Debian Bug report logs - #681721
popularity-contest: option to limit the list of packages sended to popcon

version graph

Package: popularity-contest; Maintainer for popularity-contest is Popularity Contest Developers <popcon-developers@lists.alioth.debian.org>; Source for popularity-contest is src:popularity-contest.

Reported by: Stéphane Blondon <stephane.blondon@gmail.com>

Date: Sun, 15 Jul 2012 22:27:01 UTC

Severity: wishlist

Found in version popularity-contest/1.55

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Popularity Contest Developers <popcon-developers@lists.alioth.debian.org>:
Bug#681721; Package popularity-contest. (Sun, 15 Jul 2012 22:27:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stéphane Blondon <stephane.blondon@gmail.com>:
New Bug report received and forwarded. Copy sent to Popularity Contest Developers <popcon-developers@lists.alioth.debian.org>. (Sun, 15 Jul 2012 22:27:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Stéphane Blondon <stephane.blondon@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: popularity-contest: option to limit the list of packages sended to popcon
Date: Mon, 16 Jul 2012 00:25:07 +0200
Package: popularity-contest
Version: 1.55
Severity: wishlist

Currently, the popcon script on user computer sends the list of all
installed packages.
However, it would the nice to have a configurable option to limit it
to the official package because today, there is only two choices if
the user have sensitive packages:

 - refuse popcon to not publish them
 - accept popcon and be unpleased because it's published.

If they can choose what they publish: {all | only official packages | none}
it could fit more needs.
(And perhaps to have more contributors because it could fit the users
using currently the first choice?)


-- 
Stéphane



Information forwarded to debian-bugs-dist@lists.debian.org, Popularity Contest Developers <popcon-developers@lists.alioth.debian.org>:
Bug#681721; Package popularity-contest. (Sun, 15 Jul 2012 22:48:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Christian PERRIER <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Popularity Contest Developers <popcon-developers@lists.alioth.debian.org>. (Sun, 15 Jul 2012 22:48:07 GMT) Full text and rfc822 format available.

Message #10 received at 681721@bugs.debian.org (full text, mbox):

From: Christian PERRIER <bubulle@debian.org>
To: Stéphane Blondon <stephane.blondon@gmail.com>, 681721@bugs.debian.org
Subject: Re: Bug#681721: popularity-contest: option to limit the list of packages sended to popcon
Date: Sun, 15 Jul 2012 16:44:20 -0600
[Message part 1 (text/plain, inline)]
Quoting Stéphane Blondon (stephane.blondon@gmail.com):
> Package: popularity-contest
> Version: 1.55
> Severity: wishlist
> 
> Currently, the popcon script on user computer sends the list of all
> installed packages.
> However, it would the nice to have a configurable option to limit it
> to the official package because today, there is only two choices if
> the user have sensitive packages:
> 
>  - refuse popcon to not publish them
>  - accept popcon and be unpleased because it's published.
> 
> If they can choose what they publish: {all | only official packages | none}
> it could fit more needs.
> (And perhaps to have more contributors because it could fit the users
> using currently the first choice?)


Is there a point in reporting non official packages?

/me would be OK with the "yes" choice to only report official packages

[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Popularity Contest Developers <popcon-developers@lists.alioth.debian.org>:
Bug#681721; Package popularity-contest. (Mon, 16 Jul 2012 08:18:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>:
Extra info received and forwarded to list. Copy sent to Popularity Contest Developers <popcon-developers@lists.alioth.debian.org>. (Mon, 16 Jul 2012 08:18:03 GMT) Full text and rfc822 format available.

Message #15 received at 681721@bugs.debian.org (full text, mbox):

From: Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>
To: Stephane Blondon <stephane.blondon@gmail.com>, 681721@bugs.debian.org
Subject: Re: [Popcon-developers] Bug#681721: popularity-contest: option to limit the list of packages sended to popcon
Date: Mon, 16 Jul 2012 10:15:43 +0200
On Mon, Jul 16, 2012 at 12:25:07AM +0200, Stéphane Blondon wrote:
> Package: popularity-contest
> Version: 1.55
> Severity: wishlist
> 
> Currently, the popcon script on user computer sends the list of all
> installed packages.
> However, it would the nice to have a configurable option to limit it
> to the official package because today, there is only two choices if
> the user have sensitive packages:

Hello Stéphane,

The issue is how popcon can reasonnably known whether a package is "official"
or not.

