One implication of this that some people don't realize is that a brand new Ubuntu instance -- whether a physical host, a virtual machine, an EC2 instance, whatever -- immediately calls home to Canonical as soon as it spins up for the first time.
The functionality is included in the "base-files" package, which has a priority of "required" and is marked as an "essential" package. Thus, if you have an Ubuntu instance, it's nearly 100% guaranteed this is installed and enabled by default.
(If memory serves, this was added in 17.04 or thereabouts.)
This is what drove me to use Debian. I used to spend quite a but of time hunting down telemetry and other canonical-serving crap, but I eventually got tired of it.
With this crap and others (e.g. aggressive snapping), Canonical is eroding trust in its most important market. Inertia will only take them so far.
Unfortunately I did find such a piece of software.
Is there a way to get the direct download link to a snap? Perhaps a manual way of downloading and installing a snap, that would suffice. I ran into issues (version incompatibility which in itself is not a problem, snap made it a problem) and they made me give up on installing a product that was available ONLY as a snap. They (some company) used to release their crapware as .deb and .rpm before which was extremely easy to extract and use myself (I would just download the .deb file, then do: ar x crapware.deb && tar xvf data.tar.xz), but now it is snap-only. I could not find any direct links on Snapcraft. I do not like this direction, to be honest.
This really shouldn't be required. If you are going to build-in anti-features, at least make sure that there aren't equivalent alternatives to your product. Ubuntu lost me when they started bundling all of the Amazon crap.
I don't think this is "calling home". Ubuntu has been pretty open with their "analytics", which are are really minimal (OS version + screen size + disk size + ...). And yes, they ask for consent.
I think this motd is there to (1) advertise more complex canonical products and (2) be used for security announcements.
Also, I don't think you ever see motd on a desktop install.
I used to have a privacy.sh script for fresh Ubuntu installs back on the Amazon shenanigans days. That file has been empty for a while but I guess I need to update it again.
Almost every service that phones home tells you that it is going to do so in an EULA that it makes you agree to. It still isn't ok default behavior. Its especially gross when your whole business is built on top of the open source community.
As someone who's worked heavily with both Debian and Ubuntu - they do.
There are differences between them but I am 100% confident that I can do everything that an Ubuntu system can, especially if we're talking about infrastructure.
One thing I'm really missing from Debian is zfs.ko.
It was always a big one for me, I ran with ZFS root for 2+ years and every kernel/zfs update was a bit of a Russian roulette (I did have to perform elaborate recovery once or twice). Even if it was 100% guaranteed to compile and work, there was 1. a very scary window during which if the system hung, you're semi-bricked; 2. the long build.
Running a desktop/laptop without a time-traveling file system is quite simply not an option (especially once you get used to it).
Hmm, this seems like a solvable problem - install the kernel on disk, but don't promote it to the default kernel on reboot until all the DKMS modules have built.
At that point, you might even be able to optionally background the compile process and have it run asynchronously and update your kernel only once it builds successfully.
Alternatively, teach GRUB to be able to boot "the most recent kernel with all of this set of modules available".
As a FreeBSD user that has had root zfs for a while, and used zfs on solaris before that doing the same thing. Explain how it isn't worth it?
Made backing out of patches easy mode, snapshot, patch, reboot, if its effed up, go back to the snapshot with a reboot. The only thing I've seen that comes close is NixOS, but it takes a completely different take on those kinda things. Better in some ways. But zfs root is great, means you can just set compression on for log dirs and don't need to worry about compressing logs. Fs takes care of that for ya, now grep works fine, no zgrep etc... needed.
I honestly can't see why you wouldn't want to boot off it. Hell I just upgraded my FreeBSD nas box at home, took a snapshot of the entire pool before I did just in case things went south. It may not be as performant as some filesystems, but to be honest, with nvme ssd's, its a non issue.
So explain how it isn't worth it in your opinion? Experience for myself has proven otherwise. And made me loathe BTRFS for being so behind zfs of even 10 years ago. (I've had BTFS zero out data for a Makefile I had open while running make, if it wasn't in a git repo I would have been super pissed off)
It's not a big win because the OS shouldn't have much data of any value, for similar reasons we don't generally back up our OS installs.
It certainly shouldn't be in the same pool as your actual data, the stuff you back up. /home can live in that pool though.
I have to squint really hard to see the upside of snapshotting anything other than things like /etc - I have in the past put /etc in git just to track ad-hoc changes.
Overall, for the base OS, a minimal set of defaults + a provisioning script does me.
