Gnome-shell's outbound connections / what and how to stop

After booting and reaching the GUI, that is, the display manager GDM, gnome-shell starts calling home:

COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
gnome-she 1160    gdm   38u  IPv4  30777      0t0  TCP localhost.localdomain:27146->master1.openshift4.gnome.org:https (ESTABLISHED)

When I proceed and log in as a normal user, an additional home call is made:

COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
gnome-she 1820   test   49u  IPv4  44683      0t0  TCP localhost.localdomain:34244->master3.openshift4.gnome.org:https (ESTABLISHED)

Desktop environments do more complex and legitimate tasks nowadays, but for the sake of transparency: what triggers such requests? Any API usage? It is surprising that such requests start already at the GDM stage. I already disabled gnome-software, weather widgets etc…

1 Like

Are you logging in in a corporate network?

No, that is just one node where OCP is running.
https://wiki.gnome.org/Infrastructure/Servers

2 Likes

For how long have you been using Gnome before you discovered that it was calling home?

For me it was about three months till some people at Tor warned me about using Gnome.

At that time, I was new to Linux and the only Linux distro that had and still has a very short learning curve for those who migrated from Microsoft Windows was/is Ubuntu. However Ubuntu’s default desktop environment was and still is Gnome.

The folks at Tor and Tails advised me to move away from Ubuntu and I decided on Debian because Tails is based on Debian.

On Debian (stable), I do not install a desktop environment. In fact I picked and chose what software to run.

In addition to Gnome calling home, there is a potential source of security nightmare: stay away from using Network Manager. There was an incident in which a moderate to severe bug was reported to the developers of Network Manager and it took the latter at least two years (or thereabouts ??) to fix it.

If you are or your company is using a VPN, you should avoid using NetworkManager-openvpn as well. VPN vendors which are serious about privacy will advise you to not use said plug-in. Bug reports were filed against NetworkManager-openvpn and to the best of my knowledge, after five years, no patch has been issued.

P.S.: It’s perfectly OK to not use Gnome. You will survive, just as I have :wink:

Ariana: this reply is not really useful here since it’s more a general commentary rather than one specific to the topic. It also makes a casual reader feel like Gnome/Network Manager is collecting data on users and is riddled with privacy/security issues—which is not the case

If you can please edit your post to list references about “Gnome calling home” etc. and it being an issue, that’ll be very useful here to clarify what it really means and put these statements in context.

There are a number of legitimate cases for computers connecting to servers. For example, the detection of a captive portal when connecting to public wifi requires it. Even checking if there’s network connectivity requires it (see /usr/lib/NetworkManager/conf.d/20-connectivity-fedora.conf). Any service that checks for updates will connect to someplace online, the Fedora repos, or FlatHub sources, or Gnome extension servers and so on.


Leon: does this connection persist throughout, or does it only happen on login? I had a look at the Gnome GitLab and found this issue (which is fixed now), but does indicate it could be the extensions checker:

So my best guess at the moment is that this is the gnome-shell extension update checker. When there are updates, I do remember getting a notification immediately after logging in.

I think it checks on start (although I don’t know the code well enough so I could be wrong):

and then there’s also this:

$ nslookup extensions.gnome.org
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
extensions.gnome.org    canonical name = router-default.apps.openshift4.gnome.org.
Name:   router-default.apps.openshift4.gnome.org
Address: 8.43.85.4
Name:   router-default.apps.openshift4.gnome.org
Address: 8.43.85.3
Name:   router-default.apps.openshift4.gnome.org
Address: 8.43.85.5

Edit: edited to note why I think Ariana’s reply is not useful

5 Likes
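
The attribution step discussed above (matching gnome-shell's sockets to the addresses behind extensions.gnome.org) can be scripted. This is an added example, not part of the original thread; the function name, the local address 192.0.2.10 and the firefox line are constructed, while the remote IPs are the ones from the nslookup output above.

```shell
#!/bin/sh
# Match a process's established TCP connections against the A records of a
# suspected hostname, using numeric lsof output (-n: no DNS, -P: no port names).

# Constructed sample of `lsof -nP -iTCP -sTCP:ESTABLISHED` output.
SAMPLE_LSOF='COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
gnome-she 1160    gdm   38u  IPv4  30777      0t0  TCP 192.0.2.10:27146->8.43.85.4:443 (ESTABLISHED)
gnome-she 1820   test   49u  IPv4  44683      0t0  TCP 192.0.2.10:34244->8.43.85.3:443 (ESTABLISHED)
firefox   2301   test   71u  IPv4  51200      0t0  TCP 192.0.2.10:40112->198.51.100.7:443 (ESTABLISHED)'

# Addresses extensions.gnome.org resolved to in the thread.
KNOWN_IPS='8.43.85.3 8.43.85.4 8.43.85.5'

# attribute_connections COMMAND "IP IP ..."   (lsof output on stdin)
# Prints one line per established connection of COMMAND:
#   user pid remote_ip:port match|other
attribute_connections() {
    awk -v cmd="$1" -v ips="$2" '
        BEGIN {
            n = split(ips, a, " ")
            for (i = 1; i <= n; i++) known[a[i]] = 1
        }
        NR == 1 { next }                      # header line
        substr(cmd, 1, 9) != $1 { next }      # lsof shows 9 chars of COMMAND
        $NF != "(ESTABLISHED)" { next }
        {
            split($(NF - 1), ends, "->")      # NAME column is local->remote
            remote = ends[2]
            ip = remote
            sub(/:[0-9]+$/, "", ip)           # drop the port
            print $3, $2, remote, ((ip in known) ? "match" : "other")
        }'
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE_LSOF" | attribute_connections gnome-shell "$KNOWN_IPS"

# On a live system (run as root to see the gdm user's sockets):
#   ips=$(getent ahostsv4 extensions.gnome.org | awk '{print $1}' | sort -u | tr '\n' ' ')
#   lsof -nP -iTCP -sTCP:ESTABLISHED | attribute_connections gnome-shell "$ips"
```

Lines marked `other` are connections from the same process to hosts outside the resolved set and are the ones worth a closer look.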

Woah, wait a minute. Not sure I am happy to come onto a forum to see a user calling another helper ‘not really useful’.

The OP had already shown that GNOME is calling home to openshift4.gnome.org, so it’s not detecting a captive portal, nor checking network connectivity. We have software like DNF and package managers to check Fedora Repos and Flathub services. Of course it is expected for them to do outward bound requests. The reason many of us switch to Linux and get away from the nasty Microsofts and Apples is to escape data capture that we have little or no control over, nor any say to dispute it. It’s already been claimed that Canonical have done some shady data collection in the past, I for one will no longer use Ubuntu on those grounds.

It’s a free world and we are adult enough to make up our own decisions and if a user wants to warn us of potential data risks, then I for one want to know about it so I can make my own investigations and my own choices.

2 Likes

As long as people scream for an OS as simple as Apple’s and Microsoft’s OS, it needs more than just DNF and a package manager. Extensions have been mentioned as an example, and those are managed by Gnome itself as I understand. If new users fear the terminal then you can’t expect them to act as advanced Linux users and do everything in the terminal.

I’m not a native English speaker, and for me the term “Gnome-shell calling home” is confusing and does not really let me know what the matter is. I also think the title should be clarified/changed.

@stamper this is not what he said. He (@ankursinha) mentioned that the experience @sabrina described does not really fit into this topic because it does not clarify what the actual problem is. As her answer is given, it looks like Gnome is collecting data we have no idea of. She should feel free to share the experience she had with Gnome, but I guess it would be better placed in its own topic, especially because she does not really use Gnome anymore.

I do agree with you, I’m also interested in potential data risk. But I prefer it based on facts and not really on an “I got told not to use it” basis. The information needs to be more selected and not just everything thrown together.

1 Like

The OP refers to a call from the localhost.localdomain to a server owned by gnome, in this case the server was master3.openshift4.gnome.org. These calls come both from user gdm and the local user, look at these two process descriptions posted:

It’s a pretty common term, see Phoning home - Wikipedia. I guess we can leave it.

@ilikelinux I agree with everything that you said, with the exception of

Because, that IS what he said and then went on to defend why some software makes outbound connections in a way as to defend the process.

If another user finds someone’s post interesting and would like more clarification then sure, they can ask for more information and start an adult conversation, or even another thread, but to use a derogatory term like ‘you’re not useful’! If that was said to your child, they could carry that with them for the rest of their lives. It’s not nice and it’s not necessary. If the OP chooses to ignore the reply because they (the OP) find it not useful, then that is different, but it is not for others to make that distinction and be rude in the process.

There is way way too much toxicity on the net, let’s not have it in this forum please.

1 Like

Sorry about that. I should’ve done better. I’ve edited my post to clarify what I meant. Does this make more sense?

Users warning of data risks is a good thing. Users doing this without providing references/evidence is not. We’ve got to be careful here. We don’t partake in “bashing” of Gnome or any other FOSS tool on the forum.

6 Likes

Should OP maybe ask on Gnome’s Discourse forum to get first hand information from someone knowing the code?

3 Likes

Thank you @ankursinha , I really appreciate your reply and adjusting your post.

I agree completely, bashing FOSS tools without reason is poor practice, and should certainly be challenged if no real evidence is forthwith. One of the great things about Linux is having the confidence that your privacy and security is considered with best intent. Which is why I am following this post with great interest, because if GNOME is doing something shady, I very much want to know (including the hearsay).

Please accept my apology if my original reply to your post was in any way distasteful to you.

2 Likes

@ankursinha thanks for the pointer. I was not sure which domain name is used here. There is more than one subdomain pointing to gnome’s infra (e.g. api.gnome.org).

So, delegating extensions.gnome.org here locally prevents such calls. Somehow I have seen these calls only on f36, f37 seems to be more quiet (from what I can see).

Any official knob in the GUI to configure this (or in the dconf sub system)?

I haven’t been able to find one. Looks like this is built into Gnome shell. Worth confirming with the gnome folks though—could even be a feature request?

1 Like

It would be interesting to see if toggling /org/gnome/software/allow-updates includes update checking for extensions as well.

edit: related topics:

So, 2 years ago someone was already trying to introduce a switch for turning extension updates ON/OFF. That merge request is still open.

2 Likes

Further investigation revealed that the above differences are due to the following causes: a user had locally (user account) some extensions installed. So, everything makes sense.

Thanks for those pointers! They show the current state nicely. Temporary workarounds are also available. I hope that everyone here understands now that it is not a piece of software that is evil, it’s the human behind it :-). Have a nice day and thanks!

3 Likes

I guess the point was to bring the “extension validation check” into the settings, because in dconf it is available to switch off.
Then the comment was made to bring up a switch to disable auto update in settings (see block quote below; from the last link augenauf posted).

So I tend to prefer the latter option, have a way to turn off automatic updates rather than all updates altogether.

So again, to not cause confusion, especially for new, less experienced users, please do what you mentioned above: bring this topic back to the Gnome Discourse and post these “disagreements” there.

Gnome already made the first step and separated extensions from Gnome itself.

  • Experienced users:
    Switches and possibilities to turn off automatic checks are there. As always in gnome you have to find them somehow. If you want to be secure do not use extensions at all. It is always a compromise to have beauty and simplicity united (in IT and real life :wink: )

  • Less experienced users:
    Please stop following all these trends on YouTube etc. They live from clicks, likes and followers to get a lot of money if you feed them intentionally. Their objective is to make money with that and this is ok. But you really have to be able to separate sensations from real danger. We here are an audience of a big crowd with any level of knowledge. Most of us like the freedom of choice. Search for real info at the base/source of projects like gnome.

Sorry, where can I find that switch?

All I found is an extension that turns off extension update checking: Add option to disable extension updates (#2514) · Issues · GNOME / gnome-shell · GitLab

I’m a bit confused now, I thought you are more advanced user ?!

I use dconf-editor; in the search field I enter "enable-extension-updates"

( !1099 >> just followed links of your posted links :wink: )

Then you get a list of switches you can toggle like:
Disables the validation of extension version compatibility > /org/gnome/shell/disable-extension-version-validation

@augenauf a more personal question, why do you not accept personal messages via your profile (PMs)?
Sometimes I do have the feeling you try to “lead on the slippery slope” with comments you make. With a possibility to resolve this in particular it sometimes wouldn’t blow up things so much.
It is up to you if you want to hide the way people could contact you, it just would make things easier to resolve some “personal issues” out of the public.

I’m not here to fight with people; on the contrary, I try to help as you do. But I’m also not here to get the feeling that I have to justify myself for comments I make (last time in the lounge, the discussion about the avatars). I am, as everyone else, a person who doesn’t know everything and makes mistakes.