Also the list of official packages installed which are dependencies of the
sensitive packages might provide too string an hint that the sensitive package
is installed anyway.

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here. 



Information forwarded to debian-bugs-dist@lists.debian.org, Popularity Contest Developers <popcon-developers@lists.alioth.debian.org>:
Bug#681721; Package popularity-contest. (Mon, 16 Jul 2012 21:21:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stéphane Blondon <stephane.blondon@gmail.com>:
Extra info received and forwarded to list. Copy sent to Popularity Contest Developers <popcon-developers@lists.alioth.debian.org>. (Mon, 16 Jul 2012 21:21:06 GMT) Full text and rfc822 format available.

Message #20 received at 681721@bugs.debian.org (full text, mbox):

From: Stéphane Blondon <stephane.blondon@gmail.com>
To: 681721@bugs.debian.org
Subject: Re: [Popcon-developers] Bug#681721: popularity-contest: option to limit the list of packages sended to popcon
Date: Mon, 16 Jul 2012 23:17:08 +0200
16 juillet 2012, Christian PERRIER:
> Is there a point in reporting non official packages?

I have been told it's a way to know other used packages so it could
help to know what is needed by debian' users.
The fact that every used package are send is documented in
/usr/share/doc/popularity-contest/FAQ.gz:
   "Unofficial and local packages are reported. This can be an issue
   due to 2) above, especially for custom-build kernel packages.
   We are evaluating how far we can alleviate this problem."


2012/7/16 Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>:
> The issue is how popcon can reasonnably known whether a package is "official"
> or not.

The list of packages provided by the debian repository seems to be a
good start to me.
For example for an AMD64 arch processor:
 -  http://ftp.fr.debian.org/debian/dists/squeeze/main/binary-amd64/Packages.bz2
 - the same archive for contrib and non-free (?)


> Also the list of official packages installed which are dependencies of the
> sensitive packages might provide too string an hint that the sensitive package
> is installed anyway.

I don't think it's a problem because the dependancy pckages stats are
summed up to all other users' stats.


-- 
Stéphane



Information forwarded to debian-bugs-dist@lists.debian.org, Popularity Contest Developers <popcon-developers@lists.alioth.debian.org>:
Bug#681721; Package popularity-contest. (Tue, 17 Jul 2012 10:30:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>:
Extra info received and forwarded to list. Copy sent to Popularity Contest Developers <popcon-developers@lists.alioth.debian.org>. (Tue, 17 Jul 2012 10:30:03 GMT) Full text and rfc822 format available.

Message #25 received at 681721@bugs.debian.org (full text, mbox):

From: Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>
To: Stéphane Blondon <stephane.blondon@gmail.com>, 681721@bugs.debian.org
Subject: Re: [Popcon-developers] Bug#681721: Bug#681721: popularity-contest: option to limit the list of packages sended to popcon
Date: Tue, 17 Jul 2012 12:26:40 +0200
On Mon, Jul 16, 2012 at 11:17:08PM +0200, Stéphane Blondon wrote:
> 16 juillet 2012, Christian PERRIER:
> > Is there a point in reporting non official packages?
> 
> I have been told it's a way to know other used packages so it could
> help to know what is needed by debian' users.

Yes, it is useful to find packages that are somehow missing in Debian proper.

> 2012/7/16 Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>:
> > The issue is how popcon can reasonnably known whether a package is "official"
> > or not.
> 
> The list of packages provided by the debian repository seems to be a
> good start to me.
> For example for an AMD64 arch processor:
>  -  http://ftp.fr.debian.org/debian/dists/squeeze/main/binary-amd64/Packages.bz2
>  - the same archive for contrib and non-free (?)