This is theory vs practice at its best, I've been running zroot from January 2017 until April 2019 on my primary machine, and got lots of empirical data (aka scary stories) to back up my claim ;)
a version 1 only works with b version >= 1 and <=17 is pretty basic stuff. If someone isn't doing it than submit an issue and run your own repo that does
I'm typing this from an LG Gram 17 laptop running current Debian. Before this laptop, I used a Dell Inspiron N7110 for many years, also running Debian stable. I basically never need to use anything else to get work done.
I will grant that a few things are a bit fiddly -- touchpads are iffy sometimes (and infuriating on the LG Gram because it's got a new one) and function keys sometimes don't work. The Gram had a booting problem that has since been resolved (https://bugzilla.kernel.org/show_bug.cgi?id=203617) but also had workarounds pretty quickly. So for some hardware, yeah, it's not a good experience for people used to just running Windows.
But there's also lots of hardware for which it works just fine out of the box, and for experienced Linux people, it's not usually that hard to deal with the sharp edges.
> Try getting Debian working on a laptop. Those "non-free" packages in Ubuntu make a huge difference.
I'm typing this on my "workstation" but, sitting here on my desk, there's a laptop running Debian on either side of it (and there's another one across the room).
I can't read your mind so I'm not sure what issues you've encountered attempting to run Debian on a laptop. Apparently I have already figured out how to workaround them (but I've also been using Debian for ~23 years so perhaps that has something to do with it).
I have several laptops, all of which run vanilla Debian.
"non-free" is an official Debian repo. It's not enabled by default, but that's a single line edit in sources.list. And it has all those non-free video drivers etc.
There's also an unofficial Debian CD image that includes non-free packages, for those cases where you need that stuff during installation time.
I am using it on my laptops without any trouble. You simply enable the non-free repo and the only difference becomes how much purple you have in the default themes.
Of course any open source system can be changed into any other. But the question is how the default experience works for people who don't want to tinker much.
Many things. Mostly PPAs. I can install Ubuntu Stable and use the most recent version of PHP, which has been built and is stored in Canonical's servers. With Debian, that's a gamble: either wait until the Debian developers stop bikeshedding and upload a new version of PHP to experimental, breaking all my system if I install it, or I have to add a repo from some guy I don't know or trust.
They're not saying that Canonical audits the sources. They're saying that because the person running the PPA uploads the source and Canonical's servers build the packages from there, as long as you trust Canonical you don't have to worry about the binary matching the source. For the majority of us who aren't qualified to audit the source itself directly, being able to trace the binary we're running to source that someone could audit is the best we can hope for.
Of course in the years since the PPA system was introduced we've seen a lot of projects push in to reproducible builds which somewhat negates that concern, but there are still a lot of us who would rather not go through that process for every random binary we want to run. Having a third party that we inherently trust because they built the rest of the operating system building the random packages we want has an appeal. Also for the devs/packagers free hosting by the OS vendor is nice too.
I still don't understand why folks don't just build things like PHP from source. On either my desktop or production servers building a package missing from APT has never been a problem (on either Debian or Ubuntu, but I strongly prefer Debian). Then you don't have to trust anyone... /shrug
And what's even worse, if you install Docker containers you don't build and manage yourself, you're pretty much right there again with "I don't know or trust" as your means of security.
Just to expand on the "build from source" bit, apt-get can not only download packages in source form but also build binary packages in literally one single command.
This makes the cases where you want the full Debian build but with a patch or just stepping the version easy. That's useful when you need to patch a package or can't wait for an upstream security fix.
Too often I see people building upstream packages "by hand" in those cases. The packaging tools are great and any Linux user is greatly helped by taking a few minutes and learning the basics of apt preference files, package selection and source packages.
Not a downvoter, but if you think that compiling from source means you don't have to trust anyone, then I encourage you to read a paper called "Reflections on Trusting Trust" by Ken Thompson.
It's a very famous computer science paper, pretty easy to read. Nothing niche or controversial. I'm sure you'll find it interesting.
People should really expect Ubuntu to call home. This is the same OS that for a while used to send every filesystem search you did in the default GUI to Amazon so that it could include ads in the results.
I'm not even saying this is bad. Ubuntu has to fund itself somehow. But people should really know what they're getting. Ubuntu is not a privacy-focused or user-centric OS. It's the Windows of the Linux/Unix world.
Well now this just makes my "Linux Desktop recommendation guide" even harder since the whole point of Linux distros these days are supposed to empower the user to have complete control over his/her computer and OS which is what Ubuntu was supposed to be doing and is viewed as the ground zero of introducing Linux to newcomers.
> I'm not even saying this is bad. Ubuntu has to fund itself somehow.
Oh dear. You make as if its fine for the users to give themselves up to Ubuntu (and Amazon) to be mined by the distro that does call itself "privacy-respecting" and "open-source"; some may call such claims misleading in the light of this now. Due to your defeatist rhetoric in supporting these overlords, I would have to change the guide to support the devil I know that can't read my encrypted data, rather than two or eight unknown devils that can.
