#1273 Policy interpretation on proprietary products in gnome-software, gnome overview search results
Closed None Opened 5 years ago by immanetize.

= phenomenon =
gnome-software 3.12.0-1 currently offers presents products such as Google+, Facebook, BBC iPlayer, Amazon Kindle, Twitter, Google Maps, and perhaps more. The results are displayed when browsing categories or searching in Software, and as matches during routine usage of the gnome-shell overview. The licenses for the products, as listed in gnome-software, are "proprietary".

See https://bugzilla.redhat.com/show_bug.cgi?id=1083817 for the initiating discussion and some screenshots. I've CCd those from the bug's CC list, as a courtesy.

= background analysis =
The situation presents a number of questions:
- Are websites embedded in preconfigured windows subject to the same restrictions as packaged components of Fedora?
- Is the direct presentation of products that are not packaged in Fedora considered compliant?
- Presumably, the code for the applets lives in gnome-software, but they are presented as discrete applications. Is this considered bundling?
- Is the presentation of third party products in this way subject to compliant with the Third Party Repository Policy?
- If these applications are not considered subject to the existing policy, is there existing policy to address them?
- Specific policy aside, does Fesco consider this to be inline with the stated goals of the Board and Project?
- Should the user need to explicitly choose to have this class of products displayed? If so, should the choice be presented within Fedora, or just the potential for choice enabled?
- Your concern here...

= implementation recommendation =

The existing policy addressing the inclusion of third party products presumes that the product would be packaged. The web applets in question are not discretely packaged, and so have not been reviewed for policy compliance. Requiring them to be packaged and undergo review would allow the existing policy to be applied, avoiding the potential cascade of comparisons to web browsers or alternative sources like CPAN, pip, or gem.

Furthermore, while the code for a web applet may be permissively licensed, if applet explicitly depends on a proprietary or restricted product to function, it should not be considered permissible. Taken literally, this could be construed to restrict packages that interface with external services as a whole; in my opinion, such a comparison only provides unhelpful distraction and complication. I encourage FESCo to avoid comparisons to disparate circumstances, and consider such comparisons as separate questions as much as reasonable.

Additionally, maintianers should be categorically advised against this kind of promotion. Regardless of the details of the implementation, and the technical adherence to policy, the end user is being directly presented with something that is contrary to Fedora's Foundations.


To the extent that this ticket has questions regarding the interpretation or implied motivation of the recently-decided Board policy about non-free software, I think the questions should go to the Board.

This does leave a few technical questions for FESCo to solve, but starting with those seems rather pointless to me.

I'll post some technical info to clear a few points up:

gnome-software uses AppStream metadata to return search results. The AppStream metadata is generated from the packageset of Fedora, plus any extra overrides from fedora-appstream. The overrides provide better descriptions, Fedora specific screenshots and that kind of thing. It also provides extra web applications that were chosen by the GNOME Design team and these can be found here: https://github.com/hughsie/fedora-appstream/tree/master/appstream-extra -- the metadata licence is CC0.

So, gnome-software shows the "BBC iPlayer" entry when searching for "iplayer" for instance. When the user clicks "install" all that gnome-software does is create a desktop file in ~/.local/share/applications/ that's a launcher. This allows a "BBC iPlayer" icon to appear in the GNOME shell dash.

If the "BBC iPlayer" item is clicked in GNOME Shell, or "Launch" is clicked in gnome-software then epiphany is used in "app" mode which means we don't show the usual browser chrome and it appears as a web app. You can create other web-apps inside epiphany too.

Now, the AppStream spec requires a <licence> tag for each entry, which I chose "proprietary" for the web-apps, as they is no licencing information available (or would make sense for) things like the Amazon homepage. It would also be disingenuous to mark the web-app as CC0, as that might indicate the web-app is actually free software, when clearly it's not.

I think the real bug here is that we show the "License:" details header at all in gnome-software for GNOME Software. It's not useful, and misleading however you look at it, so I'll probably remove the header in 3.12.1 for web-apps.

Of course, if you're going to stop applications that can possibly use or link to proprietary services from Fedora, Firefox is a pretty good case for rethinking that; There are tons of applications in Fedora using proprietary web-services. I guess it depends on how pragmatic Fedora wants to be, but in the real world users are using non-free web services and this is what the design of GNOME Software reflects.

Of course, if we want to link to free web-apps I'm totally up to adding to the list as long as the applications are of high quality and useful to users. Elad added the "Devdocs.io" application recently which is MPLv2. If we have to add some boilerplate explaining what a non-free web-application is, and why it's not ideal that would be possible, although the designers would hate it and most users would either be confused and the others would find it condescending at best.

To be clear the 'Proprietary' in the licensing field here does not refer to software, but to a service. That said the license labeling as it is currently is confusing so we are looking into removing it for web apps. Fedora has shipped with support for commercial services such as various email services, chat services, twitter and so on for a long time, so this is nothing new. The software used to access these services is open source (GNOME Web)

Replying to [comment:4 uraeus]:

... so this is nothing new.

Showing these websites in the "Start screen" search clearly ''is'' new, even if it were a composition of already existing policies. I think engaging with the objections directly instead of dismissing them as "nothing new" would be more productive—certainly it would help avoid non-solutions to non-problems like removing the "Proprietary" license tag in metadata.

(And I still think that this needs to be a Board ticket; if nothing else, my election promise was to always refer such matters to the Board.)

Replying to [comment:6 mitr]:

Showing these websites in the "Start screen" search clearly ''is'' new

We don't show them in the gnome-software start screen, we only show selected chosen free software. If you want to find them you either have to hunt through the categories manually or enter a search word like "iplayer" or "kindle".

The 'old' behaviour was that you searched for Twitter and was given a list of applications that could send and receive Twitter messages, like Birdie, Gwibber and Hotot Twitter clients.