But how do you perform the check client-side ?

> > Also the list of official packages installed which are dependencies of the
> > sensitive packages might provide too string an hint that the sensitive package
> > is installed anyway.
> 
> I don't think it's a problem because the dependancy pckages stats are
> summed up to all other users' stats.

Only on the server side, not in the report that are sent to the server.

If really your packages are sensitive, you do not want them to be transmitted in
clear text to the server, I suppose.

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here.



Information forwarded to debian-bugs-dist@lists.debian.org, Popularity Contest Developers <popcon-developers@lists.alioth.debian.org>:
Bug#681721; Package popularity-contest. (Tue, 17 Jul 2012 23:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stéphane Blondon <stephane.blondon@gmail.com>:
Extra info received and forwarded to list. Copy sent to Popularity Contest Developers <popcon-developers@lists.alioth.debian.org>. (Tue, 17 Jul 2012 23:33:03 GMT) Full text and rfc822 format available.

Message #30 received at 681721@bugs.debian.org (full text, mbox):

From: Stéphane Blondon <stephane.blondon@gmail.com>
To: 681721@bugs.debian.org
Subject: Re: [Popcon-developers] Bug#681721: Bug#681721: popularity-contest: option to limit the list of packages sended to popcon
Date: Wed, 18 Jul 2012 01:30:26 +0200
2012/7/17 Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>:
> On Mon, Jul 16, 2012 at 11:17:08PM +0200, Stéphane Blondon wrote:
>> The list of packages provided by the debian repository seems to be a
>> good start to me.
>> For example for an AMD64 arch processor:
>>  -  http://ftp.fr.debian.org/debian/dists/squeeze/main/binary-amd64/Packages.bz2
>>  - the same archive for contrib and non-free (?)
>
> But how do you perform the check client-side ?

I see two solutions:
 - download the Packages.bz2 from http ou ftp server, uncompress and
keep only the package names.
or
 - use files in /var/lib/apt/lists to rebuild the packages names. On
my computer, the file
ftp.fr.debian.org_debian_dists_testing_main_binary-amd64_Packages
seems to be a good start. I don't know exactly how it works (with
IndexDiff) but they are text files so I think it's doable.

Then, only stats from packages listed in the previous generated list
are sended.


The first way needs a network connection but popCon needs network to
send the stats, so I don't think it's a problem.



root@foehn:/var/lib/apt/lists# LANG=C; ls -l
total 75152
-rw-r--r-- 1 root root   198615 Jul 17 22:24
ftp.fr.debian.org_debian_dists_testing_InRelease
-rw-r--r-- 1 root root 29021698 Jul 17 16:15
ftp.fr.debian.org_debian_dists_testing_main_binary-amd64_Packages
-rw-r--r-- 1 root root     7876 Jul 17 16:15
ftp.fr.debian.org_debian_dists_testing_main_binary-amd64_Packages.IndexDiff
-rw-r--r-- 1 root root 18902880 Jul 17 04:14
ftp.fr.debian.org_debian_dists_testing_main_i18n_Translation-en
-rw-r--r-- 1 root root     7876 Jul 17 04:14
ftp.fr.debian.org_debian_dists_testing_main_i18n_Translation-en.IndexDiff
-rw-r--r-- 1 root root  3167707 Jul 17 16:15
ftp.fr.debian.org_debian_dists_testing_main_i18n_Translation-fr
-rw-r--r-- 1 root root     7819 Jul 17 16:15
ftp.fr.debian.org_debian_dists_testing_main_i18n_Translation-fr.IndexDiff
-rw-r--r-- 1 root root 25521688 Jul 17 16:18
ftp.fr.debian.org_debian_dists_testing_main_source_Sources
-rw-r--r-- 1 root root     7876 Jul 17 16:18
ftp.fr.debian.org_debian_dists_testing_main_source_Sources.IndexDiff
-rw-r----- 1 root root        0 Jul 26  2010 lock
drwxr-xr-x 2 root root     4096 Jul 18 01:02 partial


-- 
Imprimez ce message en A2 et en couleur au moins 500 fois!
Brûlez des arbres!!