At least with macOS its all "encrypted" and has sane defaults with a consistent user interface and when some settings are turned off, they stay completely off.
> At least with macOS its all "encrypted" and has sane defaults with a consistent user interface and when some settings are turned off, they stay completely off.
Wait, what. You can completely disable any "phone-home" features of Ubuntu. Actually, you can make sure that this feature is disabled by removing the corresponding package of your system, something that isn't possible in macOS. And you can also audit the code, because all this code is actually open-source [1].
Also, this controversial feature of Amazon search could be disabled quite easily [2], and this motd can also be disabled [3].
So sorry, Ubuntu may have some controversial features, however saying that using macOS is more privacy-respecting than Ubuntu is a lie. They are at least at the same level, however considering that I can't get the source code of macOS and make sure that turning off a knob will stop spying on me, I still think Ubuntu is better than macOS in this point.
Privacy is not a super-set of Open Source. They're two different things; somewhat correlated, but only insomuch as the auditability and self-correction of any claims to privacy may be.
Auditability is important, but most people won't do it, and even those who do miss things; OpenSSL is fully auditable, yet security bugs are discovered every year. Its not the same thing, but its in the same vein; just becuase we're capable of catching a needle among the haystack of a million lines of code doesn't mean we will (in the case of the MOTD, its less of a needle and more of a giagantic pile of crap just laying on top).
Self-Correction is important, but even fewer people will do it. Defaults Matter. People just don't dive into VSCode and rip out Microsoft's analytics tracking code en mass. It doesn't happen. People use the defaults.
In the face of these two assertions; Open Source is important in the fight for Privacy, there's no doubt about that. But even more important than that is Trust. Its not enough to see the code; its important that the organization and people writing it have a demonstrated history of caring about the privacy of their users, and that they've taken both "table-stakes" and "above and beyond" steps to assert their position on the matter on behalf of those users.
Canonical does not have this demonstrated history. They barely lurch in the right direction, against their collective wills, when we care enough to crusade across the internet to convince them that they're wrong. By comparison; Apple does care. You can complain that its in the interest of their profit margins (OF COURSE IT IS) or that its genuine (I'd bet my net worth that this is also true); it doesn't matter. They productized full disk encryption with hardware security modules. They don't just support hardware MFA; they make it the default. When they realized phones wouldn't have the power to do natural-language processing on voice in the same way servers do, they didn't just throw their hands up and move everything to the server like Google did; they made better silicon. That's their history; Canonical's history is sending keystrokes to Amazon so they can sell you more expensive toilet paper. The most knowledgeable Ubuntu users turn this off; the most vulnerable won't even know its happening.
Everyone is welcome to their own opinion on this, and you're also welcome to place the value of open source above the value of privacy; but I take the stance that Privacy isn't negotiable, and its more important than a product being open source or having privacy if you tweak the knobs in just the right way.
> Self-Correction is important, but even fewer people will do it. Defaults Matter. People just don't dive into VSCode and rip out Microsoft's analytics tracking code en mass. It doesn't happen. People use the defaults.
I concur, defaults matter. I am not saying that Ubuntu is a distro for privacy conscious people, however by default macOS and Ubuntu should have similar levels of tracking (however I do believe that Apple OS phone home much more than Ubuntu, AFAIK the actual tracking/telemetry of Ubuntu is minimal while macOS has the standard for a proprietary OS [1]). That is, much better than Android or Windows, however worse than a distro like Debian, for example.
> In the face of these two assertions; Open Source is important in the fight for Privacy, there's no doubt about that. But even more important than that is Trust.
Sorry, there is no way to trust closed source software. I really think it is strange people claiming that Apple are respecting their privacy and when Apple does things that are controversial to privacy (like the time they're got tracking GPS in iOS devices) they just say "hey, Apple does respect my privacy so it is fine".
For another example, Apple must receive everything you type in Spotlight so they can show search suggestions, exactly the same as the Ubuntu case, however in Apple case it is fine for some reason. Go figure.
I think you're right that you shouldn't trust Canonical, however you shouldn't trust Apple either just because they say in public that they love privacy and because of some of the things they divulge to public, because in the end this is all propaganda: while it is really nice that they have things like encryption by default (BTW, encryption does not increase privacy because if Apple wants they could still read every file in your system), you can't trust Apple that they don't do other nefarious things.
Just to conclude, I think Apple is more trustful than say, Google or Microsoft. However I wouldn't put macOS as a more privacy OS than even Ubuntu (since like I said, the amount of telemetry in Ubuntu should be minimal compared to macOS, and we can never know because it is closed source), and Debian and other Linux distros is really above anything macOS can offer in terms of privacy [2].