The 'new' behaviour is that now there is a extra option of launching GNOME Web without browser chrome accessing the twitter website.

So I am trying to deal with the objections by pointing out that this is the same thing we always done, the only difference here is that the new way was marked in the UI as proprietary and thus making people think we are doing something radically different from before.

So the real question here is if we want to purge apps like Birdie, Gwibber, Hotot and remove things like Pidgin and GNOME online accounts because we feel that by including them we are advertising for proprietary services. Doing this would be a quite radical change for Fedora, but trying to make the claim that using Birdie with twitter is somehow 'freeer' than using GNOME Web with twitter is not reasonable.

I have more to weigh in with on this ''after'' I help get all of the Cloud SIG change proposals filed, but I wanted to quickly note that it would be a shame if there were extra "punishment" for being honest about web applications' proprietary nature, and doubly a shame if the "solution" is to sweep that honesty under the rug. (If anything, I think it's probably our responsibility to make this more clear in other places where we integrate deeply with proprietary services, and encourage open options.) I also agree with Mitr that this is a board-level conversation. Anyway, more later.

Replying to [comment:9 mattdm]:

...doubly a shame if the "solution" is to sweep that honesty under the rug...

I have no idea if the amazon kindle site uses AGPLv3+, BSD or proprietary components, or a mixture of the above. The data simply isn't available. With the new metadata gnome-software simply has "License: Unknown"

I'm open for the board to make suggestions on how we should convey this, on the premise they talk to the Fedora or GNOME design teams and get buy-in there first, otherwise I'm piggy-in-the-middle, again.

Replying to [comment:10 rhughes]:

I have no idea if the amazon kindle site uses AGPLv3+, BSD or proprietary components, or a mixture of the above. The data simply isn't available. With the new metadata gnome-software simply has "License: Unknown"

Not to bikeshed too much, but how about 'unknown (web application)" or something?

I'm open for the board to make suggestions on how we should convey this, on the premise they talk to the Fedora or GNOME design teams and get buy-in there first, otherwise I'm piggy-in-the-middle, again.

Totally fair, yes. The requirements should be clear and then they can be designed for.

Replying to [comment:10 rhughes]:

I have no idea if the amazon kindle site uses AGPLv3+, BSD or proprietary components, or a mixture of the above. The data simply isn't available. With the new metadata gnome-software simply has "License: Unknown"

A good question to ask is if it even makes sense to try. It is not like we warn people connecting to the network using Fedora that we can not guarantee that the DHCP server used by their ISP is 100% free software. I think this is why even RMS tends to draw a quite clear line between local applications and web services in terms of licensing expectations.

Replying to [comment:7 rhughes]:

Replying to [comment:6 mitr]:

Showing these websites in the "Start screen" search clearly ''is'' new

We don't show them in the gnome-software start screen, we only show selected chosen free software.

To clarify, I was referring to things like http://immanetize.fedorapeople.org/screenshots/cha-overview-results.png , not gnome-software.

Replying to [comment:13 mitr]:

To clarify, I was referring to things like http://immanetize.fedorapeople.org/screenshots/cha-overview-results.png

That looks more like a bug; I'd be suprised if the webapps were the only thing to match on such small keywords.

You know there is a difference in advertising FOSS software that can be used for a commercial, proprietary service and advertising the commercial, proprietary service itself. I just don't see why a small group of GNOME people are trying to push all this non-FOSS stuff into Fedora. It's not what we stand for and violates our very core values.

sparks, can you add me to the CC for that ticket, please? And, possibly, the advisory-board public list? These discussions should be in the open.

Replying to [comment:16 sparks]:

You know there is a difference in advertising FOSS software that can be used for a commercial, proprietary service and advertising the commercial, proprietary service itself. I just don't see why a small group of GNOME people are trying to push all this non-FOSS stuff into Fedora. It's not what we stand for and violates our very core values.

You might feel that offering an application that doesn't do anything if twitter is not available is very different from offering a chromeless browser with that service. I do not.

And you might personally think that accessing the internet goes against 'the FOSS philosophy', but I sincerely hope that is not the mindset of the wider Fedora community.

Replying to [comment:19 uraeus]:

And you might personally think that accessing the internet goes against 'the FOSS philosophy', but I sincerely hope that is not the mindset of the wider Fedora community.

I really wish you would stop putting words in my mouth as it only makes you appear more ignorant.

Replying to [comment:18 mattdm]:

sparks, can you add me to the CC for that ticket, please? And, possibly, the advisory-board public list? These discussions should be in the open.

Done. I'm not sure if adding the advisory-list to the CC will work but I added it.

Seeing as I can't even view the other ticket, when the board has decided what needs to be done and got approval from the Fedora design team, then please email me or re-open the original bug. Please be aware that string changes or additions can't be done upstream due to translation freezes in effect upstream, but could be done in Fedora but without translations.

I'm not sure I can add more to the 'discussion' here.

Richard

I use GNOME and am generally satisfied with it and the design direction. I think gnome-software is great, and appreciate Richard's work on it, AppData, and Appstream. I also recognize that a web applet of this kind probably isn't presenting any issues about permissible redistribution (except for perhaps the trademarked logos as icons, which could be or are already loaded dynamically).

My objection isn't about how these products are labeled, or the implementation details behind presenting them. Fedora's long-standing commitment to free software can be perceived as compromised by the inclusion of things like this. I think it's a good idea to have a stable, documented software installation utility that organizations like Google and Twitter can target with web apps or even native applications. They have funding for development and marketing, and I have no objection against reaching out to them to let them know how discerning users can opt in to third party products' presentation in Software.

