, either due to an update, due to a fat-finger, or a reinstall. You have to be constantly on your guard to make sure the system has not been reset to the default.
It reminds me of Android, where you constantly have to fight the OS to prevent it reverting to the default "we will suck up everything about you and send it to Google for evil and profit". It's bad enough I have to endure that on my smartphone, I really don't want or need to endure it on my PC as well.
(Score: 5, Insightful) by dwilson98052 on Sunday November 17, @04:06PM
...distro to avoid...
(Score: 2, Funny) by Anonymous Coward on Sunday November 17, @04:09PM (4 children)
Did IQs just drop sharply while I was away.
(Score: 2, Funny) by lush7 on Sunday November 17, @05:22PM (3 children)
They mostly come at night. Mostly..
(Score: 2) by Gaaark on Sunday November 17, @10:27PM
“Oh, yeah. Oooh, ahhh, that’s how it always starts. Then later there’s running and screaming.”
....ooops. Wrong movie. ;)
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 3, Funny) by Tork on Monday November 18, @05:08PM (1 child)
🏳️🌈 Proud Ally 🏳️🌈
(Score: 2) by corey on Tuesday November 19, @09:23PM
There is only zuuuuuuul.
(Score: 5, Insightful) by DrkShadow on Sunday November 17, @06:01PM (3 children)
You want to see how useful Telemetry is?
Look at Firefox. Telemetry gave them every reason to strip out all of the features that they "saw" only 10% of people were using. Iteratively, repeatedly. Until there was nothing left.
Telemetry gives MS all the reason to dumb-down the OS to the point that experienced people can't do anything with it.
Telemetry will only ever give you the lowest-common denominator. If you're shooting for achievements based on telemetry, your business has already failed.
(Score: 2) by Reziac on Monday November 18, @03:14AM (1 child)
That is a very good point. Basically the same problem as "ordering to the net" in retail.
And since the more-savvy users are more-likely to block or avoid, the data will be skewed toward the behavior of the unsophisticated user, thus accelerating the dumb-down of the product.
And there is no Alkibiades to come back and save us from ourselves.
(Score: 4, Interesting) by aafcac on Monday November 18, @04:50AM
In an ideal world, that's what focus groups with cameras watching people interacting with the software and fora are for. The more advanced users usually are willing to say what they want.
(Score: 2) by VLM on Monday November 18, @01:23PM
The best idea I've come up with doesn't even require client side telemetry, if you have a financial budget for I18N, and logs from the repo servers for downloaded packages, you could in theory allocate I18N translation money to match the userbase. So if 3.5% of users live in France you can assign 3.5% of the I18N budget toward some mixture of French and Arabic translations.
There is also stealth telemetry. If, for example, you get rid of Debian's "linux-firmware" package and replace it with very fine grained packages then you can look at the download stats for the packages to figure out who owns which nvidia graphics card, etc. Right now you could look at download and popularity stats for "firmware-microbit-micropython" to see who runs micropython on a BBC micro:bit board.
Likewise info about timezones is also not very problematic as all the data is in the repo download logs source-ip column anyway.
(Score: 5, Informative) by pTamok on Sunday November 17, @06:01PM
Opt-out is a no-no, but this being European bureaucracy there are some exceptions wide enough to drive a coach and horses through.
To lawfully control* personal data, your grounds for processing that data need to be included in one of the following list. Note that 'user consent' is only one of the grounds, and has some significant downsides for data controllers:
If a data subject withdraws consent for processing of personal data for which the grounds are 'consent', you have to show within reasonable time that you have stopped processing it, and no longer hold it. Removing such records can be time-consuming and costly, which is why relying on consent is problematic for data controllers.
This is why 'legitimate interest' is more and more frequently used as a basis for processing. No consent needed. But "The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing."
The UK Information Commissioner's Office has a lot more information on 'legitimate interests' as a basis for processing:
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/a-guide-to-lawful-basis/lawful-basis-for-processing/legitimate-interests/
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/legitimate-interests/what-is-the-legitimate-interests-basis/
What it boils down to is that organisations, if they can successfully argue their processing meets the requirements of 'legitimate interests', can process personal data without consent of the data subject. An exception is direct marketing where "If you are relying on legitimate interests for direct marketing, the right to object is absolute and you must stop processing when someone objects. For other purposes, you must stop unless you can show that your legitimate interests are compelling enough to override the individual’s rights."
So there is lots of room for dispute.
Manjaro might try to use the 'legitimate interests' ground, in which case they should have a Legitimate Interests Assessment (LIA) which they could make public. Note that 'anonymized' data can still be personal data if it meets the GDPR definition of 'personal data'
So a 'unique' but anonymous identifier (such as a randomly assigned UUID) would still be personal data if an index could link it to an identity as listed (but not limited to that list). German courts have ruled that dynamically assigned IP addresses are personal data, because with the necessary ISP records, the time that a particular IP address was handed out to a particular physical device can be determined, and such devices are used customarily by a person, or a small group of persons. Note that proper anonymity is hard. This means that 'advertising IDs' are personal data.
Long answer, still oversimplified, and quite possibly misleading in places. DYOR. But in the EU and EFTA, at least, and quite possibly the UK as well, they would be on shaky ground.
*You, as a 'data controller' can offload the actual processing of data to a 'data processor', but you retain responsibility for the lawful processing of the data. You can't offload that responsibility.
(Score: 2) by Freeman on Monday November 18, @03:30PM
In reality, is this entirely different from what's already out there in other distributions?
Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"