[1]: I don't know macOS, however I have an iPadOS and by default it enables by all kinds of analytics, and also generates a unique track ID for ads (you can disable both, however this is the default and at least the option to disable track ID for ads is not shown in the Welcome Wizard, maybe the analytics is shown however I don't remember).
BTW, just looking at the information that Apple makes available in iPadOS about "Analytics Data" it has WAY more information than anything that was said in Ubuntu in this thread (if you want to check just go to Settings->Privacy->Analytics Data). I think macOS should have something similar, but maybe someone else can confirm to me.
[2]: Privacy, not security or other things. Security is something questionable, however I do think most recents version of macOS seems more secure than your traditional Linux distro.
> I don't know macOS, however I have an iPadOS and by default it enables by all kinds of analytics, and also generates a unique track ID for ads
1) Apple aggressively asks about analytics, doesn’t “default on”. Every major update to the OS it asks you again, so your claim Apple does as Ubuntu there is flat wrong.
2) the unique tracking ID is app specific and resets on user request or app uninstall. This is far better than what was there before on a privacy front.
1) Saying "I want to enable analytics" and marking all options to send analytics by default (since they know most users don't read anyway) is what I am saying that Apple "defaults on". This is still better than other OSes, however if you really are a "privacy first company" is not enough.
However sure, I didn't explain correctly and I don't remember the last time I setup my iPad (this is the only Apple device I have so this will what I will be using for comparison).
2) It still shouldn't exist, or at least they should ask in Wizard because this option I am sure they did not ask because I had to search on how to disable it (and the way to disable it isn't obvious either).
Then you must not be up to date then, because at least iOS 12 and iOS 13 both re-asked after updating.
> It still shouldn't exist
In a utopian world, I agree. But there are legitimate business needs for something like this to exist, and if you don’t provide a method with an acceptable compromise (neither side likes it, but that’s usually the case with a “compromise”) between user privacy and business need and mandate only it’s usage (which Apple did), then apps will do far worse. Just look at the shenanigans pulled on the web.
> Then you must not be up to date then, because at least iOS 12 and iOS 13 both re-asked after updating.
I am up-to-date to iOS 13, however since iOS 13 was basically my worst recent experience with an OS update (tons of things broken and took a while to fix it) you will have to excuse me that I don't remember they asking my privacy settings.
> But there are legitimate business needs for something like this to exist
I didn't say it shouldn't, because I understand. However if Apple is really privacy, they should put this option in wizard with default off, and say something like "if you want personalized ads turn this on". The fact that they turns this on by default and don't show in wizard is my point.
> However if Apple is really privacy, they should put this option in wizard
I agree with you in theory, but read my point again. If everyone disabled it, then app developers would find a worse way (privacy wise) to accomplish the same goal.
I honestly don't know what advice to give people at this point (they keep asking me) other than "try building a simple OS with busybox and a kernel so you can make an informed decision based on your needs."
Literally everything you can't read and understand the code to seems to be actively hostile, I'm surprised clang doesn't call home.
Don’t you think it’s weird that we let all processes on a computer have unrestricted access to the network/internet by default? Isn’t that the problem? Access beyond the computer should be by consent only.
I am not surprised. It seems like every piece of software with enough people and commercially-oriented interests will silently phone home now. Whether it's open-source doesn't matter, they'll still do it regardless of what others think.
Tbh I find the Ubuntu message of the day quite useful.
The "adverts" are benign. Right now it says to check out microk8s and also to look at livepatch.
But logging in and seeing a summary of: loaf, disk usage, processes, number of users logged in, IP addresses, memory usage and swap usage, kernel version and also last login time and from what IP.
That's pretty useful stuff to me.
Also if you're in the position to care about motd, you're going to have the skill to change it yourself.
> The "adverts" are benign. Right now it says to check out microk8s and also to look at livepatch.
My distro shouldn't be advertising to me. Call me "old school" but this has no place in Linux. Also, if you're in a position of trusted compute then you don't want this sort of information leaving your network.
> Also if you're in the position to care about motd, you're going to have the skill to change it yourself.
Yeah - and I feel I shouldn't have to add it to my images/recipes/whatever to fix this. I use Linux for a lot of reasons, and some of the most important ones are that it doesn't advertise to me and/or leak data. This is telemetry and it's unacceptable.
Alternatively: Why not let the people actually making the distros decide what and what not to throw in them? Users can decide what to use, and users have decided to let Canonical win.
I don't use Ubuntu, and you don't have to either! It's almost like there are millions of Linux distributions!
