I don't care how innocuous telemetry is *right now*. By implementing opt out telemetry at all, you're telling me it's your choice what data you collect, not mine. I'd never use an OS I have an antagonistic relationship where I have to keep tabs on every update to make sure it doesn't flip more switches I don't want flipped. That's literally one of the reasons people switch from Windows.
You're a great salesman. I've seen too many companies start out with something like this then gradually move to something worse. Sure, I can see that Manjaro may well start out with good intent. However, organizations change over time along with the people involved. Personally, I'd rather not be involved to begin with.
it would be interesting to have some usage data. an open source project with an open data set. everyone could decide to contribute data, and use the data to make reports
FreeBSD has a website where newbies and users report willing to share their data, and it works quite well. At least it's a choice not a feature no users ask for it...
It's a tough sale for sure. Even Linux Mint does their own data analytics through Datadog for similar reasons. It's not a 1:1 here as Mint was just looking for who was downloading what edition etc but I understand distros needing to know what their users use, wants needs etc. HOWEVER, the user needs to be consulted immediately about it (opt in or out) and fine grain control of what gets reported. I'm no developer but I can see that a simple application to do check boxes of "I want to do this, that, not this" etc. I personally don't like data collection due to its abuse, but at the same time I understand it's a 2 way street. It's one thing to be opt out and not tell your users (*cough cough* firefox) vs being upfront, honest and clear what it is what you're doing.
Masking the IP address by hashing it doesn't actually hide information, because the key space for ip addresses is so small, it is trivial to reverse the hashing and identify the IP address from the hash.
IP only relates to Matomo not this new thing. I don’t know how it’s trivial though because you’d have to know the salt and that’s unique to the instance
@@fuseteam if you hash one latin letter using SHA1, and challenge someone to find which letter you hashed, how difficult do you think it will be? IPv4 addresses have a slightly larger key space - 4 million options instead of 26, but this difference is negligible for a computer - reversing hashes using brute force is the basis of all "proof of work" block chains and modern GPUs have hashing rates of around 100M/s - reverse hashing unsalted IP addresses is trivial.
@@michael_tunnell I was considering that they must salt the plaintext, but that still doesn't make a lot of sense - if the salt is a per-instance static value, then it only protects the IP address from attackers gaining access to the data but not the installation - which doesn't seem all that useful to me, unless people are expected to regularly export the logs to the public. If the salting is done per record using a key derivation function, then it is still trivially accessible to anyone who has access to the open source key derivation function.
A bit more about the power of key derivation functions and why they are irrelevant to IP hashing - in the past, the password hashing "crypt" algorithm used the first two characters of your password - stored as plain text - as the salt. Even with this mind-bogglingly naive function, an alphanumeric-only 8 character password is *4 orders of magnitude* harder to brute force than an unsalted IP address. OTOH a rainbow table for reversing a SHA1 hash of an IP address using a known key derivation function is a very manageable uncompressed 80GB.
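The hashing argument in the comments above, as an added example (not code from Manjaro, Matomo or any commenter): a check an operator can run against its own scheme to see whether a stored pseudonym of an IPv4 address maps back to the address by enumeration, with prefix truncation shown as a data-minimising alternative. The sample address, the 10.20.0.0/16 search range, the salt and the key are constructed; the 100M hashes/s rate is the figure quoted in the thread.

```python
"""Added illustration: a hash of an IPv4 address is a pseudonym, not anonymisation."""
import hashlib
import hmac
import ipaddress

IPV4_SPACE = 2 ** 32  # number of possible IPv4 addresses


def sha1_plain(ip):
    """Unsalted SHA-1 of the dotted-quad string."""
    return hashlib.sha1(ip.encode()).hexdigest()


def sha1_salted(salt):
    """Static per-instance salt: the same salt is prepended to every record."""
    return lambda ip: hashlib.sha1(salt + ip.encode()).hexdigest()


def hmac_keyed(key):
    """Keyed pseudonym (HMAC-SHA256): only a holder of the key can recompute it."""
    return lambda ip: hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def reverse_by_enumeration(stored, network, pseudonymize):
    """Pseudonymise every address in `network`; return the one matching `stored`."""
    for addr in ipaddress.ip_network(network):
        if pseudonymize(str(addr)) == stored:
            return str(addr)
    return None


def seconds_to_cover_ipv4(hashes_per_second):
    """Worst-case time to try the whole IPv4 space at a given hash rate."""
    return IPV4_SPACE / hashes_per_second


def truncate_ip(ip, keep_bits=24):
    """Data minimisation: keep only the network prefix, drop the host bits."""
    net = ipaddress.ip_network(f"{ip}/{keep_bits}", strict=False)
    return str(net.network_address)


def audit():
    """Run the check on constructed sample data and report what is recoverable."""
    ip = "10.20.37.142"                    # constructed sample address
    net = "10.20.0.0/16"                   # constructed search range (65,536 hosts)
    salt = b"constructed-instance-salt"    # known to anyone with the installation
    key = b"constructed-secret-key"        # assumed to be held by the operator only
    return {
        # No salt: anyone holding the stored hash can recover the address.
        "unsalted": reverse_by_enumeration(sha1_plain(ip), net, sha1_plain),
        # Static salt: no obstacle to whoever can read the salt.
        "salt_known": reverse_by_enumeration(
            sha1_salted(salt)(ip), net, sha1_salted(salt)),
        # Secret key: an outsider guessing the key finds nothing ...
        "hmac_wrong_key": reverse_by_enumeration(
            hmac_keyed(key)(ip), net, hmac_keyed(b"guess")),
        # ... but the key holder can still map the pseudonym back.
        "hmac_key_holder": reverse_by_enumeration(
            hmac_keyed(key)(ip), net, hmac_keyed(key)),
        # Truncation stores a /24 group, so the host part is never recorded.
        "truncated": truncate_ip(ip),
        "ipv4_seconds_at_100M": round(seconds_to_cover_ipv4(100_000_000), 1),
    }


if __name__ == "__main__":
    for name, value in audit().items():
        print(f"{name:22} {value}")
```

A keyed pseudonym still lets the operator link records and reverse them, so it protects only against parties without the key; truncation is the only variant here that removes the information instead of encoding it.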
Opt-out is honestly really bad and I find it disappointing that you think this is the right way to do it. The way Debian does this is pretty nice, you get a step on the installer asking if you want to enable it. The default option is OFF, you can enable it if you want at any time. I'm not saying the Manjaro team is acting in bad faith, but these "surprise" enable telemetry updates is one of the reasons I got away from Microsoft in the first place. Whether the amount of shared information is reasonable or not is different for each user. Maybe you're okay sharing your country, other people probably aren't. Maybe they'll update the amount of information shared, maybe they'll turn it back on in another update. This break of trust is a slippery slope. The argument you make that a person would be too distracted to notice this new telemetry update works the other way as well. A distracted user that does not want to share their location for whatever reason can now start sharing it without realizing. Distributions should empower the user, opt-out is empowering someone else.
I agree but we don’t have any indication that this it would. Right now we’re in the wait-and-see mode. The fact that they became public with this before doing it suggests that they’ll do it right.
Totally agree, just a thought that I had in a worst case vacuum. It definitely happens in the proprietary world. @@michael_tunnell. I think like you've suggested, Manjaro needs to do this right. I like KDE Plasma's slider approach at install
I think that as long as the collected data can be checked before it is sent by the user themselves, and the choice for participation is made during installation where everybody has to make the choice then that would be an acceptable option for me. Even if I would not check the data myself, enough people would check it to unearth any shenanigans/risk with said data.
There should be no asymmetry to withhold consent. Requiring an extra step to opt-out demonstrates little care went into it and does not inspire confidence. The simple middle ground is to present a mandatory Yes / No choice without a default. It's like a speedbump, but it's important enough to require the user to interact, and to demonstrate their choice is taken seriously. Using a "No" answer as telemetry would be a dirty trick.
I agree, "opt-ask" is the way to go. Even Michael's argument for opt-out seems to be basically: we want more people struggling to disable it or even never notice that their data is collected.
1- it should be opt-in only 2- it should list all type of data to be collected 3- any personal identifiable data should be replaced with hashed function (could be seeded with user account name for multiuser login)
1. if the user is asked before doing anything is that okay? 2. it does list all the data 3. there isn't any but still all data should be sanitized anyway
@@michael_tunnell 1. If the user is asked, I don't think it is opt-out anymore, it is "opt-ask" (the default, if no answer is given, has to be "no") 2. add a third button "configure", to choose the data to collect.
@snygg1993 1. opt-out means default yes but it is also possible to ask before yes is applied. Ubuntu for example asks the user before ever sending anything but the question is default checked with yes so the user is always asked first but it's still technically opt-out this way. 2. yes choosing what data is sent would be best
I think your logic of “well, people aren’t going to do it if it’s opt-in, so we have to do it opt-out” is reasonable and effective but also very dangerous. That means your starting point is you assume you’re doing the right thing, and proceed to do so without spending the effort to try to convince them. That is some fertile breeding ground for abusive tactics in the future. Maybe you show your current data to your sponsors and they’re still not convinced, so you go and do more aggressive data collection, all the while believing you’re still on the good side. And it will grow into a “we’ve come too far to go back” situation. And then at some point you mess something up, and somebody caught you in the act, and the whole thing blows up, and at that point you have managed to poison the well for all other people who are doing any kind of telemetry, opt-in or opt-out anyway. This is exactly how the situation about telemetry ended up here in the first place, isn’t it? The “proper” way in my view is you have to do it the hard way, namely you can only do opt-in, and you channel most of your energy into doing PSAs and changing perception that it will always be done properly, and also still, you’ll always ask before doing such a thing. You do this to foster goodwill in advance, for the honest mistakes that you’ll eventually and inevitably make in the future. This is hard, really hard, but the price of the alternative, of not doing so is too great in my view. If you value efficiency and effectiveness above the proper respect, etiquette, and communication, you’re gonna end up at the same place as Microsoft now. Very few “evil” entities deliberately do evil intentionally from the start. The road to hell is more often than not paved with good intentions.
So I'm at 9:28 seconds and I have to point out that if it's opt out, doesn't it mean that before you opt out you'll be sending the data regardless? Say you install Manjaro, it goes through its setup. Unless the opt out comes during the setup process, you're going to arrive at a desktop while in the background data is being "collected". Then you'd have to find how to opt out unless a popup appears telling you could opt out. This is all crap. I remember back when I was first looking at Linux and for whatever reason I decided against Manjaro. I'm glad I went with something else.
Whenever a distribution (i.e. Fedora recently) tries to convince that this type of data collection "will improve next releases" it NEVER seems to be accompanied with a commitment to report regularly to the end-users / contributors how their data actually resulted in specific improvements that would otherwise not have been possible. I still have to meet the first person/blog that explains with some clear examples which improvements can actually be expected? I basically just don't want those Kb/Gb data to flow out of my network without understanding the purpose.
Here's the thing about machine IDs/fingerprints. Just as easy as this "installed base tracker" can get them, so can other processes and use it as trackable device fingerprint that could eventually be matched to a regular personal identity by having more data matched to it. I don't feel comfortable with any fingerprinting and print-collection in databases out there. Those could be considered even worse than IP address tracking.
Opt-out is not okay, regardless of what data is sent. Unless before sending the data, the user is provided with a popup to send it or not and the ability to see what data is sent. There should be also an explanation to why this is being done and the option to disable this entirely. Only then it is acceptable to have this option enabled by default to me.
I agree. Opt-Out done poorly is unacceptable but if it’s done properly then I’m okay with it. That’s the basis for making the video to say opt-out can be done properly
I too share info with KDE, but wouldn't with Manjaro. Besides I found Endeavour OS (really Antergos first) after Manjaro pissed me off too many times, and have had a great time using them and haven't switched distros, not even tried others ever since, Endeavour OS with KDE is like the perfectly tailored suit to me, because I get to be the tailor!
I suspect this is mostly an issue because of what Microsoft is doing. If MS wasn't doing their thing most people would not be concerned. I do agree there should be an opt in instead and I have no problem with the choice being given during installation even if, as you said, opt in is already checked. If it is too much trouble to click a box then perhaps they shouldn't be using any computer.
Is there no way to check how many downloads there are from the repos? Sorry if that's a dumb question. Also, want to get started coding an application to allow users to decide what data they want to send.
This is a good question and the answer is that Downloads are not a reliable way for many reasons. 1. Some people download once and use multiple times. 2. Some people download multiple editions to try them out and multiple distros ultimately landing on one but trigger data for dozens. 3. Some people get downloads from mirrors not from the original source so they aren’t traceable at all. 4. Some people use torrents which also skews the data
I like Manjaro Cinnamon...but mine is already installed. Like you, I'll keep a weather eye out if an update slaps this opt-out on my existing distro. Aloha!
please watch the video before forming an opinion on what is happening, it's not some Microsoft type thing and it could actually be good for the ecosystem to do this and I explain why in the video
@@michael_tunnell Mahalo for your prompt reply! I did watch, and I'm intrigued. I'm an old man in his 7th decade of life. For my part, I don't approve of the timezone part of this metric-gathering change. My threat model could never require such granular security...but very few people live in Hawaii. As a result, when I do browser fingerprint tests...as you can imagine...my browser signature is nearly always unique. That's just a silly browser. What do pentesters and security people think about this stuff on their machines? No big deal for me. Much aloha to you!
How do you feel about this case? Manjaro isn’t going behind users' backs since they are telling people up front about it and it’s not opt-out yet so no one has been affected by it unless they chose to
@snygg1993 imo hearing what it “sounds like” and not what happened is problematic. They decided to do data collection so they made a very public forum post on it and asked people to participate to test the tool and see what it does. They made it clear they plan to do Opt-Out in the future when the tool is ready, this means it’s opt-in right now. How it’s done matters but has not been defined yet so their transparency of it suggests it will be handled well, not what it “sounds like”
Why wouldn't metrics from the software repository be sufficient? It doesn't give up any information about the user (except IP address etc) and if you already have mate-desktop 1.28.2-2 will you generally download it again? No. If an organization has exactly 19 computers behind your NAT, it will generally show exactly 19 downloads to mate-desktop (for example). Now there are some software repository caches meant to reduce downloads for large organizations, maybe they could gather metrics from them to compensate? I dunno.
please watch the video before forming an opinion on what is happening, it's not some Microsoft type thing and it could actually be good for the ecosystem to do this and I explain why in the video
good more people should do this. no one's gonna go out of their way to turn it on lol. unless you're proofreading every line of code, they could just be stealing your stuff anyways. if they say they aren't abusing data you may as well believe them too
Well it has been awhile since Manjaro screwed something up 🤣. I do expect them to do the right thing but probably in the "wrong way" given their history... something something certificates multiple times. In all seriousness it's not a distro I use but I look forward to seeing if they can change my opinion on the subject for sure. I believe even Fedora has talked about this as well so it's a matter of time before it comes to a distro near you.
@samarthnagar2939 please watch the video before forming an opinion on what is happening, it's not some Microsoft type thing and it could actually be good for the ecosystem to do this and I explain why in the video
Those saying "opt-out is never ok" did you watch the whole video? Do you guys _want_ Linux to grow on the desktop? If yes how _would_ you prove to application developers that our userbase is large enough to be worthwhile?
opt-out is never ok. If you would have watched the video, then you would know that even Michael's argument is basically: it has to be opt-out, so that more people don't know how to disable it or even never notice that their data are collected. According to Michael's own definition, that is spyware. It might be legal and it might be done by all big corporations, but spyware is never "ok".
@snygg1993 that’s not at all what I said. I said it should be presented to the user prior to doing anything and giving the option to do it or not. That’s not even close to spyware
@@snygg1993 That is not what he said, he specifically said that the UX for opt-in would annoy the user too much for them to bother to opt-in, Also please address the other questions, as those are the reasons why you _want_ users to opt-in (or not opt-out) in the first place
@@michael_tunnell there is nothing they could do that would make it ok. I left MS years ago because they behaved in a similar manner. Now, that same mentality is finding its way into Linux. They didn't ask if I was ok with it, they just announced they were going to do it. I've been running Arch for the past 5 months and I couldn't be happier. I've been distro hopping for quite a while until I finally decided to try Arch Linux... So, I'm home.... The other distros that collect data at least ask if it's ok and give the option to participate. Apparently Manjaro is taking a page from Microsoft's playbook and is just doing it regardless of how users feel about it. That's not OK.
I don’t know why you are saying that Manjaro is doing that. They are giving the user the option to do it or not. They haven’t even started the opt out process yet, it’s still testing phase and currently opt in. The question is how they do opt out, they might do it right or they might screw it up…we don’t know yet because it’s not happened yet
Isn't that going against the GDPR? I've my doubt that this is legal. Manjaro is run by a German company so I think they technically can't do this. At least not without being opt-in by default.
@@michael_tunnell Ok. Guess I'm gonna have to replace the OS on family members' laptops. This doesn't seem too bad but I won't always be around to see how this evolves and the point of putting Linux there was to secure their personal data footprint.
I don't think they would go as far as to violate the GDPR because they are based in Germany so I don't think Manjaro is a good solution for anyone who needs maintenance from someone else like friends and family because imo Arch and anything based on Arch are the worst options for that since it moves so much. I would just give them something Ubuntu based to lower my commitment to manage it
@@michael_tunnell Nope. Ubuntu is a constant bugfest with hacky solutions. Only thing that can go wrong with a basic user on Arch are updates. And updates are not an issue if you pay attention.
@@michael_tunnell You may have a point about Manjaro specifically though cause I definitely encountered my fair share of showstopper bugs with their update cycles. Maybe pure Arch is actually a better bet... but definitely feels more hostile to new users.
it's not in Manjaro yet so not sure but that's up to Mabox devs also please watch the video before forming an opinion on what is happening, it's not some Microsoft type thing and it could actually be good for the ecosystem to do this and I explain why in the video
Opt-in by default collection of PII is illegal under the GDPR. Someone who works in marketing/advertising should be well aware of that. It's inherently impossible to anonymize PII or it wouldn't be PII to begin with.
Why? They aren’t doing anything wrong in the first place plus if they sanitize and do it in aggregate it won’t matter because each machine will have a unique ID
please watch the video before forming an opinion on what is happening, it's not some Microsoft type thing and it could actually be good for the ecosystem to do this and I explain why in the video
Neither will I. I don't trust anyone who collects data opt-out. You ask me politely before any collecting, and I'll consider it. You go behind my back and you're done.
The problem with Microsoft doing what they do is not comparable to what Manjaro is doing as Manjaro doesn't take personal data and Microsoft does. Opt-Out isn't always bad, from Microsoft it always is but that's a different story
Personally I hate telemetry, I am one of many Linux users who dropped Microsoft Windows for the telemetry crap, if all distros implement it then what's the point of using Linux? My point is if distros REALLY need users data in the installer they ask if the user says NO then no telemetry tools installed.
No, this is vastly different from what Windows is doing. I don’t think they need as much data as they are requesting but Manjaro is not requesting any personal data and they are giving the user the option to participate or not. Microsoft is taking everything about your computer and everything you do in it and you have no choice. These are very different things
I am confident in saying that this would never happen because Linux is very much a privacy focused platform so any data collection would be done in a minimal way that doesn’t disrespect the users. I can’t imagine any distribution would do anything even remotely close to what Microsoft does
@@bhargavjitbhuyan9394 It's just a worse Arch Linux really. They hold back packages by 2 weeks to make it more "stable" but in reality, you just get the same bugs as upstream Arch, but 2 weeks later. If you want an "easy" Arch-based distro, just go with Endeavour, Garuda, CachyOS. There are far better options than Manjaro.
@@whentheyD it is quite simple to use, boots fast and can be installed by a beginner and it has good hardware support. Why would a beginner need a different kernel than the stock one? Why would a beginner need the aur? There are flatpaks and snaps. If you want to use something else, it's your choice. But don't criticize something that's not meant for you. I have used Vanilla arch in the past as well. I don't use manjaro but don't criticize something that's not meant for you.
I'm not happy with this. I switched to Linux from Windows in April because of Microsoft behaviour and privacy. I'm using Manjaro and I don't want them to collect my data. It should be opt-in only if you want. Most people won't notice or fiddle with settings. People don't want their data to be used and sent somewhere 😢😢 So goodbye Manjaro, just switched to openSUSE. I hope Linux won't do the same like Microsoft?
please watch the video before making decisions on what is happening, it's not some Microsoft type thing and it could actually be good for the ecosystem to do this kind of thing
I think it's one thing to make it opt in, not tell your users nor ask you on first boot (or at installation) your preferences (make it opt out there then?) vs just doing something and making your users "figure it out" hopefully they make the right decision.
please watch the video before forming an opinion on what is happening, it's not some Microsoft type thing and it could actually be good for the ecosystem to do this and I explain why in the video
"I sure wish would port to Linux!" "The vendor needs to know your machine really exists to make it worthwhile to them" "I don't like that" (wash / rinse / repeat)
please watch the video before forming an opinion on what is happening, it's not some Microsoft type thing and it could actually be good for the ecosystem to do this and I explain why in the video
It's totally valid to not want telemetry but if the distro gives the user the option to decline the telemetry then I don't see any contradiction to not having it because for that user they don't have it. As long as Manjaro does it right and gives the user the option to participate then I think it's okay to have it because for your individual case you could just say no to it.
Russian Troll here - sad to say, but after 5 years of subscription - I see me unsubscribing, as your country has led wars - and therefore I can no longer accept your effort ... :,[
My personal philosophy is this: If FOSS and ONLY FOSS asks me first for data collection and it's only for hardware stuff to make it better I always say yes. On KDE I have manually set it so it gets all info from me in crash reports etc. The moment FOSS starts selling my data however I not only would turn it off, I would also stop using said software.
Same, sane thought.
Weak minded attitude, you might as well go use Windows.
@@STONE69_ Projection. I can kick a distro to the curb and replace it with a few simple terminal commands. There's only one Windows.
Manjaro: "We need your data to find out what our users want."
Users: "We don't want opt-out data collection."
Manjaro: "No, not like that."
users: how do we increase marketshare
devs: we make better defaults and seamless installations from telemetry to identify problems
users: no not like that
CRAZY how all the best platforms and programs use it. almost like it always makes it better
@@BrentMalice Thanks to Microsoft, telemetry became an evil thing.
The users of Manjaro aren't as upset by this as the people who don't use Manjaro. Most people don't care about an automatic hardware survey that is clearly disclosed.
Did you ever install Debian?
@@MrSpotlightKid Debian prompts you whether to enable telemetry and no one complains about Debian. The Manjaro devs call such a prompt “user hostile”.
I don't mind sharing my data with a FOSS project if they're going to use it to actually fix and improve the things they make that I use. My main issue is when they suck up the data by default without ever asking and then turn around and use that for marketing or sell that info to someone else.
Me too, if it is done right. For example in KDE Plasma there is a slider (Opt-in BTW) to set levels of how much data is sent. And it shows for each level what kind of data is sent and you can view sent data too. They do not collect anything that could identify me too. This is something I have enabled, because it's acceptable.
They Manjaro will sell it.
The dev (romangg) locked the topic 7 days ago, and the API endpoint went down today.
"A few people also like to overdramatize these kind of topics with emotional language like “disgusting” and “shameful”, while in the end we only talk about a few hardware metrics and no personal data at all."
These things are hardware: Whether it's desktop/laptop/other, what motherboard/vendor's UUID, CPU arch/model/cores/threads, how much RAM you have, how big your drives are, what GPUs you have, how many displays you have, what connection types they are.
These things are not hardware: Timezone, install date, uptime, locale, cli/gui/dm/wm/display/compositor, how long it's been since you updated, what branch you're on, how many packages, how many out of date packages, how many mirrors, whether you also have Windows installed, whether you use a UEFI bios, what audio driver you use, what video driver you use, your display resolution, your display arrangement, your kernel version, your release version, and a *SHA256-encoded unique machine ID.*
Regardless of how insignificant they might seem, this is much more than "a few hardware metrics", and I think it's a reasonable response from the community, given the demonstrated ability of databrokers and their ilk to de-anonymize people based on things like: how many apps on their phone, which apps, their window/screen resolution (tor), location... Fingerprinting is only going to get better (worse).
I was not talking about this one instance but more in the broader general sense. This was just the catalyst. I mentioned in the video that this could absolutely be too much data and it matters how they sanitize it. Overall the idea of doing this isn’t necessarily a bad thing, but it is possible they could do it badly.
The fact that they're displaying data makes it feel less 'surveillanc-y', to me...
Yeah, you still need to trust them that they're displaying all the data that they collect and aren't collecting anything else under the hood.
I like your channel because it has a moderate opinion, linux desktop adoption won't come from extreme adoptions
I agree. I'm ready to let some open source prog collect telemetry for aggregated information with my clear permission.
Also, it is very important to show us and let us select exactly what will be sent.
People will do anything for money and sometimes they'll be greedy. Gotta have that in mind.
I think opt-in with opt-out/refinement during installation/usage. A common library with a settings page, accessed within the settings panel and the application, to choose what is acceptable to communicate.
Opt-out is NOT ethical (and almost certainly a violation of GDPR here in the EU). Maybe such a practice is acceptable to you, but it is not for me. Manjaro is now permabanned from all systems I control or have a say in. And if Arch does something like this, I'm leaving it, too. And if GNU/Linux follows your advice and implements this everywhere, I'm leaving it for BSD. The line has to be drawn here. This far and NOT further. No opt-out stuff. Not ever.
So long as it's anonymised, aggregate and informed data collection, opt-out is perfectly fine.
how do we know whether it really is anonymised? they rely on non open-source tools which is pretty ironic in a very sad way
Which non open source tools are you referring to?
I'm against any type of data collection on my systems. Since it never stops, once someone is hooked on data collection, it will keep expanding until it can collect everything. Even if it starts out innocent enough, such as to improve the software, knowing what hardware your users have will allow you to track how often a person upgrades their hardware as well as their general budget. At some point, it will become too hard to resist, and selling the data you have collected thus far will seem like the only logical option. I ditched Manjaro 6 months ago so it won't affect me. It was obvious after that Proprietary Office stuff they started shipping.
I don't care how innocuous telemetry is *right now*. By implementing opt out telemetry at all, you're telling me it's your choice what data you collect, not mine. I'd never use an OS I have an antagonistic relationship where I have to keep tabs on every update to make sure it doesn't flip more switches I don't want flipped. That's literally one of the reasons people switch from Windows.
You're a great salesman. I've seen too many companies start out with something like this then gradually move to something worse. Sure, I can see that Manjaro may well start out with good intent. However, organizations change over time along with the people involved. Personally, I'd rather not be involved to begin with.
Europe has several timezones. Europe/Paris doesn't identify your exact location but it means your timezone is the same as Paris.
it would be interesting to have some usage data. an open source project with an open data set. everyone could decide to contribute data, and use the data to make reports
FreeBSD has a website where newbies and users report willing to share their data, and it works quite well. At least it's a choice, not a feature no users ask for...
It's a tough sale for sure. Even Linux Mint does their own data analytics through Datadog for similar reasons. It's not a 1:1 here as Mint was just looking for who was downloading what edition etc., but I understand distros needing to know what their users use, want, need, etc.
HOWEVER, the user needs to be consulted immediately about it (opt in or out) and fine grain control of what gets reported. I'm no developer but I can see that a simple application to do check boxes of "I want to do this, that, not this" etc.
I personally don't like data collection due to its abuse, but at the same time I understand it's a 2 way street. It's one thing to be opt out and not tell your users (*cough cough* firefox) vs being upfront, honest and clear about what it is you're doing.
Masking the IP address by hashing it doesn't actually hide information, because the key space for IP addresses is so small that it is trivial to reverse the hashing and identify the IP address from the hash.
IP only relates to Matomo not this new thing. I don’t know how it’s trivial though because you’d have to know the salt and that’s unique to the instance
@@guss77 hashing is by definition irreversible, you might be thinking of encryption
@@fuseteam if you hash one latin letter using SHA1, and challenge someone to find which letter you hashed, how difficult do you think it will be? IPv4 addresses have a slightly larger key space - 4 million options instead of 26, but this difference is negligible for a computer - reversing hashes using brute force is the basis of all "proof of work" block chains and modern GPUs have hashing rates of around 100M/s - reverse hashing unsalted IP addresses is trivial.
@@michael_tunnell I was considering that they must salt the plaintext, but that still doesn't make a lot of sense - if the salt is a per-instance static value, then it only protects the IP address from attackers gaining access to the data but not the installation - which doesn't seem all that useful to me, unless people are expected to regularly export the logs to the public. If the salting is done per record using a key derivation function, then it is still trivially accessible to anyone who has access to the open source key derivation function.
A bit more about the power of key derivation functions and why they are irrelevant to IP hashing - in the past, the password hashing "crypt" algorithm used the first two characters of your password - stored as plain text - as the salt. Even with this mind-bogglingly naive function, an alphanumeric-only 8 character password is *4 orders of magnitude* harder to brute force than an unsalted IP address. OTOH a rainbow table for reversing a SHA1 hash of an IP address using a known key derivation function is a very manageable uncompressed 80GB.
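An added example (not part of the thread and not Manjaro's or Matomo's code) of the hashing argument in the comments above: an unsalted digest of an IPv4 address, and one with a static salt that is known, are recovered by plain enumeration, while the same search fails without the salt or key. The sample address, the /16 search scope, the salt, and the `keyed_prefix_digest` mitigation (truncate to /24, then HMAC with a secret key) are assumptions made for the illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Callable, Optional

TARGET_IP = "203.0.113.77"      # constructed sample (documentation address range)
SEARCH_SCOPE = "203.0.0.0/16"   # constructed: 65,536 candidates keeps the run short
INSTANCE_SALT = b"per-instance-static-salt"  # constructed


def unsalted_digest(ip: str) -> str:
    """SHA-256 of the dotted-quad text, as a naive 'anonymised' log would store it."""
    return hashlib.sha256(ip.encode()).hexdigest()


def static_salt_digest(ip: str, salt: bytes) -> str:
    """Same hash with one static salt shared by every record of an installation."""
    return hashlib.sha256(salt + ip.encode()).hexdigest()


def keyed_prefix_digest(ip: str, key: bytes) -> str:
    """Assumed mitigation: drop the host octet, then HMAC with a secret key.

    The protection comes from the secrecy of the key, not from the hash;
    whoever holds the key can still enumerate. Truncation limits what even
    the key holder can learn to the /24 prefix.
    """
    prefix = ipaddress.ip_network(f"{ip}/24", strict=False).network_address
    return hmac.new(key, str(prefix).encode(), hashlib.sha256).hexdigest()


def recover(digest: str, scope: str,
            hash_fn: Callable[[str], str]) -> Optional[str]:
    """Hash every address in `scope`; return the one whose digest matches."""
    for addr in ipaddress.ip_network(scope):
        candidate = str(addr)
        if hmac.compare_digest(hash_fn(candidate), digest):
            return candidate
    return None


def run_demo() -> dict:
    """Try to recover TARGET_IP from each stored form; None means not found."""
    key = secrets.token_bytes(32)         # held by the operator, kept out of the logs
    wrong_key = secrets.token_bytes(32)   # what someone holding only the logs has
    salted = static_salt_digest(TARGET_IP, INSTANCE_SALT)
    return {
        # No secret involved: enumeration finds the address.
        "unsalted": recover(unsalted_digest(TARGET_IP), SEARCH_SCOPE,
                            unsalted_digest),
        # Salt known (anyone with access to the installation): same result.
        "static_salt_known": recover(
            salted, SEARCH_SCOPE,
            lambda ip: static_salt_digest(ip, INSTANCE_SALT)),
        # Salt unknown (data only): the enumeration no longer matches.
        "static_salt_unknown": recover(salted, SEARCH_SCOPE, unsalted_digest),
        # Keyed digest, key unknown: no match.
        "keyed_unknown_key": recover(
            keyed_prefix_digest(TARGET_IP, key), SEARCH_SCOPE,
            lambda ip: keyed_prefix_digest(ip, wrong_key)),
    }


if __name__ == "__main__":
    for name, found in run_demo().items():
        print(f"{name:22} -> {found}")
```

The same reasoning applies to any identifier drawn from a small or guessable space: a digest of it is a pseudonym, and should be handled as one when deciding what a telemetry record reveals.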
Opt-out is honestly really bad and I find it disappointing that you think this is the right way to do it. The way Debian does this is pretty nice, you get a step on the installer asking if you want to enable it. The default option is OFF, you can enable it if you want at any time.
I'm not saying the Manjaro team is acting in bad faith, but these "surprise" enable telemetry updates are one of the reasons I got away from Microsoft in the first place. Whether the amount of shared information is reasonable or not is different for each user. Maybe you're okay sharing your country, other people probably aren't. Maybe they'll update the amount of information shared, maybe they'll turn it back on in another update. This break of trust is a slippery slope.
The argument you make that a person would be too distracted to notice this new telemetry update works the other way as well. A distracted user that does not want to share their location for whatever reason can now start sharing it without realizing. Distributions should empower the user, opt-out is empowering someone else.
I would like to have a Configure button besides Yes and No.
Opt-out is a huge problem if a device phones home before you can turn it off
I agree but we don’t have any indication that this it would. Right now we’re in the wait-and-see mode. The fact that they became public with this before doing it suggest that they’ll do it right.
Totally agree, just a thought that I had in a worst case vacuum. It definitely happens in the proprietary world. @@michael_tunnell. I think like you've suggested, Manjaro needs to do this right. I like KDE Plasma's slider approach at install
I think that as long as the collected data can be checked before it is sent by the user themselves, and the choice for participation is made during installation where everybody has to make the choice then that would be an acceptable option for me. Even if I would not check the data myself, enough people would check it to unearth any shenanigans/risk with said data.
This
There should be no asymmetry to withhold consent. Requiring an extra step to opt-out demonstrates little care went into it and does not inspire confidence. The simple middle ground is to present a mandatory Yes / No choice without a default. It's like a speedbump, but it's important enough to require the user to interact, and to demonstrate their choice is taken seriously.
Using a "No" answer as telemetry would be a dirty trick.
I agree, "opt-ask" is the way to go.
Even Michael's argument for opt-out seems to be basically: we want more people struggling to disable it or even never notice that their data is collected.
The face on the first thumbnail was hilarious
1- it should be opt-in only
2- it should list all type of data to be collected
3- any personal identifiable data should be replaced with hashed function (could be seeded with user account name for multiuser login)
1. if the user is asked before doing anything is that okay?
2. it does list all the data
3. there isn't any but still all data should be sanitized anyway
@@michael_tunnell 1. If the user is asked, I don't think it is opt-out anymore, it is "opt-ask" (the default, if no answer is given, has to be "no")
2. add a third button "configure", to choose the data to collect.
@snygg1993 1. opt-out means default yes but it is also possible to ask before yes is applied. Ubuntu for example asks the user before ever sending anything but the question is default checked with yes so the user is always asked first but it's still technically opt-out this way.
2. yes choosing what data is sent would be best
I fully agree, opt-out and there's no point bothering with implementing it at all. The statistics you'd be gathering would be minuscule.
I think your logic of “well, people aren’t going to do it if it’s opt-in, so we have to do it opt-out” is reasonable and effective but also very dangerous. That means your starting point is you assume you’re doing the right thing, and proceed to do so without spending the effort to try to convince them. That is some fertile breeding ground for abusive tactics in the future. Maybe you show your current data to your sponsors and they’re still not convinced, so you go and do more aggressive data collection, all the while believing you’re still on the good side. And it will grow into a “we’ve come too far to go back” situation. And then at some point you mess something up, and somebody caught you in the act, and the whole thing blows up, and at that point you have managed to poison the well for all other people who are doing any kind of telemetry, opt-in or opt-out anyway. This is exactly how the situation about telemetry ended up here in the first place, isn’t it?
The “proper” way in my view is you have to do it the hard way, namely you can only do opt-in, and you channel most of your energy into doing PSAs and changing perception that it will always be done properly, and also still, you’ll always ask before doing such a thing. You do this to foster goodwill in advance, for the honest mistakes that you’ll eventually and inevitably make in the future. This is hard, really hard, but the price of the alternative, of not doing so is too great in my view.
If you value efficiency and effectiveness above the proper respect, etiquette, and communication, you’re gonna end up at the same place as Microsoft now. Very few “evil” entities deliberately do evil intentionally from the start. The road to hell is more often than not paved with good intentions.
Well said 👏
So I'm at 9:28 seconds and I have to point out that if it's opt out, doesn't it mean that before you opt out you'll be sending the data regardless? Say you install Manjaro, it goes through its setup. Unless the opt out comes during the setup process, you're going to arrive at a desktop while in the background data is being "collected". Then you'd have to find how to opt out unless a popup appears telling you could opt out.
This is all crap. I remember back when I was first looking at Linux and for whatever reason I decided against Manjaro. I'm glad I went with something else.
Whenever a distribution (i.e. fedora recently) tries to convince that this type of data collection "will improve next releases" it NEVER seems to be accompanied with a commitment to report regularly to the end-users / contributors how their data actually resulted in specific improvements that would otherwise not have been possible. I still have to meet the first person/blog that explains with some clear examples which improvements can actually be expected? I basically just don't want those Kb/Gb data to flow out of my network without understanding the purpose.
Fedora is a spy, just like Windows and will be implementing AI. Garbage Distro.
Here's the thing about machine IDs/fingerprints. Just as easy as this "installed base tracker" can get them, so can other processes and use it as trackable device fingerprint that could eventually be matched to a regular personal identity by having more data matched to it. I don't feel comfortable with any fingerprinting and print-collection in databases out there. Those could be considered even worse than IP address tracking.
Opt-out is not okay, regardless of what data is sent. Unless before sending the data, the user is provided with a popup to send it or not and the ability to see what data is sent. There should be also an explanation to why this is being done and the option to disable this entirely. Only then it is acceptable to have this option enabled by default to me.
I agree. Opt-Out done poorly is unacceptable but if it’s done properly then I’m okay with it. That’s the basis for making the video to say opt-out can be done properly
I always opt in, especially for KDE
I too share info with KDE, but wouldn't with Manjaro. Besides I found Endeavour OS (really Antergos first) after Manjaro pissed me off too many times, and have had a great time using them and haven't switched distros, not even tried others ever since, Endeavour OS with KDE is like the perfectly tailored suit to me, because I get to be the tailor!
When you say always, do you just mean foss, or everything? Also curious about your opinion on it and why you always opt in.
@@swagmuffin9000 Good question . Only FOSS. I want to help these projects as much as I can. I also donate to KDE.
As long as it is for improving the software and the OS I don't mind.
They really need data to improve you know....
I suspect this is mostly an issue because of what Microsoft is doing. If MS wasn't doing their thing most people would not be concerned. I do agree there should be an opt in instead and I have no problem with the choice being given during installation even if, as you said, opt in is already checked. If it is too much trouble to click a box then perhaps they shouldn't be using any computer.
its ok to opt in
~manjaro
Is there no way to check how many downloads there are from the repos? Sorry if that's a dumb question. Also, want to get started coding an application to allow users to decide what data they want to send.
This is a good question and the answer is that Downloads are not a reliable way for many reasons. 1. Some people download once and use multiple times. 2. Some people download multiple editions to try them out and multiple distros ultimately landing on one but trigger data for dozens. 3. Some people get downloads from mirrors not from the original source so they aren’t traceable at all. 4. Some people use torrents which also skews the data
I like the thumbnail :D
I like Manjaro Cinnamon...but mine is already installed. Like you, I'll keep a weather eye out if an update slaps this opt-out on my existing distro. Aloha!
please watch the video before forming an opinion on what is happening, it's not some Microsoft type thing and it could actually be good for the ecosystem to do this and I explain why in the video
@@michael_tunnell Mahalo for your prompt reply!
I did watch, and I'm intrigued. I'm an old man in his 7th decade of life.
For my part, I don't approve of the timezone part of this metric-gathering change.
My threat model could never require such granular security...but very few people live in Hawaii. As a result, when I do browser fingerprint tests...as you can imagine...my browser signature is nearly always unique.
That's just a silly browser. What do pentesters and security people think about this stuff on their machines?
No big deal for me. Much aloha to you!
Ask
And I'll approve
Go behind my back
Time to install new distro
How do you feel about this case? Manjaro isn’t going behind users back since they are telling people up front about it and it’s not opt-out yet so no one has been affected by it unless they chose to
@@michael_tunnell "they are telling people up front" sounds like "it's written in the terms and conditions" to me.
@snygg1993 imo hearing what it “sounds like” and not what happened is problematic.
They decided to do data collection so they made a very public forum post on it and asked people to participate to test the tool and see what it does. They made it clear they plan to do Opt-Out in the future when the tool is ready, this means it’s opt-in right now. How it’s done matters but has not been defined yet so their transparency of it suggests it will be handled well, not what it “sounds like”
Why wouldn't metrics from the software repository be sufficient? It doesn't give up any information about the user (except IP address etc) and if you already have mate-desktop 1.28.2-2 will you generally download it again? No. If an organization has exactly 19 computers behind your NAT, it will generally show exactly 19 downloads to mate-desktop (for example). Now there are some software repository caches meant to reduce downloads for large organizations, maybe they could gather metrics from them to compensate? I dunno.
I just "undoned" Manjaro
Why?
Umm... no opt-out telemetry is NOT OK! it will NEVER be OK! I don't use manjaro and I will now never use it!
please watch the video before forming an opinion on what is happening, it's not some Microsoft type thing and it could actually be good for the ecosystem to do this and I explain why in the video
It's amazing how much manjaro fucks up. What a horrid distro.
good more people should do this. no ones gonna go out of their way to turn it on lol.
unless you're proofreading every line of code, they could just be stealing your stuff anyways. if they say they aren't abusing data you may as well believe them too
There's only 1 time zone in France if you wonder ;)
Most of Europe. I set some country and not mine.
Edit: was good thumbnail
I generally chose to allow Debian to know what I install when they ask during the install process
If not forced im ok with that
Personally I don't have an issue with this but it's a shame that this is coming from Manjaro. It's not like Manjaro needs more people to hate it.
Well it has been awhile since Manjaro screwed something up 🤣. I do expect them to do the right thing but probably in the "wrong way" given their history... something something certificates multiple times. In all seriousness it's not a distro I use but I look forward to seeing if they can change my opinion on the subject for sure. I believe even Fedora has talked about this as well so it's a matter of time before it comes to a distro near you.
Yes but this is ohh man disastrous
@samarthnagar2939 please watch the video before forming an opinion on what is happening, it's not some Microsoft type thing and it could actually be good for the ecosystem to do this and I explain why in the video
@@michael_tunnell Your thumbnail plays into glancing youtube users forming such opinions.
@VraccasVII it was meant as a joke because of the name being a bit odd but I totally agree and so now there's a new thumbnail
Great video and thanks!
Those saying "opt-out is never ok" did you watch the whole video?
Do you guys _want_ the linux to grow on the desktop? If yes how _would_ you prove to application developers that our userbase is large enough to be worthwhile?
opt-out is never ok.
If you would have watched the video, then you would know that even Michael's argument is basically: it has to be opt-out, so that more people don't know how to disable it or even never notice that their data are collected.
According to Michael's own definition, that is spyware. It might be legal and it might be done by all big corporations, but spyware is never "ok".
@snygg1993 that’s not at all what I said. I said it should be presented to the user prior to doing anything and giving the option to do it or not. That’s not even close to spyware
@@snygg1993 That is not what he said, he specifically said that the UX for opt-in would annoy the user too much for them to bother to opt-in,
Also please address the other questions, as those are the reasons why you _want_ users to opt-in (or not opt-out) in the first place
Manjaro just made it to my "never load this OS" list.
Is there a way they could add data collection and you’d be okay with it? If so what’s the criteria?
@@michael_tunnell there is nothing they could do that would make it ok. I left MS years ago because they behaved in a similar manner. Now, that same mentality is finding its way into Linux. They didn't ask if I was ok with it, they just announced they were going to do it. I've been running Arch for the past 5 months and I couldn't be happier. I've been distro hopping for quite a while until I finally decided to try Arch Linux... So, I'm home....
The other distros that collect data at least ask if it's ok and give the option to participate. Apparently Manjaro is taking a page from Microsoft's playbook and is just doing it regardless of how users feel about it. That's not OK.
I don’t know why you are saying that Manjaro is doing that. They are giving the user the option to do it or not. They haven’t even started the opt out process yet, it’s still testing phase and currently opt in. The question is how they do opt out, they might do it right or they might screw it up…we don’t know yet because it’s not happened yet
Isn't that going against the GDPR ? I've my doubt that this is legal. Manjaro is run by a german company so I think they technically can't do this. At least not without being opt-in by default.
No, the GDPR is about Personal Identifying Information and none of the data is personally identifying
@@michael_tunnell Ok. Guess I'm gonna have to replace the OS on family member's laptops. This doesn't seem too bad but I won't always be around to see how this evolve and the point of putting linux there was to secure their personal data footprint.
I don't think they would go as far as to violate the GDPR because they are based in Germany so I don't think Manjaro is a good solution for anyone who needs maintenance from someone else like friends and family because imo Arch and anything based on Arch are the worst options for that since it moves so much. I would just give them something Ubuntu based to lower my commitment to manage it
@@michael_tunnell Nope. Ubuntu is a constant bugfest with hacky solutions. Only thing that can go wrong with a basic user on arch are updates. And updates are not an issue if you pay attention.
@@michael_tunnell You may have a point about manjaro specifically though cause I definitely encountered my fair share of showstopper bugs with their update cycles. Maybe pure arch is actually a better bet... but definitely feel more hostile to new users.
Manjaro has always been a weird distro.
Does this affect Mabox distro?
It's not in Manjaro yet so not sure, but that's up to Mabox devs. Also please watch the video before forming an opinion on what is happening, it's not some Microsoft type thing and it could actually be good for the ecosystem to do this and I explain why in the video
@michael_tunnell Thanks. No opinion was formed. I was merely asking if you knew anything about Mabox. No worries.
Every time i hear about Manjaro it's always because of some controversy.
Opt-in by default collection of PII is illegal under the GDPR. Someone who works in marketing/advertising should be well aware of that. It's inherently impossible to anonymize PII or it wouldn't be PII to begin with.
Exactly. This might even get Manjaro into legal trouble here in the EU.
None of the data in question is classified as personal information and therefore GDPR is not applicable.
Since it's “open source”, it should be possible to screw with the data it's reporting. Pollute the data stream!
Why? They aren’t doing anything wrong in the first place plus if they sanitize and do it in aggregate it won’t matter because each machine will have a unique ID
Love your work MT.
RIP Manjaro.
i'll never use it again.
please watch the video before forming an opinion on what is happening, it's not some Microsoft type thing and it could actually be good for the ecosystem to do this and I explain why in the video
Neither will I. I don't trust anyone who collects data opt-out. You ask me politely before any collecting, and I'll consider it. You go behind my back and you're done.
Opt-Out does not equal “behind your back”, they are separate things. It is possible to be Opt-Out and completely transparent
@@michael_tunnell People nowadays have trust issues. We can all thank Microsoft for that.
i hope they learn from microsoft and make this disabled by default with maybe a pop up to ask to enable it
the problem with Microsoft doing what they do is not comparable to what Manjaro is doing as Manjaro doesn't take personal data and Microsoft does. Opt-Out isn't always bad, from Microsoft it always is but that's a different story
@@michael_tunnell thanks for clarifying im not big on any sort of data collection haha i do understand as a dev tho
I hope everyone who is cursing Manjaro so much for these don't use an Android or iOS device...
personally i hate telemetry , i am one of many linux users who dropped Microsoft windows for the telemetry crap , if all distros implement it then whats the point of using linux? my point is if distros REALLY need users data in the installer they ask if the user says NO then no telemetry tools installed.
What? Manjaro started to become like Windows Copilot AI and Recall spyware?
No, this is vastly different from what Windows is doing. I don’t think they need as much data as they are requesting but Manjaro is not requesting any personal data and they are giving the user the option to participate or not. Microsoft is taking everything about your computer and everything you do in it and you have no choice. These are very different things
@@michael_tunnell
Thank God... The last thing we need on Linux is a home made spyware like Windows did.
I am confident in saying that this would never happen because Linux is very much a privacy focused platform so any data collection would be done in a minimal way that doesn’t disrespect the users. I can’t imagine any distribution would do anything even remotely close to what Microsoft does
@@michael_tunnell
That's very good to know. Thanks for clarifying.
please dont use manjaro, linux mint is super easy to install
Why? It is also a decent distro. (As long as you don't use the aur, everything remains stable)
@@bhargavjitbhuyan9394 It's just a worse Arch linux really. They hold back packages by 2 weeks to make it more "stable" but in reality, you just get the same bugs as upstream arch, but 2 weeks later. If you want an "easy" arch-based distro, just go with Endeavour, Garuda, Cachyos. There are far better options than Manjaro.
@@bhargavjitbhuyan9394 it's arch on a fragile software set that can't handle different kernels and can't use the AUR
why bother?
endeavouros
@@whentheyD it is quite simple to use, boots fast and can be installed by a beginner and it has good hardware support. Why would a beginner need a different kernel than the stock one? Why would a beginner need the aur? There are flatpaks and snaps. If you want to use something else, it's your choice. But don't criticize something that's not meant for you. I have used Vanilla arch in the past as well. I don't use manjaro but don't criticize something that's not meant for you.
Makes me glad I've switched away from using Manjaro
What did you switch to?
I'm not happy with this I switched to Linux from Windows in April because of Microsoft behaviour and privacy
I'm using Manjaro and I don't want them to collect my Data
It should be opt In only if you want most people won't notice or fiddle with settings
People don't want their data to be used and sent somewhere 😢😢
So goodbye Manjaro, just switched to openSUSE
I hope Linux won't do the same like Microsoft?
please watch the video before making decisions on what is happening, it's not some Microsoft type thing and it could actually be good for the ecosystem to do this kind of thing
They are only collecting data about your hardware.
@@bhargavjitbhuyan9394 gateway drug to windows level telemetry
@@bhargavjitbhuyan9394 gateway drug to microsoft level telemetry
I think its one thing to make it opt in, not tell your users nor ask you on first boot (or at installation) your preferences (make it opt out there then?) vs just doing something and making your users "figure it out" hopefully they make the right decision.
I used to love Manjaro. This sucks
please watch the video before forming an opinion on what is happening, it's not some Microsoft type thing and it could actually be good for the ecosystem to do this and I explain why in the video
Google keeps deleting my comments, even though I am not doing anything wrong or violating any tos. 😡
Sorry to hear that, I looked in the held and hidden section for your comments but I don’t see any
@@michael_tunnell
I was talking about throughout my youtube surfing and participation in video comment communities in general. 😉
if things like this are future Linux then I'm going back to my private Windows 11 :)
Ya Manjaro is the least trustworthy. I bet it will even use old fashioned http.
Telemetry in Manjaro? Time to move to a new distro. rm -rf Manjaro*
One more reason to avoid Manjaro.
What distro do you use?
@michael_tunnell currently, Tumbleweed.
"I sure wish would port to Linux!"
"The vendor needs to know your machine really exists to make it worthwhile to them"
"I don't like that" (wash / rinse / repeat)
To me it seems mainline arch is the way to go these days.
please watch the video before forming an opinion on what is happening, it's not some Microsoft type thing and it could actually be good for the ecosystem to do this and I explain why in the video
@@michael_tunnell That's okay. I did watch your video all the way through. It's totally valid to not want any sort of telemetry on my system though.
It's totally valid to not want telemetry but if the distro gives the user the option to decline the telemetry then I don't see any contradiction to not having it because for that user they don't have it. As long as Manjaro does it right and gives the user the option to participate then I think it's okay to have it because for your individual case you could just say no to it.
🐧🐧🐧
AI generated thumbnail sucks, I’m out :(
The base of this is AI but I customized it a lot
Actually check out the Wordpress vs WP Engine video on the channel, that’s AI generated too and I like that one. What do you think
Moldjaro needs telemetry because they suck at development.
Russian Troll here - sad to say, but after 5 years of subscription - I see me unsubscribing, as your country has led wars - and therefore I can no longer accept your effort ... :,[
lol 😆
Just don't use any arch derivative distro, use arch instead. The only exception to this is artix.
Nothing wrong with Endeavouros, Cachyos, Garuda. It's really only Manjaro that I would never ever recommend.