They don't need our help reaching users. It's "just a web app", sure, but the minor convenience offered doesn't outweigh even the perceived compromise of Fedora's values. Changing implementation details, labeling, or rationalizing comparisons to other packages that use third party services do not remove the third party products from the user experience.

Replying to [comment:20 sparks]:

Replying to [comment:19 uraeus]:

And you might personally think that accessing the internet goes against 'the FOSS philosophy', but I sincerely hope that is not the mindset of the wider Fedora community.

I really wish you would stop putting words in my mouth as it only makes you appear more ignorant.

How about we all refrain from insinuating bad intentions on the other side ?

Trac doesn't let me see the board ticket you filed, but I did get an email about it which revealed the title you chose:

GNOME 3.12 pushes Google and other commercial, non-FOSS "apps" at users

'push' - really ? Like a drug dealer ?! Is that what you think of us, just because we don't quite meet your standards of purity ?

We are not pushing anything at users, we are offering meaningful search results when users search for software that is very widely used.

Replying to [comment:24 mclasen]:

'push' - really ? Like a drug dealer ?! Is that what you think of us, just because we don't quite meet your standards of purity ?

We are not pushing anything at users, we are offering meaningful search results when users search for software that is very widely used.

The offerings that you mention are encouraging the use of non-FOSS services and software. Fedora has gone through and removed Google search functionality from its websites because it violates our Foundations. The inclusion of Google products in our operating system similarly violates these Foundations, IMO. Of more concern I'm not sure where this ends. If we offer Google search why not Bing? And if we offer Google Docs then why not Microsoft Office Live (and won't that be a treat to start typing 'office' to bring up LibreOffice and get an advertisement for Microsoft Office Live).

I'm not against the functionality but I am against having these offerings pushed to the user without the user asking for them. The user should have to install a repo (or similar) because they want to see Google products (or whatever). We shouldn't be advertising their proprietary services for them.

With the addition of Google, Amazon, Facebook, Dropbox, and others, it appears that Fedora is sanctioning their use. Believe it or not, what GNOME has done is start their own advertising system. This system isn't an opt-in system (can you even opt-out?).

The way that GNOME has implemented this is expressly against what the [http://meetbot.fedoraproject.org/fedora-meeting-1/2014-01-23/fedora_board.2014-01-23-19.01.html Board decided]: "The board believes that shipping repository metadata that points at non-free software is incompatible with Fedora's foundations". All of the services that GNOME now points to are non-free solutions.

Replying to [comment:25 sparks]:

The way that GNOME has implemented this is expressly against what the Board decided

I'm sorry, but I had to reply to this as this points the gun squarely at me, and that's not fair:

"The board believes that shipping repository metadata

It's not repository metadata.

that points at non-free software

It's not software, it's a web-service. Even RMS makes the distinction between the two. I'm not sure how much clearer I can make it -- it's a link to a website -- nothing more! I'm really going round in circles here.

is incompatible with Fedora's foundations"

Then a lot of software in Fedora also has to be ripped out if using a non-free webservice is incompatible with Fedora.

. All of the services that GNOME now points to are non-free solutions.

Incorrect, we also have free web services there too, like devdocs.io -- and others can be added if popular and useful.

Richard

Replying to [comment:23 immanetize]:

My objection isn't about how these products are labeled, or the implementation details behind presenting them. Fedora's long-standing commitment to free software can be perceived as compromised by the inclusion of things like this.

Well then we as a community need to communicate what we are doing and why. We can't let a fear of how something could be perceived stop us from making the best decisions for our system. A bigger threat to Fedora's future than any impression of having compromised on our commitment to free software is if we end up with the image that if you use twitter, google plus or similar you are not pure enough to be part of the Fedora community.

I think it's a good idea to have a stable, documented software installation utility that organizations like Google and Twitter can target with web apps or even native applications. They have funding for development and marketing, and I have no objection against reaching out to them to let them know how discerning users can opt in to third party products' presentation in Software.

They do have the funding for development and marketing, but we are fooling ourselves if we think that they are going to spend that funding on us. We are simply not that important or have the kind of userbase defending any kind of special effort. The likelyhood of Google deciding that continued support for Fedora with Chrome is not worth it is a lot higher than the chance they deciding they are going to spend time and money on advertising themselves to our users, especially so when the project message is that using Chrome on Fedora is a bit unsavory. I sometimes feel that there is a belief in the Fedora community that we are somehow so important that major organizations and companies are going to change policies or spend a lot of money on accommodating us, this is probably as far from the truth as you can possibly come. For example if Google says that only 100% open source drivers will be certified for Android, then yes the driver makers will take notice and re-think their driver strategy. Fedora does not in any way or form hold that kind of market influence, in fact any such moves on our part just makes people drop the already near bottom support they offer for our system.

They don't need our help reaching users. It's "just a web app", sure, but the minor convenience offered doesn't outweigh even the perceived compromise of Fedora's values. Changing implementation details, labeling, or rationalizing comparisons to other packages that use third party services do not remove the third party products from the user experience.

To be fair I think we need them a lot more than they need us. It is not Twitter or Google needing us and our users, it is we who need them to offer our users a compelling experience. Fedora has become a non-player in the operating system arena. When was the last time you saw a major new effort be built using Fedora as the starting point? The last I can think of was Sugar for OLPC, which is not exactly news anymore. More recent efforts like Linaro, OpenStack, Docker, SteamOS and ChromeOS all use other systems than Fedora, in fact Fedora as far as I know none of them even considered it. So in some of these cases there are people reaching out and doing things to bring Fedora into these spaces, but a future as the eternal also-ran is not a very interesting one.

Fedora can choose to be the operating system for those who out of a principled stand on freedom refuse to use twitter, gmail/gtalk, msn chat, facebook and so on. But that is a very limited space to inhabit and one that is likely to guarantee that Fedora becomes a very insular community with little impact on the world around it.

