Stefan Küng wrote:
> Molle Bestefich wrote:
>
>>>> I find it *EXTREMLY* rude for any application to call home without
>>>> asking me first.
>>> Sorry, but that's not rude.
>>
>> Yes it is.
>> Sorry, but you don't get to decide what's rude, because you're not the
>> end user - I am :-).
>> I ultimately decide what I find rude.
>
> But I have to decide what's rude and what's not for the average user.
>
>>> Almost all applications which release new versions do that.
>>> That's the default.
>>
>> I don't think so, but whatever.
>
> Some examples: MSN messenger, the messenger+ extension, Winzip,
> Powerarchiver, ...
>
>>> And you *can* deactivate it.
>>
>> Only to find it reactivated after the next upgrade, I imagine.
>> Regardless, that's not the point.
>
> No. Once deactivated, it stays that way.
>
>>>> If I'm asked during the installation process, I always say "yes,
>>>> please".
>>> Checking for a new version during installation isn't enough.
>>
>> You misunderstood me.
>>
>> I was talking about the installer asking the user if "Is it ok to
>> check for updates from time to time?". Probably just as a checkbox
>> that's checked per default. That's what I see others doing.
>
> And where would that stop? *You* want to decide *that* option in the
> setup. Then the next guy wants another option in the setup too. In the
> end, we'd have the whole settings dialog in the setup too.
>
>>> We have to check for newer versions from time to time,
>>> so the user gets notified *after* (s)he has installed TSVN.
>>
>> No problem there, but you have to ask me kindly if you can phone home
>> from time to time, otherwise you will be blocked.
>
> I don't think I have to ask. If we would send some data back to the
> server, then yes we'd have to ask first. But for a simple check if
> there's a newer version available? No. Because you have absolutely
> *no* disadvantage when we do that. You give up no information about
> yourself.
> (no, we don't even have your ip address, because we don't have access
> to the tigris.org server). All TSVN does is fetching the file
> http://tortoisesvn.tigris.org/version.txt. Nothing more.
>
>>>> If I'm not asked, I'll note to myself that the particular application
>>>> apparently has something it wants to hide. Perhaps they're collecting
>>>> a bunch of statistics from my PC, perhaps they're sending home my
>>>> webbanking account numbers, or perhaps they're just checking up on how
>>>> often I use the application. Either way, not going to happen.
>>> You can be suspicious with closed applications. But with open source
>>> apps? We can't hide anything from you, the whole sourcecode is
>>> available.
>>
>> I don't personally know the developers.
>> And I don't have the time to proactively follow every commit to the
>> source repository before the application happens to self-update with a
>> new version.
>
> You don't have to. This is an open source project. So there are a lot
> of people involved. And even more read the commit mails, or browse the
> sourcecode from time to time. If one of them would discover something
> nasty, you can be sure that this would be made public immediately.
>
>> I much rather like a trust-based approach.
>> You ask me whether I trust you to automatically update this piece of
>> software, I tell you yes or no.
>
> You have installed it. So I assume you trust it.
>
>> (If I tell you no, don't install the crash report feature. Gray out
>> the checkbox. Another problem solved.)
>
> No. I would never disable the crash report feature!
> And I don't have to. The crash report feature doesn't send anything
> unless told to. Only if you click on the "Send" button it will open
> your mail client, fill in the "to:" address and attach the dumpfile to
> it. You then still have to send the mail manually. So you can decide
> yourself if you want to send that kind of information or not, even if
> it's activated.
> If you really want more, you can delete the crashrpt.dll in the TSVN
> installation folder - but you have to deal with yourself being overly
> paranoid.
>
>>> Would your firewall even notice a call-home from an app which *has* to
>>> access the internet (e.g. a mail client, messenger program, ...) - you
>>> should be more worried with those, because they know that they most
>>> likely won't be detected calling home.
>>
>> Yes. Just like TSVN can update my local WC of the TSVN repo, but not
>> ask the same server about software updates, my browser cannot phone
>> home to the mozilla servers (because they didn't ask nicely) (oh, and
>> because I hate that Firefox removes the custom search engines when
>> upgrading, hehe) but they can browse the web.
>
> If you upgrade Firefox correctly, the custom search engines will be
> kept. And you really block firefox from checking for newer versions? A
> webbrowser? That means an application which connects to the internet
> and must be kept up-to-date all the time to avoid having security issues?
>
>> As far as mail bugs go, I'm stripping all scripting and externally
>> linked items.
>
> I do that too. But here again: you have to *disable* the feature. It's
> enabled by default.
>
> Stefan
>
Sorry for the emotive Subject line.
I don't have a problem with the once a week check for updates stuff. In
fact Windows Update is armed to download but ask daily. My concern
related to the fact I frequently disconnect from the real world when
working on the laptop so I don't want any dependency on being connected.
And regardless of where the program puts the option to allow/disallow
connection, (Installer/deep in a submenu) the firewall nails the call it
before it gets out. I was thinking from the URL it was more a Subversion
related function rather Tortoise's.
Peter
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tortoisesvn.tigris.org
For additional commands, e-mail: dev-help@tortoisesvn.tigris.org
Received on Wed Apr 12 19:09:37 2006