> Alternatively: Why not let the people actually making the distros decide what and what not to throw in them?
I'll argue that utilization of Linux comes with certain "expectations" which is why so many of us decide to use it in the first place. Some of those expectations include (but are not limited to) rock-solid stability, "be good at one thing", lack of bloatware, sane update/upgrade cycles/policy, privacy, and security.
I've been using Linux professionally for just over 15 years now, sometimes in highly compliant/systems-critical infrastructure. The privacy and security bullet points above are the most important factors to me when designing and/or hardening systems.
> I don't use Ubuntu, and you don't have to either! It's almost like there are millions of Linux distributions!
Actually - I had to at my last position. When people make technology decisions they often go with the most popular/"safe" options and then dictate the decision to those implementing it. Welcome to corporate America (which is where the jobs are). Everything new was spun-up with Ubuntu as a base distro and you better believe I manually opted-out of this "feature".
---
There's a big problem when the most popular distro starts making moves like this as it sets precedent that it's OK. Canonical has made the decision against privacy/security in regards to their motd and that's a huge issue, and I argue it goes against the ethos of Linux and OSS.
There's a big problem when the most popular distro starts making moves like this as it sets precedent that it's OK. Canonical has made the decision against privacy/security in regards to their motd and that's a huge issue, and I argue it goes against the ethos of Linux and OSS.
You're using "OSS." "OSS" is the word that caused this situation! "OSS" was intentionally a term to make free software corporate. Canonical's just doing what people who use and coined "OSS" started: making free software corporate.
In the Free Software world, this is bad, but in the corporate world that "open source" advocates have brought among us, this is normal. It's perfectly fine: open-source software is for-profit, not for the common good.
I dislike the idea of tying particular political or economic philosophies together with a tech stack like Linux.
Everyone can distribute linux distributions however they see fit, it's an open platform and if that includes telemetry by default that's fine too as users have choice. I don't think anyone uses a Canonical distro and is genuinely upset or surprised about this particular benign case.
The linux distribution space is truly one of the few places where we can't make any excuses about market power or lack of choice. There are a billion distributions, almost all of them free. Users will pick accordingly, and my sense is that virtually nobody cares about this particular case of telemetry.
I am upset, and I do use ubuntu, and I am reconsidering that.
It isn't about politics nor economics. It's about privacy and control. That is linked with Linux for a lot of users. And Linux users have a pretty good situation in regard to this.
But it is starting to erode and if allowed can only get worse.
It is unacceptable and the fact that canonical don't realize this is why I'm thinking of alternatives.
Especially considering the use case. Either they haven't got a clue, or they are testing the waters. Does not look good any way you look at it.
>> I am upset, and I do use ubuntu, and I am reconsidering that.
Good for you, but don't you sort of expect this with Ubuntu? It's obviously pushing in a different direction from the likes of Debian. I'm not sure most reasonable people have much sympathy for you here.
>> It isn't about politics nor economics. It's about privacy and control. That is linked with Linux for a lot of users. And Linux users have a pretty good situation in regard to this.
Privacy and control are intermingled with politics and economics. A quick analysis of Ubuntu and Canonical would have suggested that this risk exists for you.
>> But it is starting to erode and if allowed can only get worse.
You are naive if you think that it won't erode further in your view. Economics and the desires of Ubuntu audience will result in further "features" like this. It's inherent in their mission and they don't particularly care about you.
>> It is unacceptable and the fact that canonical don't realize this is why I'm thinking of alternatives.
They do realize this. They just don't care. You are the type of customer they want to fire because you aren't their audience, yet fight their choices.
>> Especially considering the use case. Either they haven't got a clue, or they are testing the waters. Does not look good any way you look at it.
It doesn't look good to you, but it's a trade-off with their users because it's intrinsically tied to their audience, economics, politics, etc. Don't forget that audiences can change. The customers that brought them to this point may not be those who take them to their next goal. It's just business. You can say Linux is more than business, but it doesn't really make an impactful argument.
> I don't think anyone uses a Canonical distro and is genuinely upset or surprised about this particular benign case.
I've had to use Ubuntu in an environment with high security needs/regulations. I've had to disable this exact feature because leaking OS versions, network information, etc. externally via that user agent string was unacceptable from a security standpoint.
I was upset that something as simple as a motd had been retooled to leak data.
> and my sense is that virtually nobody cares about this particular case of telemetry.
And in my real-world experience I've been paid to care. When forced to work with Ubuntu (which is everywhere these days) I have to "reign it in" with custom images/scripts/etc.
> I dislike the idea of tying particular political or economic philosophies together with a tech stack like Linux.