Replying to [comment:25 sparks]:

Replying to [comment:24 mclasen]:

'push' - really ? Like a drug dealer ?! Is that what you think of us, just because we don't quite meet your standards of purity ?

We are not pushing anything at users, we are offering meaningful search results when users search for software that is very widely used.

The offerings that you mention are encouraging the use of non-FOSS services and software. Fedora has gone through and removed Google search functionality from its websites because it violates our Foundations. The inclusion of Google products in our operating system similarly violates these Foundations, IMO. Of more concern I'm not sure where this ends. If we offer Google search why not Bing? And if we offer Google Docs then why not Microsoft Office Live (and won't that be a treat to start typing 'office' to bring up LibreOffice and get an advertisement for Microsoft Office Live).

I'm having a lot of trouble squaring your assertion that Fedora has removed all of those things from software within Fedora when I am typing this in a default Fedora Firefox browser that has a search bar that offers search from: Google (default), Yahoo, Bing, Amamzon.com, DuckDuckGo, eBay, Twitter, and Wikipedia. Firefox is already offering these services within the context of software installed in a default Fedora install.

I'm not against the functionality but I am against having these offerings pushed to the user without the user asking for them. The user should have to install a repo (or similar) because they want to see Google products (or whatever). We shouldn't be advertising their proprietary services for them.

Should Firefox then be modified in Fedora to remove those default search services I mentioned above? If so, I believe we would run the risk of Mozilla trademark issues and have to rebrand it to iceweasel or whatever.

Replying to [comment:23 immanetize]:

I also recognize that a web applet of this kind probably isn't presenting any issues about permissible redistribution (except for perhaps the trademarked logos as icons, which could be or are already loaded dynamically).

Do these icons indeed load dynamically? Does this mean that when I'm searching on Gnome-Shell and get Twiiter as a result, my machine requests the logo from twitter.com? If that's the case there is also a privacy problem here.

Replying to [comment:29 comzeradd]:

Do these icons indeed load dynamically?

Yes.

my machine requests the logo from twitter.com

We use the images provided for the press for each site, for instance http://cdn3.rd.io/user/press/rdio-icon.png -- we're not allowed to redistribute the logos. Note, if you're going to go down that paranoid rabbit-hole, lots of other software downloads images as well, for instance gnome-boxes downloads the product logos for the OS's it installs as they too are non-redistributable.

I also don't see the privacy implications -- it's no different to visiting CNN or the BBC news and the twitter image there being downloaded at runtime. You don't go on a website and interactively agree to each resource being loaded from a different domain. Ubuntu loading product images for specific search results without proxying is bad, but this is a completely different thing altogether.

When I visit CNN or BBC news and Twitter is tracking me, that's a problem. I can run Ghostery to help mitigate that. I would hate to get into a situation where Gnome Shell needs Ghostery.

Also: there is a difference of expectation in privacy when I am doing a search using the quick overview search (my favorite Gnome 3 UI feature, hands down!) and when I am using a web browser. I expect the latter to generate traffic to third party networks, but it's reasonable to consider it surprising for the former.

I recognize that it is genuinely in the name of friendliness and ease on our side, but there also are side effects.

Replying to [comment:31 mattdm]:

When I visit CNN or BBC news and Twitter is tracking me, that's a problem. I can run Ghostery to help mitigate that. I would hate to get into a situation where Gnome Shell needs Ghostery.

Also: there is a difference of expectation in privacy when I am doing a search using the quick overview search (my favorite Gnome 3 UI feature, hands down!) and when I am using a web browser. I expect the latter to generate traffic to third party networks, but it's reasonable to consider it surprising for the former.

I recognize that it is genuinely in the name of friendliness and ease on our side, but there also are side effects.

I'm not sure I understand your concern. The shell and installer are grabbing an icon file from the various sites. Yes, it's generating traffic to the site to grab that, but in the context of "tracking" that normally implies cookies and/or js running on your machine from the site. There are no cookies or js execution being done here. Twitter can't track that you moved on to searching for something else after the icon is fetched. At most I would think they could log that your IP address issued an http request for the icon. There is no further tracking being done.

Replying to [comment:32 jwboyer]:

I'm not sure I understand your concern. The shell and installer are grabbing an icon file from the various sites. Yes, it's generating traffic to the site to grab that, but in the context of "tracking" that normally implies cookies and/or js running on your machine from the site. There are no cookies or js execution being done here. Twitter can't track that you moved on to searching for something else after the icon is fetched. At most I would think they could log that your IP address issued an http request for the icon. There is no further tracking being done.

The IP address and pattern of requests can be correlated and connected. It's not something that I'm particularly personally worried about, given the practically unavoidable aura of this type information we can't help but give off all the time. But, I also don't think it's fair to dismiss as "a paranoid rabbit-hole". At the very least, the BBC and CNN have statements about third-party information tracking in their privacy policies. Just like not wanting to have to have Ghostery for Gnome Shell, I'm not keen on needing such a privacy policy either, and I do think we should take privacy-friendly concerns into account as well as ease-of-use concerns.

Anyway, as I said in the board ticket, I think there are at least three separate issues here (none of which are the icon/tracking issue). They are:

  1. Presentation of proprietary web services as applications in Gnome Software and Gnome Shell search. (Subtopic: does this differ from a wrapper which downloads Java or native code and runs that in a sandbox?)
  2. Curation of the list of services that are presented — should this be a Fedora community process (and if so, how can we make that open without being heavyweight?)
  3. How we deal with applications with the sole purpose of interacting with a proprietary service, in general, whether they are wrapped websites or local open source code.

Of these:

I think the first is an area where FESCo can helpfully draw up some technical guidance on where exactly we see the lines and what specific attributes are important to make clear to end users, and then the designers can work out how to do that.