-- envoyé depuis ma centrale à charbon
Stéphane



Information forwarded to debian-bugs-dist@lists.debian.org, Popularity Contest Developers <popcon-developers@lists.alioth.debian.org>:
Bug#681721; Package popularity-contest. (Mon, 24 Sep 2012 05:39:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to Popularity Contest Developers <popcon-developers@lists.alioth.debian.org>. (Mon, 24 Sep 2012 05:39:03 GMT) Full text and rfc822 format available.

Message #35 received at 681721@bugs.debian.org (full text, mbox):

From: Paul Wise <pabs@debian.org>
To: 681721@bugs.debian.org
Subject: popcon: 681721: duplicate of #632438
Date: Mon, 24 Sep 2012 13:35:24 +0800
[Message part 1 (text/plain, inline)]
#681721 looks like a duplicate of the bug report I filed earlier
#632438. I've manually solved this on my own systems by modifying the
popcon cron job to remove sensitive packages from the output. In #632438
I mentioned a few ideas that could be used to exclude packages.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Popularity Contest Developers <popcon-developers@lists.alioth.debian.org>:
Bug#681721; Package popularity-contest. (Sun, 05 May 2013 12:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>:
Extra info received and forwarded to list. Copy sent to Popularity Contest Developers <popcon-developers@lists.alioth.debian.org>. (Sun, 05 May 2013 12:39:04 GMT) Full text and rfc822 format available.

Message #40 received at 681721@bugs.debian.org (full text, mbox):

From: Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>
To: Paul Wise <pabs@debian.org>, 681721@bugs.debian.org
Subject: Re: Bug#681721: popcon: 681721: duplicate of #632438
Date: Sun, 5 May 2013 14:34:40 +0200
On Mon, Sep 24, 2012 at 01:35:24PM +0800, Paul Wise wrote:
> #681721 looks like a duplicate of the bug report I filed earlier
> #632438. I've manually solved this on my own systems by modifying the
> popcon cron job to remove sensitive packages from the output. In #632438
> I mentioned a few ideas that could be used to exclude packages.

Well, I am not sure I like the idea to help users to remove packages from the
list. If you are afraid to leak information, the only safe course is not to
report to popcon. I do not want popcon to be held responsible for leaking
information it was told to protect.

Beside, I am afraid this will skew popcon results because some packages will be
under-reported.

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here. 



Information forwarded to debian-bugs-dist@lists.debian.org, Popularity Contest Developers <popcon-developers@lists.alioth.debian.org>:
Bug#681721; Package popularity-contest. (Sun, 05 May 2013 12:51:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to Popularity Contest Developers <popcon-developers@lists.alioth.debian.org>. (Sun, 05 May 2013 12:51:08 GMT) Full text and rfc822 format available.

Message #45 received at 681721@bugs.debian.org (full text, mbox):

From: Paul Wise <pabs@debian.org>
To: 681721 <681721@bugs.debian.org>
Subject: Re: Bug#681721: popcon: 681721: duplicate of #632438
Date: Sun, 05 May 2013 20:49:02 +0800
[Message part 1 (text/plain, inline)]
On Sun, 2013-05-05 at 14:34 +0200, Bill Allombert wrote:

> Well, I am not sure I like the idea to help users to remove packages from the
> list. If you are afraid to leak information, the only safe course is not to
> report to popcon. I do not want popcon to be held responsible for leaking
> information it was told to protect.
> 
> Beside, I am afraid this will skew popcon results because some packages will be
> under-reported.

The main use of the feature would be to not report sensitive packages,
especially metapackages not in Debian.

I would suggest that lack of this feature will reduce the amount of
people willing to report to popcon.d.o and skew the results.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Popularity Contest Developers <popcon-developers@lists.alioth.debian.org>:
Bug#681721; Package popularity-contest. (Sun, 05 May 2013 13:03:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>:
Extra info received and forwarded to list. Copy sent to Popularity Contest Developers <popcon-developers@lists.alioth.debian.org>. (Sun, 05 May 2013 13:03:09 GMT) Full text and rfc822 format available.