This isn't "political or economic philosophies" this is security 101. Leaking data like my OS version, IP addresses, when admins are doing their work, etc to the public internet is a hard "no" for anyone who's operating in any semblance of "best practices".
not doubting your experiences but just out of interest if you can tell, what security-relevant sector uses stock ubuntu and exposes themselves to the internet like this? I've never seen a setup like that before.
PCI environment for a household name ecommerce application with millions of users.
Also we didn't use stock Ubuntu - I/we had to get it to not phone-home... it was just extra layers of "we shouldn't have to do this" in regards to managing the OS.
I left the company when it was apparent that "security culture" were just buzzwords they would repeat in meetings to make themselves feel better vs. an actual core competency. They had more resources assigned to migrating our WordPress blog to K8s than they did for the credit-card handling infrastructure.
Honestly Ubuntu was one of the least of my worries, but after the experience of getting it to "shut up" and stop phoning home I made the decision to never recommend it moving forward as a security best practice.
I still consider originating IP address to be a leak - what about private intranets, processing-only infrastructure etc? Not everything is a traditional public-hosting model.
In the screenshot posted you can see the following data is being sent out:
And yet, technology stacks aren't exempt from social and economic dynamics. Technology stacks are tools, means to a wide variety of ends. And as such, if they are freely available, people can and will use them for whatever purpose or need they seem fit.
As such, linux is just as much a product and a service as it is a technology tied to very real markets and niches. And it with that come the exact same concerns you'd find in any other market.
Your observation is totally correct: there are tons of distributions and there is plenty of choice and people don't care.
But that choice is far from granted, and it's not an argument that deprecates questions about moral responsibility: Are companies providing a service/product entirely responsible for the consequences? Or are customers entirely responsible for their own choices and behavior? Or is it both?
Let's use an analogy to demonstrate. Bread is a great example.
The vast majority of people eat bread daily. And so there's a huge demand. But the market has consolidated in some places and so many people end up buying bread from retail chains. Sadly, such bread is a processed food and contains many ingredients that aren't that healthy such as emulgators (E-numbers), or loads of sugar.
You could argue that people still have a choice: You could go to an artisanal baker. Or you could bake your own bread: the recipe isn't that difficult and requires few raw ingredients. So, why aren't people doing that when they know retail chain bread isn't good for them? Three reasons: because artisanal bread is expensive; it's a different shop from a centralized retail shop and making decent bread takes time and skill. Consumers simply calculate cost/benefits: buying cheap bread is far more convenient in the short run, even though the long term consequences may cost more.
Okay, so how does that hold up with Linux? Same thing.
Ubuntu is huge because it was successful in it's marketing early on; and it did a bang up job in creating an effective onboarding experience for new linux users. You can argue about their design choices over the past 15 years, but in the end, they have been ahead of the competition when it comes to tapping into a new generation of users.
As time went on, what you see is that the Ubuntu community has spawned a huge volume of documentation: tutorials, videos, stackoverflow posts,... Google "how to install sound drivers in linux" and your first hit will be tutorial for Ubuntu. Whereas trying to find the same information for lesser known distributions might be just a tad harder.
And that's what makes all the difference. Convenience. If you spend an evening trying to fix your damn audio after first installing Slackware, and all you find is Ubuntu tutorials, you will likely just switch over to... Ubuntu. Especially if you aren't particularly interested in the design philosophy of Slackware, or who these Canonical people are anyway. You simply want to listen to your favorite Spotify playlist, right?
So, the issue here is that both retail chains and Canonical understand that the vast majority of people simply want convenience and they will easily choose it over principle or their own self-interest. And so, it's extremely tempting to exploit that.
The question then becomes whether it's morally right to tap into that and take more from your customers or users then what they are bargaining from. Especially when they aren't really aware you're doing it. Either by using ingredients that aren't prohibited, but clearly unhealthy, or by using techniques to gain more insights about their behavior. Especially when everyone sells them "Linux doesn't do that unlike Apple, Google or Microsoft".
And so, ever more people will keep choosing Ubuntu over other distributions, even when they do have a free choice.
The mere existence of a choice isn't a defining factor at all, it's everything else: available tutorials, number of users, onboarding experience, how quick they can get things working and so on.
Tis where the discussion does turn political. The public space is regulated through laws for many reasons. But such rules and laws aren't static. They can change through political discussion and ever changing power balances. And so, consumer protection laws exist not just to protect individual consumers, but also to ensure that large, unintended second order effects of new products and services don't cause shocks that might derail an arguably stable society.
If retail chains are free to add more and more unhealthy ingredients to their food products because that clearly drives costs down and attract more customers, the societal cost will be an increasing number of people who suffer from health concerns linked to consuming those products. Not because people don't mind their health, but because convenience forces them, and the alternatives are simply too costly.