The second hinges on a board issue (e.g., should Fedora concern itself here with what links to web applications are included), but if the board thinks this is an important area, FESCo can work out the practical who/what/how details of the process.

And the third, I think, is very much a board decision.

Replying to [comment:27 uraeus]:

Replying to [comment:23 immanetize]:
A bigger threat to Fedora's future than any impression of having compromised on our commitment to free software is if we end up with the image that if you use twitter, google plus or similar you are not pure enough to be part of the Fedora community.

This is a false dichotomy. I'm not advocating any measures to prevent users from opting in to proprietary or commercial products. The Fedora Project proper does not need to directly provide these products for them to be used by the community.

I think it's a good idea to have a stable, documented software installation utility that organizations like Google and Twitter can target with web apps or even native applications. They have funding for development and marketing, and I have no objection against reaching out to them to let them know how discerning users can opt in to third party products' presentation in Software.

They do have the funding for development and marketing, but we are fooling ourselves if we think that they are going to spend that funding on us. We are simply not that important or have the kind of userbase defending any kind of special effort. The likelyhood of Google deciding that continued support for Fedora with Chrome is not worth it is a lot higher than the chance they deciding they are going to spend time and money on advertising themselves to our users, especially so when the project message is that using Chrome on Fedora is a bit unsavory. I sometimes feel that there is a belief in the Fedora community that we are somehow so important that major organizations and companies are going to change policies or spend a lot of money on accommodating us, this is probably as far from the truth as you can possibly come. For example if Google says that only 100% open source drivers will be certified for Android, then yes the driver makers will take notice and re-think their driver strategy. Fedora does not in any way or form hold that kind of market influence, in fact any such moves on our part just makes people drop the already near bottom support they offer for our system.

As I understand it, there's a venture underway called Fedora Workstation, with a primary goal of providing a stable target environment for third party developers. I would be very disappointed to find that this goal had taken a tangent, that the product's proponents felt that third parties would never target Fedora, and that Fedora should take on the job of promoting external products instead.

...
Fedora can choose to be the operating system for those who out of a principled stand on freedom refuse to use twitter, gmail/gtalk, msn chat, facebook and so on. But that is a very limited space to inhabit and one that is likely to guarantee that Fedora becomes a very insular community with little impact on the world around it.

Fedora could also choose to be free software, with the capacity to coexsist with such things on an individual's machine - and you could choose to invest your efforts to bring twitter and facebook to Fedora users into an external project, one that users could opt into. I'm not saying that these things are inherently evil, I'm saying that the fact that people will use them anyway doesn't obligate Fedora to provide them.

Replying to [comment:33 mattdm]:

Replying to [comment:32 jwboyer]:

I'm not sure I understand your concern. The shell and installer are grabbing an icon file from the various sites. Yes, it's generating traffic to the site to grab that, but in the context of "tracking" that normally implies cookies and/or js running on your machine from the site. There are no cookies or js execution being done here. Twitter can't track that you moved on to searching for something else after the icon is fetched. At most I would think they could log that your IP address issued an http request for the icon. There is no further tracking being done.

The IP address and pattern of requests can be correlated and connected.

By whom? Individual sites might be able to see you've hit the URL for the icon. However, unless various sites are sharing http GET request information with each other, I don't see how there can be any connection done between the individual icon requests. As far as I can see, all that can be said is "this IP address requested this icon X times over X seconds/minutes/days".

It's not something that I'm particularly personally worried about, given the practically unavoidable aura of this type information we can't help but give off all the time. But, I also don't think it's fair to dismiss as "a paranoid rabbit-hole". At the very least, the BBC and CNN have statements about third-party information tracking in their privacy policies. Just like not wanting to have to have Ghostery for Gnome Shell, I'm not keen on needing such a privacy policy either, and I do think we should take privacy-friendly concerns into account as well as ease-of-use concerns.

I'm not saying it's "paranoid rabbit-hole". I'm asking you to elaborate how this would be a privacy concern beyond "this IP address accessed this URL". In other words, I would really like to limit this concern to the actual things that can happen and not make it larger than it really is.

Replying to [comment:35 immanetize]:

Replying to [comment:27 uraeus]:

Replying to [comment:23 immanetize]:

Fedora could also choose to be free software, with the capacity to coexsist with such things on an individual's machine - and you could choose to invest your efforts to bring twitter and facebook to Fedora users into an external project, one that users could opt into. I'm not saying that these things are inherently evil, I'm saying that the fact that people will use them anyway doesn't obligate Fedora to provide them.

Yes I understand that this is the option a lot of people want us to take, and we are due to this investigating the option of setting up some kind of external to Fedora project where we basically re-roll the workstation under a different brand name and turn all these integration options on. So that the Fedora Workstation in some sense becomes a whitebox product for this external option. But it is a step I dearly hope we can avoid taking as it inevitably leads to a situation of competing with ourselves both for users and for development time and resources.

Replying to [comment:37 uraeus]:

Replying to [comment:35 immanetize]:

Replying to [comment:27 uraeus]:

Replying to [comment:23 immanetize]:

Fedora could also choose to be free software, with the capacity to coexsist with such things on an individual's machine - and you could choose to invest your efforts to bring twitter and facebook to Fedora users into an external project, one that users could opt into. I'm not saying that these things are inherently evil, I'm saying that the fact that people will use them anyway doesn't obligate Fedora to provide them.

Yes I understand that this is the option a lot of people want us to take, and we are due to this investigating the option of setting up some kind of external to Fedora project where we basically re-roll the workstation under a different brand name and turn all these integration options on. So that the Fedora Workstation in some sense becomes a whitebox product for this external option. But it is a step I dearly hope we can avoid taking as it inevitably leads to a situation of competing with ourselves both for users and for development time and resources.

