incubator-general mailing list archives

From Greg Stein <gst...@gmail.com>
Subject Re: ASF hosted binaries collecting user data without an explicit opt-in
Date Tue, 06 Jun 2017 02:36:15 GMT
The Infrastructure team is taking this to the Apache Ignite PMC. This is
completely improper.

On Mon, Jun 5, 2017 at 9:34 PM, Julian Hyde <jhyde@apache.org> wrote:

> If the binaries are built from the released source code I don’t think we
> should restrict what the binaries do. The question is whether the community
> is aware of what the code is doing, and considers it to be in the best
> interests of the project.
>
> The answer seems to be yes, and yes. I saw that the issue was discussed on
> dev@ignite[1], and had a corresponding JIRA case[2], and no objections
> were raised. If anyone has problems with that behavior (including security
> bugs) they should raise it with Ignite's PMC.
>
> Julian
>
> [1] https://mail-archives.apache.org/mod_mbox/ignite-dev/201504.mbox/%3CCALV17Qod61yu63__Cs9ekGu+KVxHPpKXmpAGNdoNRz1t8_T9SA@mail.gmail.com%3E
>
> [2] https://issues.apache.org/jira/browse/IGNITE-775
>
>
>
> > On Jun 5, 2017, at 6:48 PM, Roman Shaposhnik <roman@shaposhnik.org> wrote:
> >
> > Hi!
> >
> > after seeing this thread on legal-discuss:
> >    https://mail-archives.apache.org/mod_mbox/www-legal-discuss/201706.mbox/%3CCAGJoAUn-hiE89mWObh1Lb2S_vgqQJ%3DDC%3D1P_V1REQ9hUERCFog%40mail.gmail.com%3E
> >
> > I'd like to ask a policy related question.
> >
> > What we currently have is a whole bunch of binaries hosted
> > by ASF: https://ignite.apache.org/download.cgi#binaries that
> > collect user data and ship it away to a host currently not
> > associated with ASF (nor does it seem to be associated with
> > Ignite's PMC). The host name is ignite.run (and, as a side note,
> > as it turns out the connection to that host in Ignite releases prior
> > to 1.9 is unsecure:
> >   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6805
> > )
> >
> > Is this something ASF should be concerned with from a standpoint
> > of the policy that we have for binary convenience artifacts that are
> > hosted on our end?
> >
> > Would it make it different if ignite.run and the data collected
> > by it was managed by an Ignite PMC as opposed to an unidentified
> > 3rd party?
> >
> > Thanks,
> > Roman.