By the same token, if companies are free to build in all kinds of telemetry sending scripts, that won't stop people from using those products as they prove to be really convenient. But the societal cost will be that private enterprises are able to derive very accurate profiles about who we are, and what we want, and use those in ways that don't align with the interests of users of their software.
I find features like this to be useful as well - as long as I've opted-in. This is not a "sane default" - this is telemetry enabled out-of-box which is something that I'm vehemently against with Linux.
What systems do you come in contact with? What sort of responsibilities do you have on your job site? Anything critical?
And look you dont need to answer those questions either, but take it from me, that kind of thinking and attitude will tank a business and eventually compromise or overburden IT, who will just jail-firewall Machines running that kind of code because its impossible to reign-in in a militerized zone such as a company with over, say, 150+ employees, let alone anything major.
The adverts are telemetry, which I don't appreciate being forced to deal with, and especially in open source. At best, it is delivering a broken product to fix, a typically shitty corporate behavior that attempts to grab something in their interest at the cost of being customer-antagonistic.
Not like it is the first time. - in the past, Ubuntu has demonstrated a willingness to sell surveillance of their user base to a third party[1].
It makes me trust the company less and worry that if their fortunes or management changes, they'll do slimier, less obvious things.
I suppose this all is ultimately a positive thing. Greed heads serve the function of keeping distro-churn up when they do something gross enough to chase people off, which helps keep the ecosystem healthy.
My company puts hosts info into the motd (I think via the global bashrc, but it could be a cronjob/deployment utility that triggers the update). It's very useful to find out the vitals at a glance when you remote into a random box.
I've never seen the motd come up on my laptop. When I open up a GNOME Terminal, it doesn't print the motd by default. I've only seen it when I ssh into another machine, or log into a console. If this is supposed to be phoning home for analytics purposes, isn't it missing a big chunk of data?
Also, wouldn't apt be a much better source of analytics data? Yes, there are apt mirrors which aren't controlled by Canonical, but most people would be hitting ftp.{countrycode}.ubuntu.com, or at the very least be downloading http://mirrors.ubuntu.com/mirrors.txt.
> The default configuration is that this "motd-news" feature is enabled and that it will check https://motd.ubuntu.com for updates. That check is not done at login time, but is periodically done (every twelve hours or so) and the result is cached.
I’ve returned to vanilla Debian as of late and it’s refreshing. My gripes are the guided installer always insisting I need a swap partition and no sudo out of the box, but those are easy enough to overcome.
It’s nice to see only a handful of processes running on a new setup.
Agreed about the swap partition but Debian has supported sudo out of the box for many years, the UI is just unintuitive. If you leave the root password empty the Debian installer will install sudo for you.
You are right, there is indeed text indicating that.
However, even the text itself is worded to leave out the sudo implication to the end of the whole paragraph, which is typically skipped by anyone who simply wants their OS installed.
Not anymore. It was removed in stretch, I think. The reason is that systemd won't let you into single-user mode if the root password is unset.
edit: If, after installing, you install sudo and manually disable the root password, you won't be able to boot to the rescue or emergency targets; a valid root password is now required by default.
If you want them to work without a password, like classic "single-user mode", you can edit both the rescue and emergency unit files, and add the --force flag to sulogin.
How that part of the installer works is kinda stupid, too.
The popularity-contest package is installed, you're asked whether you want to participate, and then the package is uninstalled when you say no -- as opposed to asking and then installing the package if you say yes.
You almost certainly do want swap (in the 99.9% case).
I had a better / more elaborate explanation bookmarked somewhere but can't find it now, the tldr is a "modern" OS (past ~2-3 decades) wants the freedom to manage anonymous (malloc) and named (mmio) memory between physical RAM and disk devices. Disabling swap means the OS must always keep the anonymous pages in physical RAM, which negatively impacts any IO-bound workload (can't cache) and, ironically, puts more pressure on the disk.
So unless you have an extremely specific and finely tuned use-case with lots of benchmark data, the OS will almost always make a better call.
You do probably want swap, but the comment you are replying to is talking about a swap _partition_ and that is not the only way to do swap. Using a file instead makes it easier to change the size of your swap, some people prefer that.
Again, what about sticking to a sensible default that covers the 99.9% case? The installer is hinting you to do the right thing (to create some swap), even if it doesn't provide all the possible myriad options. Swap files vs dedicated partitions have different trade-offs, if you start going that route it's easy to start blaming the installer for having less power/flexibility than invoking debootstrap directly.
I would say you have that a bit backwards, Ubuntu exists because of Debian - not the other way around. This would be like saying children are the reason parents exist.