That does seem like an extreme course. I was thinking of something more like RPMFusion and less like forking the distribution. Are the changes that you'd like to make so broad that a more modular approach isn't reasonable?

Replying to [comment:36 jwboyer]:

Replying to [comment:33 mattdm]:

It's not something that I'm particularly personally worried about, given the practically unavoidable aura of this type information we can't help but give off all the time. But, I also don't think it's fair to dismiss as "a paranoid rabbit-hole". At the very least, the BBC and CNN have statements about third-party information tracking in their privacy policies. Just like not wanting to have to have Ghostery for Gnome Shell, I'm not keen on needing such a privacy policy either, and I do think we should take privacy-friendly concerns into account as well as ease-of-use concerns.

I'm not saying it's "paranoid rabbit-hole". I'm asking you to elaborate how this would be a privacy concern beyond "this IP address accessed this URL". In other words, I would really like to limit this concern to the actual things that can happen and not make it larger than it really is.

Or to put this another way, neither you nor I are domain experts in what is possible to gather from the icon requests of gnome-shell and software-installer. Before claiming any form of privacy concern, it would be prudent to get the opinion of such a domain expert. Gathering and presenting the facts around this would be the correct course of action before making any decisions based on the privacy aspects of this.

Replying to [comment:39 jwboyer]:

Replying to [comment:36 jwboyer]:

I'm not saying it's "paranoid rabbit-hole". I'm asking you to elaborate how this would be a privacy concern beyond "this IP address accessed this URL". In other words, I would really like to limit this concern to the actual things that can happen and not make it larger than it really is.

Or to put this another way, neither you nor I are domain experts in what is possible to gather from the icon requests of gnome-shell and software-installer. Before claiming any form of privacy concern, it would be prudent to get the opinion of such a domain expert.

(As if it mattered for the larger discussion... I suppose I find this a fun activity.)

Assuming that
* the order of results in the search, at least in the "suggested apps" section, is consistent/predictable (very likely to be true)
* that search results are generated for even very short search terms (as they are on F19)
this would leak the prefix of the search being made to ''anyone'' on the network path (e.g. wifi provider or a peer on the same unencrypted network). The search term may include what application is being started, or the prefix of a document name, or other private information.

Note that this doesn't require the server ''hosting'' the icon to snoop, ''anyone'' can.

Mitigating factors are
* primarily caching or preloading, if any, of the icons (there would be a big difference between accessing the icon e.g. once a month, and accessing it every time a search for anything starting with "f" happened; I don't know what the implementation does)
* secondarily a limit of how much of a prefix would be recognizable (after the app suggestions stop changing, typing more letters doesn't reveal anything)
* how much such a prefix reveals ("Resi"[gn] is interesting, "2014 " not so much); this strongly depends on the other information known about the subject
* if there were many other search results so that the app suggestions both wouldn't be displayed, and wouldn't lead to fetching the icon even if it weren't displayed, the network access would obviously not happen.

'''Taking the question of caching mitigating the problem aside for the rest of the analysis:'''

This essentially allows a network observer to see, after seeing which public websites the victim is reading (which they can do anyway), what offline-only documents (or encrypted-only documents, like on Google Drive), the victim is interacting with as a consequence.

This wouldn't be individually worse than "what all of the internet is doing to a paranoid person" (sky is falling!). It is unordered in badness with the Windows 8 start screen (which may send to Microsoft the full text, but only to Microsoft).

It does compose with other leaked information (whether that other information was leaked knowingly, unknowingly or inevitably), especially for a case of a targeted attack.

WRT privacy, this is primarily an ''"unforced error"''. We have enough storage space to preload all the icons we would show, or we can opt to just not have non-installed applications in the search results. Again, it's not a "sky is falling" situation like heartbleed, but leaking small amounts of data is a bad habit to get into, and small leaks very quickly compose into very specific and full dossiers.

Replying to [comment:40 mitr]:

WRT privacy, this is primarily an ''"unforced error"''. We have enough storage space to preload all the icons we would show, or we can opt to just not have non-installed applications in the search results. Again, it's not a "sky is falling" situation like heartbleed, but leaking small amounts of data is a bad habit to get into, and small leaks very quickly compose into very specific and full dossiers.

On this one single point, given that it's logos we are talking about, the (assumed) barrier to pre-loading/pre-shipping all of them is legal/trademark, not anything related to disk space for storage.

Replying to [comment:40 mitr]:

this would leak the prefix of the search being made to ''anyone'' on the network path

No. We only request the icon, no search text is sent to the remote site. To do so would be completely unnecessary. We just go one HTTP GET request with no data and get back the icon.

  • primarily caching or preloading, if any, of the icons

The icons are of course cached, and could be preloaded at session start, but not shipped with the package.

Replying to [comment:42 rhughes]:

Replying to [comment:40 mitr]:

this would leak the prefix of the search being made to ''anyone'' on the network path

No. We only request the icon, no search text is sent to the remote site. To do so would be completely unnecessary. We just go one HTTP GET request with no data and get back the icon.

Thanks for confirming that.

I'll take mitr's credentials as a domain expert. But, overall, I want to emphasize that this particular concern is secondary to the big picture -- except, perhaps, that the fact that we have to take such measures even to show the icons seems like a red flag that we may be straying from the Fedora mission of "advanc[ing] free and open source software and ''content''", emphasis on content added.

I certainly don't want the board to be overwhelmed with wrangling with details of interpretation, but it seems like there are ambiguities in how everyone is understanding the Board's previous statement. So, I guess to add to the three previous topics, a direct question about [https://fedorahosted.org/fesco/ticket/1273#comment:27 Christian's comment #27]:

  1. Is the display of popular non-free web services in software and desktop search results acceptable within the spirit of Fedora's mission to lead the advancement of free and open source software and content?

