[Popcon-developers] Bug#632438: popcon wrongly claims to be anonymous

Bill Allombert Bill.Allombert at math.u-bordeaux1.fr
Sun May 5 12:57:12 UTC 2013


On Mon, Oct 29, 2012 at 09:57:55AM +0100, Helmut Grohne wrote:
> I think the problem is worse than Paul Wise outlines. The package
> description claims anonymity. This is only true if it cannot be
> trivially defeated.
> 
> The common use case for equivs is to create a package based on the
> hostname. Gladly popcon gives us numbers[1]. So about 8% of the
> submitters are using equivs. (Some machines will use packages generated
> using equivs without actually having installed equivs.) Let's assume
> that half of them employ a metapackage based on the hostname. The
> hostname is kind of public. It occurs in message-ids, bug reports, etc.
> So using this scheme we can almost trivially deanonymize 4% of the
> users.
> 
> Another case is looking at packages whose versions are newer than sid or
> experimental. Most likely the machine owner is the maintainer or an
> uploader. This also works for mentors and for them probably even better,
> because their packages tend to wait for a long time until being
> uploaded. A quick grep on the maintainer field shows about 2000
> different maintainer addresses. Let's guess every fourth maintainer is
> using pop-con and can be deanonymized using this technique.
> Another 0.5%.
> 
> These numbers are low for the general but still alarming. The risk of
> being deanonymized is way higher for maintainers or developers unless
> they are aware of the problem and work around[2] it or simply remove
> popcon.

I agree with the risk of deanonymization, however you have to look at the
consequence: we only publish aggregated results, not individual reports, so this
is only leaking whether someone is reporting or not, this does not leak the
full list of packages, or the popcon UUID.

Cheers,
-- 
Bill. <ballombe at debian.org>

Imagine a large red swirl here. 
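An added example, not part of the original message or of popcon itself: a self-audit that lists which package names in a machine's own report would stand out. It flags names that contain the hostname (the equivs case Helmut describes) and, going a little beyond the message, any name missing from a caller-supplied set of archive package names. The sample report, the hostname `gauss` and the `archive_names` set are constructed; the row layout is assumed to follow the popularity-contest text report.

```python
import re

# Constructed sample, assumed to follow the popularity-contest report layout:
# a header line, rows of "<atime> <ctime> <package> <file-or-tag>", a footer.
SAMPLE_REPORT = """\
POPULARITY-CONTEST-0 TIME:1367755200 ID:00000000000000000000000000000000 ARCH:amd64
1367712000 1351468800 bash /bin/bash
1367712000 1351468800 equivs /usr/bin/equivs-build
0 0 gauss-config <NOFILES>
0 0 site-local-defaults <NOFILES>
1367712000 1351468800 grep /bin/grep
END-POPULARITY-CONTEST-0 TIME:1367755200
"""


def reported_packages(report):
    """Return the package names listed in the body rows of a report."""
    names = []
    for line in report.splitlines():
        fields = line.split()
        # Body rows start with two numeric timestamps; header and footer do not.
        if len(fields) >= 3 and fields[0].isdigit() and fields[1].isdigit():
            names.append(fields[2])
    return names


def identifying_packages(report, hostname, archive_names):
    """Map package name -> why it could link the report to one machine."""
    host = hostname.split(".")[0].lower()  # short hostname, without the domain
    findings = {}
    for name in reported_packages(report):
        tokens = re.split(r"[-+.]", name)  # split on characters legal in names
        if host and host in tokens:
            findings[name] = "name contains hostname"
        elif name not in archive_names:
            findings[name] = "not in archive list (locally built?)"
    return findings


if __name__ == "__main__":
    # archive_names is a constructed stand-in for a real archive package list.
    archive = {"bash", "equivs", "grep"}
    for pkg, why in identifying_packages(SAMPLE_REPORT, "gauss.example.org", archive).items():
        print(f"{pkg}: {why}")
```
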


