[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [TSVN] TortoiseSVN calling home?

From: Stefan Küng <tortoisesvn_at_gmail.com>
Date: 2006-04-12 18:55:18 CEST

Molle Bestefich wrote:

>>> I find it *EXTREMLY* rude for any application to call home without
>>> asking me first.
>> Sorry, but that's not rude.
>
> Yes it is.
> Sorry, but you don't get to decide what's rude, because you're not the
> end user - I am :-).
> I ultimately decide what I find rude.

But I have to decide what's rude and what's not for the average user.

>> Almost all applications which release new versions do that.
>> That's the default.
>
> I don't think so, but whatever.

Some examples: MSN messenger, the messenger+ extension, Winzip,
Powerarchiver, ...

>> And you *can* deactivate it.
>
> Only to find it reactivated after the next upgrade, I imagine.
> Regardless, that's not the point.

No. Once deactivated, it stays that way.

>>> If I'm asked during the installation process, I always say "yes, please".
>> Checking for a new version during installation isn't enough.
>
> You misunderstood me.
>
> I was talking about the installer asking the user if "Is it ok to
> check for updates from time to time?". Probably just as a checkbox
> that's checked per default. That's what I see others doing.

And where would that stop? *You* want to decide *that* option in the
setup. Then the next guy wants another option in the setup too. In the
end, we'd have the whole settings dialog in the setup too.

>> We have to check for newer versions from time to time,
>> so the user gets notified *after* (s)he has installed TSVN.
>
> No problem there, but you have to ask me kindly if you can phone home
> from time to time, otherwise you will be blocked.

I don't think I have to ask. If we would send some data back to the
server, then yes we'd have to ask first. But for a simple check if
there's a newer version available? No. Because you have absolutely *no*
disadvantage when we do that. You give up no information about yourself.
(no, we don't even have your ip address, because we don't have access to
the tigris.org server). All TSVN does is fetching the file
http://tortoisesvn.tigris.org/version.txt. Nothing more.

>>> If I'm not asked, I'll note to myself that the particular application
>>> apparently has something it wants to hide. Perhaps they're collecting
>>> a bunch of statistics from my PC, perhaps they're sending home my
>>> webbanking account numbers, or perhaps they're just checking up on how
>>> often I use the application. Either way, not going to happen.
>> You can be suspicious with closed applications. But with open source
>> apps? We can't hide anything from you, the whole sourcecode is available.
>
> I don't personally know the developers.
> And I don't have the time to proactively follow every commit to the
> source repository before the application happens to self-update with a
> new version.

You don't have to. This is an open source project. So there are a lot of
people involved. And even more read the commit mails, or browse the
sourcecode from time to time. If one of them would discover something
nasty, you can be sure that this would be made public immediately.

> I much rather like a trust-based approach.
> You ask me whether I trust you to automatically update this piece of
> software, I tell you yes or no.

You have installed it. So I assume you trust it.

> (If I tell you no, don't install the crash report feature. Gray out
> the checkbox. Another problem solved.)

No. I would never disable the crash report feature!
And I don't have to. The crash report feature doesn't send anything
unless told to. Only if you click on the "Send" button it will open your
mail client, fill in the "to:" address and attach the dumpfile to it.
You then still have to send the mail manually. So you can decide
yourself if you want to send that kind of information or not, even if
it's activated.
If you really want more, you can delete the crashrpt.dll in the TSVN
installation folder - but you have to deal with yourself being overly
paranoid.

>> Would your firewall even notice a call-home from an app which *has* to
>> access the internet (e.g. a mail client, messenger program, ...) - you
>> should be more worried with those, because they know that they most
>> likely won't be detected calling home.
>
> Yes. Just like TSVN can update my local WC of the TSVN repo, but not
> ask the same server about software updates, my browser cannot phone
> home to the mozilla servers (because they didn't ask nicely) (oh, and
> because I hate that Firefox removes the custom search engines when
> upgrading, hehe) but they can browse the web.

If you upgrade Firefox correctly, the custom search engines will be
kept. And you really block firefox from checking for newer versions? A
webbrowser? That means an application which connects to the internet and
must be kept up-to-date all the time to avoid having security issues?

> As far as mail bugs go, I'm stripping all scripting and externally linked items.

I do that too. But here again: you have to *disable* the feature. It's
enabled by default.

Stefan

-- 
        ___
   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest Interface to (Sub)Version Control
    /_/   \_\     http://tortoisesvn.tigris.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tortoisesvn.tigris.org
For additional commands, e-mail: dev-help@tortoisesvn.tigris.org
Received on Wed Apr 12 18:55:43 2006

This is an archived mail posted to the TortoiseSVN Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.