I think these are fair summaries: On one side, the argument that no, this is explicitly promoting non-free options, possibly over free alternatives, and must be banned. On the other side, the argument that the net benefit to the free and open software in Fedora itself leads to overall advancement. And I suppose there is a middle option: while this does not necessarily lead to the advancement, it is not considered forbidden either. Does that all sound about right just as statements of position?

And, of course, there's plenty of room for nuance: what about linking to Stack Exchange, which is proprietary software but strongly in support of open, Creative Commons content, or GitHub, which hosts millions of free and open source projects but is itself closed? Take these as example questions here, though, because this really is a board-level strategic issue.

Err, actually, I guess that's really what I'm already asking with question 1, just spelled out a little more.

Replying to [comment:41 notting]:

Replying to [comment:40 mitr]:

We have enough storage space to preload all the icons we would show

On this one single point, given that it's logos we are talking about, the (assumed) barrier to pre-loading/pre-shipping all of them is legal/trademark, not anything related to disk space for storage.

We could preload them in initial-setup, on first session start, or after a metadata update.

Replying to [comment:42 rhughes]:

Replying to [comment:40 mitr]:

this would leak the prefix of the search being made to ''anyone'' on the network path

No. We only request the icon, no search text is sent to the remote site. To do so would be completely unnecessary.

The information is already leaked implicitly by ''which'' icon is being requested.

Replying to [comment:44 mattdm]:

I'll take mitr's credentials as a domain expert. But, overall, I want to emphasize that this particular concern is secondary to the big picture --

1) Mitr's credentials are fine. His assumptions have proven to be incorrect in his initial assessment though.

2) You are the one that brought up privacy concerns. If that is a legitimate concern, it needs to be assessed at a technical level and facts (not assumptions) need to be presented to the Board so they can correctly evaluate the concern at a project level.

Replying to [comment:46 mitr]:

Replying to [comment:41 notting]:

Replying to [comment:40 mitr]:

We have enough storage space to preload all the icons we would show

On this one single point, given that it's logos we are talking about, the (assumed) barrier to pre-loading/pre-shipping all of them is legal/trademark, not anything related to disk space for storage.

We could preload them in initial-setup, on first session start, or after a metadata update.

Replying to [comment:42 rhughes]:

Replying to [comment:40 mitr]:

this would leak the prefix of the search being made to ''anyone'' on the network path

No. We only request the icon, no search text is sent to the remote site. To do so would be completely unnecessary.

The information is already leaked implicitly by ''which'' icon is being requested.

If it is a simple http GET request of the icon, how are those search terms being leaked to the network? The network, site, etc has no idea whether a user searched for "twitter" or "social network" or "pictures of giant pandas."

Replying to [comment:48 jwboyer]:

The information is already leaked implicitly by ''which'' icon is being requested.

If it is a simple http GET request of the icon, how are those search terms being leaked to the network? The network, site, etc has no idea whether a user searched for "twitter" or "social network" or "pictures of giant pandas."

Assuming that the search doesn't show Facebook for ''every'' possible search query :), and, as I said earlier,

the order of results in the search, at least in the "suggested apps" section, is consistent/predictable (very likely to be true)
one can build a dictionary of (short string -> set of fetched icons), and then use it in the other direction.

It's good that the icons are cached; that makes the problem much less severe in any case (but not having the problem at all but still be better).

Replying to [comment:47 jwboyer]:

2) You are the one that brought up privacy concerns.

No, I am not. That was comzeradd.

Replying to [comment:50 mattdm]:

Replying to [comment:47 jwboyer]:

2) You are the one that brought up privacy concerns.

No, I am not. That was comzeradd.

OK, apologies. The rest of my #2 bullet point still stands.

Replying to [comment:41 notting]:

On this one single point, given that it's logos we are talking about, the (assumed) barrier to pre-loading/pre-shipping all of them is legal/trademark, not anything related to disk space for storage.

Speaking of rabbit-holes, has Legal ACKed the idea that precaching or fetching in the background and displaying as potential search results avoids the assumed barrier? That is ''definitely'' an area where I don't have the domain knowledge, but it may also make a lot of this moot.

Replying to [comment:38 immanetize]:

Replying to [comment:37 uraeus]:

Replying to [comment:35 immanetize]:

Replying to [comment:27 uraeus]:

Replying to [comment:23 immanetize]:

Fedora could also choose to be free software, with the capacity to coexsist with such things on an individual's machine - and you could choose to invest your efforts to bring twitter and facebook to Fedora users into an external project, one that users could opt into. I'm not saying that these things are inherently evil, I'm saying that the fact that people will use them anyway doesn't obligate Fedora to provide them.

Yes I understand that this is the option a lot of people want us to take, and we are due to this investigating the option of setting up some kind of external to Fedora project where we basically re-roll the workstation under a different brand name and turn all these integration options on. So that the Fedora Workstation in some sense becomes a whitebox product for this external option. But it is a step I dearly hope we can avoid taking as it inevitably leads to a situation of competing with ourselves both for users and for development time and resources.

That does seem like an extreme course. I was thinking of something more like RPMFusion and less like forking the distribution. Are the changes that you'd like to make so broad that a more modular approach isn't reasonable?

Because the goal of is to create a popularly successful operating system, not to create an obscure repository for a distribution who wants nothing to do with it?

I have a couple of questions. And, please don't interpret these as rhetorical devices to make some point — from what I am hearing from people, I think the answers are legitimately different between the people advocating for different Fedora positions. Well-articulated answers will help us make the right decision. I'm going to try to ask without any particular bias; if you detect such bias, please read it as an unintentional accident of wording. If possible, I'd to have both technical answers understandable by passionate geeks, and two-line "elevator" explanation ones could give to an intelligent fifth-grader. I think that some of the higher-level talk has people frustrated and talking past each other, so, this being FESCo, let's go back to some of the engineering basics.

