How to get access to the data that is gathered from gnome-info-collect?
How to audit the data structure and the method of collection (whether IPs are tracked, whether additional log processing is taking place, etc.)?
How to ensure that the build is not modified from the source publicly available?
You need to speak to the Gnome community about this, since it’s a Gnome tool. The Fedora community did not develop it, nor does it maintain it—we are not upstream for this. The magazine post merely highlights the tool, as it does with various third party tools.
This looks like the upstream repository:
This particular bit is relatively easy—check the sources of the rpm (the spec/tar) in the COPR repository.
I would say it endorses it. And if upstream was there while writing the article, I expected somebody who endorses it to answer, and now I need to do all this research myself, which makes me angry, because I had planned different things for today.
Please be more careful with your comments. A number of your posts on the two discussion platforms do not meet the “be excellent to each other” standards set by the community.
You asked a question, and we answered. Are you expecting a crash course in security auditing where someone tells you step by step what to do? I’m sure you’ll agree that it is beyond the scope of this forum. We’re here to help people troubleshoot issues, we can’t give step by step tutorials on subjects as complex as security auditing.
download the source rpm
“install” (extract) it: rpm -Uvh <source-rpm>
check the included spec and source archive
Some more information on source rpms here:
In this case, the rpm was built directly from the upstream git repository, so you can be very sure that the upstream sources are the ones that have been used:
So I need to compare the source archive to upstream source, and then also check that the rules in .spec do not inject anything funny. And because people can’t upload binary packages to COPR directly - the only way to get the package is to go through the COPR build from the raw source - this guarantees that I get the package built from these sources by COPR.
But if the COPR build server is compromised, the only way to check is to get the same sources and repeat the build on a different machine. This is what I’ve been thinking: how to make a reproducible build of that and check the hashes for all files?
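The two checks raised above (does the source tarball inside the SRPM match the upstream git tree at the same commit, and does a rebuild on another machine produce the same files) both come down to hashing every file in two directory trees and listing what differs. The script below is an added example, not part of this thread or of gnome-info-collect; it assumes you have already unpacked the two trees yourself (for example the tarball extracted from the SRPM next to a `git archive` of the tagged commit, or the payloads of two RPMs unpacked with `rpm2cpio ... | cpio -idm`). The sample trees it builds when run without arguments are constructed for the demo and are not real project files.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a regular file, read in chunks so large tarballs are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root: Path, ignore_dirs: frozenset) -> dict:
    """Map every file below root (relative POSIX path) to its SHA-256.

    Symlinks are recorded by their target string instead of being followed, so
    a dangling or absolute link in one tree shows up as a difference rather
    than an exception or the hash of some file outside the tree.
    """
    hashes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune ignored directories (e.g. .git metadata) before descending.
        dirnames[:] = sorted(d for d in dirnames if d not in ignore_dirs)
        for name in filenames:
            p = Path(dirpath, name)
            rel = p.relative_to(root).as_posix()
            if p.is_symlink():
                hashes[rel] = "symlink:" + os.readlink(p)
            else:
                hashes[rel] = sha256_file(p)
    return hashes


def compare_trees(a: Path, b: Path, ignore_dirs=frozenset({".git"})) -> dict:
    """Report paths only in a, only in b, and paths whose contents differ."""
    ha = tree_hashes(a, ignore_dirs)
    hb = tree_hashes(b, ignore_dirs)
    common = set(ha) & set(hb)
    return {
        "only_in_a": sorted(set(ha) - set(hb)),
        "only_in_b": sorted(set(hb) - set(ha)),
        "differ": sorted(p for p in common if ha[p] != hb[p]),
    }


def trees_identical(report: dict) -> bool:
    return not any(report.values())


def demo_report() -> dict:
    """Constructed sample (not the real project): an 'upstream' checkout and a
    tree unpacked from a hypothetical SRPM in which client/client.py gained
    an extra line and an unexpected patch file appeared."""
    with tempfile.TemporaryDirectory() as tmp:
        upstream = Path(tmp, "upstream")
        from_srpm = Path(tmp, "from_srpm")
        for root in (upstream, from_srpm):
            (root / "client").mkdir(parents=True)
            (root / "client" / "client.py").write_text("print('hello')\n")
            (root / "README.md").write_text("# gnome-info-collect\n")
        # Git metadata only exists in the checkout; it must not count as a diff.
        (upstream / ".git").mkdir()
        (upstream / ".git" / "HEAD").write_text("ref: refs/heads/master\n")
        # Simulated tampering in the packaged tree.
        (from_srpm / "client" / "client.py").write_text("print('hello')\nimport os\n")
        (from_srpm / "extra.patch").write_text("--- a/client/client.py\n")
        return compare_trees(upstream, from_srpm)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        result = compare_trees(Path(sys.argv[1]), Path(sys.argv[2]))
    else:
        result = demo_report()
    for key, paths in result.items():
        for p in paths:
            print(f"{key}: {p}")
    print("identical" if trees_identical(result) else "DIFFERENT")
```

Run it as `python compare_trees.py <upstream-checkout> <unpacked-tarball>` for the source check, then read the .spec by hand for anything the comparison cannot see (extra Patch: lines, %prep edits, downloaded files). For the rebuild check, compare the unpacked payloads of the COPR RPM and your local RPM; a non-identical result does not by itself prove tampering, since non-reproducible builds commonly differ in embedded timestamps or build IDs, so inspect the listed files before drawing a conclusion.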
In any case, Gnome.org has commissioned this tool and must therefore comply with the Opensource regulations. These are GNU General Public License v3.0.
Also other distributions have started such a query. A well-known example is Ubuntu. I can’t remember if they allowed the user to see the collected data.
I personally consider your plan, which you mentioned last, as a vote of no confidence in Fedora. So the question arises: what does Fedora have to do with your problem? If the tool violated open-source guidelines, it would not exist.
But I have the impression you have the knowledge to read and understand the Python code, so you can check everything yourself: https://gitlab.gnome.org/vstanek/gnome-info-collect/-/blob/master/client/client.py