incubator-general mailing list archives

From Julian Hyde <jh...@apache.org>
Subject Re: ASF hosted binaries collecting user data without an explicit opt-in
Date Tue, 06 Jun 2017 02:34:56 GMT
If the binaries are built from the released source code I don’t think we should restrict
what the binaries do. The question is whether the community is aware of what the code is doing,
and considers it to be in the best interests of the project.

The answer seems to be yes, and yes. I saw that the issue was discussed on dev@ignite[1],
and had a corresponding JIRA case[2], and no objections were raised. If anyone has problems
with that behavior (including security bugs) they should raise it with Ignite's PMC.

Julian

[1] https://mail-archives.apache.org/mod_mbox/ignite-dev/201504.mbox/%3CCALV17Qod61yu63__Cs9ekGu+KVxHPpKXmpAGNdoNRz1t8_T9SA@mail.gmail.com%3E

[2] https://issues.apache.org/jira/browse/IGNITE-775



> On Jun 5, 2017, at 6:48 PM, Roman Shaposhnik <roman@shaposhnik.org> wrote:
> 
> Hi!
> 
> After seeing this thread on legal-discuss:
>    https://mail-archives.apache.org/mod_mbox/www-legal-discuss/201706.mbox/%3CCAGJoAUn-hiE89mWObh1Lb2S_vgqQJ%3DDC%3D1P_V1REQ9hUERCFog%40mail.gmail.com%3E
> 
> I'd like to ask a policy related question.
> 
> What we currently have is a whole bunch of binaries hosted
> by ASF: https://ignite.apache.org/download.cgi#binaries that
> collect user data and ship it away to a host currently not
> associated with ASF (nor does it seem to be associated with
> Ignite's PMC). The host name is ignite.run (and, as a side note,
> as it turns out the connection to that host in Ignite releases prior
> to 1.9 is unsecure:
>   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6805
> )
> 
> Is this something ASF should be concerned with from a standpoint
> of the policy that we have for binary convenience artifacts that are
> hosted on our end?
> 
> Would it make it different if ignite.run and the data collected
> by it was managed by an Ignite PMC as opposed to an unidentified
> 3rd party?
> 
> Thanks,
> Roman.