So, first:

  • What, if anything, is the difference between
    a. transparently downloading an HTML + Javascript webapp to a temporary cache and running it (in a fully open source runtime, in this case Gnome Web) seamlessly as what appears to the end user be a "native" way;
    b. transparently downloading a pure Java application in the same way and running it (in a fully open source runtime, e.g. OpenJDK) seamlessly in a similar way;
    c. transparently downloading game content in the same way and running it in a fully open source runtime for that data, and
    d. transparently downloading native code and running it in a seamless application sandbox?

I have some other questions along these lines, but let's start with that.

I'm not asking at this point for any arguments about what we ''should'' do in each case; just for the differences if any. (And if someone's position is that ''all'' of the cases are on one side of some line, but there's a different case that would be on the other side, please explain that too.)

My goal here is to spell out some strong technical positions in enough detail that we can separate the policy (and, let's be honest, emotional) issues. It may be that there is a middle approach with more overlap than it seems, and we can end up with a policy that satisfies all of the concerns and which everyone can feel good about — or, at least, feel ''okay'' about.

And in the interest of making this into not a "gotcha", which is certainly not the intention:

For "c", I specifically have the "autodownloader" used by the Games SIG in mind, and dim remembrance of a discussion about that in 2008. https://fedoraproject.org/wiki/FWN/Issue119. In some cases, the "data" downloaded is not just graphic and sound resources but logic as well.

In today's Board meeting one clear item was decided:

"Software not included in the Fedora repositories must be clearly differentiated when presented to the user (+1:6 -1:1)"

Please work with the developers on making this distinction in the software-installer and gnome-shell.

As to the remaining issues, further discussion is still needed. The full logs are here:

http://meetbot.fedoraproject.org/fedora-meeting-1/2014-04-10/fedora-meeting-1.2014-04-10-18.00.log.html

Replying to [comment:56 jwboyer]:

Please work with the developers...

Not the developers: the designers. GNOME now has a design team, developers don't really do UI design and UX any more.

And at least one developer has made it fairly clear that he just wants this to get worked out and does not want to be stuck in the middle. :)

Richard, Christian, Matthias: who are the designers involved here, and what's the best way to talk to them about implementation of this board decision?

Replying to [comment:59 mattdm]:

Richard, Christian, Matthias: who are the designers involved here

The two main designers of "Software" have been Allan and Jakub, both available in #gnome-design on GIMPNet with the IRC names of aday and jimmac.

Kalev asked me to pass along that gnome-software now distinguishes webapps. This was done under https://bugzilla.gnome.org/show_bug.cgi?id=725002#c8. A screenshot is included here: http://kalev.fedorapeople.org/gnome-software-details-google-drive.png

On the one hand, I'd really like to avoid bikeshedding the design, but... "app only works with an internet connection" != "app is a web application", given that you're talking about things ranging from SimCity to Evolution to Firefox to gmail.

Replying to [comment:62 notting]:

On the one hand, I'd really like to avoid bikeshedding the design, but... "app only works with an internet connection" != "app is a web application", given that you're talking about things ranging from SimCity to Evolution to Firefox to gmail.

Correct. In my advisory-board post, I focused mostly on the fact that upstream is already making changes in this area without being contacted by FESCo. Now would be the time to talk to them since they're already working on it.

CC'ing Kalev.

FESCo discussed this at the 2014-04-16 FESCo meeting. Given the board task in comment #56 above, we'd like to work with you on this. In the general FESCo opinion, what's shown in http://kalev.fedorapeople.org/gnome-software-details-google-drive.png doesn't really meet the board criteria above.

Replying to [comment:63 jwboyer]:

In my advisory-board post, I focused mostly on the fact that upstream is already making changes in this area without being contacted by FESCo. Now would be the time to talk to them since they're already working on it.

Yes, that change wasn't meant to fully address Board's concerns, just something that we were working on separately.

Replying to [comment:65 notting]:

CC'ing Kalev.

FESCo discussed this at the 2014-04-16 FESCo meeting. Given the board task in comment #56 above, we'd like to work with you on this.

Sure, thanks for CC'ing me. If you could you open a ticket at https://bugzilla.gnome.org/enter_bug.cgi?product=gnome-software , that would be a good start. I can then ask the designers working on gnome-software (Allan and Jakub) to help come up with a way to address the concerns.

Any news here? From reading the upstream bug, it looks like discussion with the designers stalled a bit.

Replying to [comment:68 toshio]:

From reading the upstream bug, it looks like discussion with the designers stalled a bit.

Well, nothing more than that upstream bug -- I think Allan is waiting from a response from Matthew.

Replying to [comment:69 rhughes]:

Well, nothing more than that upstream bug -- I think Allan is waiting from a response from Matthew.

Matthew ''me''? Huh, that was not clear to me. I apologize. I didn't mean to insert myself as a blocker simply by commenting.

I guess I can take that response back to the Fedora Board and see if that fits the response. I also didn't mean to insert myself as a middleman. Since I'm now a board member, that may be different — but since this was before that, I don't know if I'm really the best one to represent the request.

We've gone five months without any activity on this ticket. Matthew, did the Board ever make a decision on this (and was it implemented)?

The upstream ticket is resolved and the descriptions that are shown in gnome-software now clearly state that these are webapps, e.g.:

"This webapp provides a quick way to launch a web browser to access Google Drive."

I hope we can close this now but just to be sure adding it back to meeting.

This topic will be discussed at FESCo meeting on Wednesday 2014-11-19 on 18:00 UTC.

The web apps are clearly marked, we can close the ticket.

Login to comment on this ticket.

Metadata