Message #50 received at 681721@bugs.debian.org (full text, mbox):

From: Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>
To: Paul Wise <pabs@debian.org>, 681721@bugs.debian.org
Subject: Re: Bug#681721: popcon: 681721: duplicate of #632438
Date: Sun, 5 May 2013 15:00:48 +0200
On Sun, May 05, 2013 at 08:49:02PM +0800, Paul Wise wrote:
> On Sun, 2013-05-05 at 14:34 +0200, Bill Allombert wrote:
> 
> > Well, I am not sure I like the idea to help users to remove packages from the
> > list. If you are afraid to leak information, the only safe course is not to
> > report to popcon. I do not want popcon to be held responsible for leaking
> > information it was told to protect.
> > 
> > Beside, I am afraid this will skew popcon results because some packages will be
> > under-reported.
> 
> The main use of the feature would be to not report sensitive packages,
> especially metapackages not in Debian.

What kind of metapackages ?

> I would suggest that lack of this feature will reduce the amount of
> people willing to report to popcon.d.o and skew the results.

But in a more obvious way.

Maybe such packages could have a control field 'X-Popcon-report: no' that would prevent
popcon from reporting them. This way it would not be a per-user decision.

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here. 



Information forwarded to debian-bugs-dist@lists.debian.org, Popularity Contest Developers <popcon-developers@lists.alioth.debian.org>:
Bug#681721; Package popularity-contest. (Sun, 05 May 2013 13:24:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to Popularity Contest Developers <popcon-developers@lists.alioth.debian.org>. (Sun, 05 May 2013 13:24:05 GMT) Full text and rfc822 format available.

Message #55 received at 681721@bugs.debian.org (full text, mbox):

From: Paul Wise <pabs@debian.org>
To: 681721 <681721@bugs.debian.org>
Subject: Re: Bug#681721: popcon: 681721: duplicate of #632438
Date: Sun, 05 May 2013 21:21:54 +0800
[Message part 1 (text/plain, inline)]
On Sun, 2013-05-05 at 15:00 +0200, Bill Allombert wrote:

> What kind of metapackages ?

The usual:

organisation-site-purpose

For example:

google-nycdc-crawler
amazon-sydney-ec2storagenode

> Maybe such packages could have a control field 'X-Popcon-report: no' that would prevent
> popcon from reporting them. This way it would not be a per-user decision.

I don't think it would be enough and the decision should be with the
owner of the machine running popcon not with the apt repos they use.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Popularity Contest Developers <popcon-developers@lists.alioth.debian.org>:
Bug#681721; Package popularity-contest. (Sun, 05 May 2013 13:39:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>:
Extra info received and forwarded to list. Copy sent to Popularity Contest Developers <popcon-developers@lists.alioth.debian.org>. (Sun, 05 May 2013 13:39:08 GMT) Full text and rfc822 format available.

Message #60 received at 681721@bugs.debian.org (full text, mbox):

From: Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr>
To: Paul Wise <pabs@debian.org>, 681721@bugs.debian.org
Subject: Re: Bug#681721: popcon: 681721: duplicate of #632438
Date: Sun, 5 May 2013 15:35:42 +0200
On Sun, May 05, 2013 at 09:21:54PM +0800, Paul Wise wrote:
> On Sun, 2013-05-05 at 15:00 +0200, Bill Allombert wrote:
> 
> > What kind of metapackages ?
> 
> The usual:
> 
> organisation-site-purpose
> 
> For example:
> 
> google-nycdc-crawler
> amazon-sydney-ec2storagenode

Who create them ? What information is leaked by the release of this package name ?

> I don't think it would be enough and the decision should be with the
> owner of the machine running popcon not with the apt repos they use.

If the APT repos is public, what is the security concern ?

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here.



Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 01:07:11 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.