How to check `gnome-info-collect` privacy claims?

Since nobody answered me at [Article Proposal] gnome-info-collect introduction and CFA - #8 by abitrolly - Fedora Discussion, I decided to repeat my questions here.

How to get access to the data that is gathered by gnome-info-collect?
How to audit the data structure and the method of collection (if IPs are tracked, if additional log processing is taking place, etc.)?
How to ensure that the build is not modified from the source that is publicly available?

You need to speak to the Gnome community about this, since it’s a Gnome tool. The Fedora community did not develop it, nor does it maintain it; we are not upstream for this. The magazine post merely highlights the tool, as it does with various third-party tools.

This looks like the upstream repository:

This particular bit is relatively easy—check the sources of the rpm (the spec/tar) in the COPR repository.


This DIY is literally killing me. If I don’t find a job, I will screw myself up with all this procrastination. :smiley:

How to check the sources?

I would say it endorses it. And if upstream was there while the article was being written, I expected somebody who endorses it to answer, and now I need to do all this research myself, which makes me sandgry, because I had planned different things for today.

Please be more careful with your comments. A number of your posts on the two discussion platforms do not meet the “be excellent to each other” standards set by the community.

You asked a question, and we answered. Are you expecting a crash course in security auditing where someone tells you step by step what to do? I’m sure you’ll agree that it is beyond the scope of this forum. We’re here to help people troubleshoot issues, we can’t give step by step tutorials on subjects as complex as security auditing.

You’d:

  • download the source rpm
  • “install” (extract) it: `rpm -Uvh <source rpm>`
  • check the included spec and source archive

Some more information on source rpms here:

In this case, the rpm was built directly from the upstream git repository, so you can be very sure that the upstream sources are the ones that have been used:

The spec file is included in the upstream repo:

It does not endorse any tools that are featured. It is merely a news/info blog:

“Fedora Magazine is a website that hosts promotional articles and short guides contributed from the community about free/libre and open-source software that runs on or works with the Fedora Linux operating system. (more about Fedora Magazine)”

If I am not being excellent to you here, let’s settle this now. If that’s another person, maybe you can forward the message about what is wrong with me expressing my emotions.

So I need to compare the source archive to the upstream source, and then also check that the rules in the .spec do not inject anything funny. And because people can’t upload binary packages to COPR directly (the only way to get the package is to go through the COPR build from the raw source), this guarantees that I get the package built from these sources by COPR.

But if the COPR build server is compromised, the only way to check is to get the same sources and repeat the build on a different machine. This is what I’ve been thinking about: how to make a reproducible build of that and check the hashes for all files?
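The steps above (unpack the source rpm, read the spec, compare the shipped sources with upstream, then compare two independent builds file by file) can be scripted. The following is an added example written for this thread; it is not code from the thread, from Fedora, from COPR or from gnome-info-collect. It assumes the standard Fedora tools `rpm2cpio`, `cpio`, `sha256sum`, `find` and `diff`. The `make_demo_trees` function builds a small constructed stand-in for "srpm tree vs. upstream checkout" so the comparison can be run offline; the network-fetch grep in `spec_audit` is a heuristic, not a complete audit of a spec file.

```shell
#!/bin/sh
# Added example (not from the thread or the project). Compare the sources
# shipped in a source rpm against an upstream checkout, and compare two
# build outputs, using per-file sha256 sums.

# 1. Unpack a source rpm into $dest without installing anything; the spec
#    and the Source0 tarball land there. Not exercised by the constructed
#    demo below, because no real srpm is available offline.
extract_srpm() {
    srpm=$1; dest=$2
    mkdir -p "$dest"
    ( cd "$dest" && rpm2cpio "$srpm" | cpio -idm --quiet )
}

# 2. Show where the spec says its sources and patches come from, plus any
#    build-section commands that reach out to the network (heuristic grep).
#    A clean spec only uses the listed Source/Patch files.
spec_audit() {
    spec=$1
    grep -E '^(Source|Patch)[0-9]*:' "$spec" || true
    grep -nE '\b(curl|wget|git clone|pip install)\b' "$spec" || true
}

# 3. Per-file sha256 manifest of a tree, sorted so two manifests can be
#    compared line by line. Works for an unpacked srpm tree vs. a git
#    checkout, and equally for two extracted binary rpms (rpm2cpio again).
tree_hashes() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done )
}

# 4. Compare two trees. Returns 0 when every file matches, 1 otherwise,
#    printing the differing manifest lines.
compare_trees() {
    ta=$(mktemp); tb=$(mktemp)
    tree_hashes "$1" > "$ta"
    tree_hashes "$2" > "$tb"
    if cmp -s "$ta" "$tb"; then rc=0; else diff "$ta" "$tb" || true; rc=1; fi
    rm -f "$ta" "$tb"
    return $rc
}

# Constructed sample data: an "upstream" tree and an "srpm" tree whose spec
# carries one extra line that upstream does not have. Prints the base dir.
make_demo_trees() {
    base=$(mktemp -d)
    mkdir -p "$base/upstream/client" "$base/srpm/client"
    printf 'print("hello")\n' > "$base/upstream/client/client.py"
    cp "$base/upstream/client/client.py" "$base/srpm/client/client.py"
    printf 'Source0: gnome-info-collect.tar.gz\n%%prep\n' > "$base/upstream/pkg.spec"
    printf 'Source0: gnome-info-collect.tar.gz\n%%prep\nwget http://example.invalid/x\n' \
        > "$base/srpm/pkg.spec"
    echo "$base"
}

# Demo run on the constructed trees.
demo=$(make_demo_trees)
echo "== spec audit (srpm copy) =="
spec_audit "$demo/srpm/pkg.spec"
echo "== tree comparison =="
compare_trees "$demo/upstream" "$demo/srpm" || echo "trees differ"
rm -rf "$demo"
```

For the real check, replace the constructed trees with the directory produced by `extract_srpm` (after unpacking its Source0 tarball) and a `git clone` of the upstream repository at the tagged commit; for the reproducible-build question, run `compare_trees` on the contents of the COPR-built rpm and a locally rebuilt rpm, both extracted with `rpm2cpio`. Differences in timestamps or build-ids are the usual sources of noise there and need to be judged separately from a changed file body.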

I do not understand your question!
If you have a problem with the collection of additional info by a Gnome tool, you should simply not use it.

If you are willing to do so but don’t agree with the user not seeing the collected data, you should contact the Gnome community.
https://discourse.gnome.org/t/help-wanted-packaging-gnome-info-collect/9617

In any case, Gnome.org has commissioned this tool and must therefore comply with the open source regulations. These are the GNU General Public License v3.0.

Also other distributions have started such a query. A well-known example is Ubuntu. I can’t remember if they allowed the user to see the collected data.

I personally consider your plan, which you mentioned last, to be a vote of no confidence in Fedora. So the question arises: what does Fedora have to do with your problem? If the tool violated open source guidelines, it would not exist.
But I have the impression you have the knowledge to read and understand the Python code, so you can check everything yourself: https://gitlab.gnome.org/vstanek/gnome-info-collect/-/blob/master/client/client.py