Ubuntu has given me PTSD for anything that ever slightly resembles it so I will take a pass on Debian - many other distros out there.
This would be like saying children are the reason parents exist.
From an evolutionary standpoint, kind of.
In nature there are a bunch of species that have one/all of the parents die after the offspring are conceived/born. The same applies for Linux distributions a surprising amount of the time.
What this means in this context is that Debian is still relevant and useful rather than a relic. It's the biggest community-based rather than company-supported distro and rejects such features.
“uninstall ubuntu” makes things easy enough and its just two words. I actually consider it sage advice, not even cynical. Its very unacceptable behavior.
These are the kinds of packages that get uninstalled immediately, and then configured in my config-management to remove on sight. Debian luckily doesn't do crap like this.
I mentioned it in another comment but this functionality is included with the "base-files" package:
$ sudo apt remove base-files
...
WARNING: The following essential packages will be removed.
This should NOT be done unless you know exactly what you are doing!
base-files bash
...
You are about to do something potentially harmful.
To continue type in the phrase 'Yes, do as I say!'
?]
Have fun with your broken system after removing that!
The best you can do is disable it (and hope it isn't silently re-enabled later):
HN commenters sometimes ask why bother with DNS-based ad blocking when one can just install a browser extension.
This is why.
There seems to be one assumption that all online advertisers and telemetry implementers make. They assume the user is not in full control of name resolution. ("Full control" as used here means relying on whitelists not third party blocklists.)
In this case, they assume motd.ubuntu.com will be resolved without any user input. "Without any user input" here means the user never looked at the domain "motd.ubuntu.com" and made a decision whether it was needed or not.
I'm assuming Canonical wont remove it due to it "increasing customer synergies" or similar.
Perhaps we make a package that patches this out? I'm thinking of something that detects this file and replaces it rather than a manual process. That way it gets fixed whenever "base-files" or whatever gets its updates. Make it a depend on base or similar.
Somebody with a sharper set of teeth and specialised dorsal fin might want to do an audit for similar shenanigans. Canonical have "prior art" for this kind of thing. I doubt this is the only addition.
This is perhaps an unpopular opinion, but I wish Canonical would just charge a small amount to download Ubuntu. I don't pay money for Ubuntu, everyone I know doesn't pay for Ubuntu. Nothing is free. Individuals and corporations need to make money. I just hate that adds are the default instead of charging me a few dollars for useful software.
Yeah, unfortunately there are some really big issues nobody has a workable solution to yet:
- There is a vast income discrepancy across the world. For some people $1000 for an Ubuntu copy would be cheap and for others $10 would mean going hungry. Not to mention all the people who have no good way to pay online, such as people without a bank account. (And without a bank account, how do you even get started with cryptocurrency on a minimally powered machine?)
- Ideally the price would be as much as it's worth to each user, but there's no way to determine what each user thinks it's worth (except in a utopia of perfectly honest customers, which presupposes perfectly honest businesses).
- As much as I hate ads they are probably one of the easiest ways to get a relatively steady income stream no matter who the users are.
Yes, I agree. I think there is going to be a move away from the free/spyware based model back to actually paying for the services/product. There is far too much corruption with the former.
I'm not sure if this data they're collecting (if they even are storing it long-term) is even being sold.
Like the other commercial Linux distros, Canonical profits from support.
Also, now it seems that even when you pay for the product you're not guaranteed to have something that doesn't include spyware. Windows 10 is a great example of this.
Right now I am using vanilla Debian. They have tons of packages available and they aren't pretending to be anything other than free. I really like RHEL/Centos. Buying RHEL for personal use is a bit expensive and they are pretty sparse for available packages, EPEL helps but is still way behind Debian. Once EPEL fills out more for Centos 8 I will probably switch to that. RHEL/Centos are just bulletproof if they have the software you need/want. Fedora is nice, but the constant updates (including major kernel versions) just don't work for my use case. I need a stable kernel. I work a lot with hardware and need my drivers to keep working.
I think jumping to the conclusion that there will be banner ads is a bit of an over reaction. Right now the adds are fairly innocuous, but it is still frustrating that adds are the default instead of just charging me a few dollars. I have no idea, but I would think $5 or $10 would be far more than they could get showing me a couple adds. Though if they decided to charge even $5 to download Ubuntu people would lose their minds more than they do with small adds like these, and so here we are.
# If we're not forcing an update, and we have a cached motd-news file,
# then just print it and exit as quickly as possible, for login performance.
# Note that systemd should keep this cache file up to date,
asynchronously
if [ "$FORCED" != "1" ]; then
if [ -r $CACHE ]; then
echo
safe_print $CACHE
else
: > $CACHE
fi
exit 0
fi
None of that code in the tweet actually runs at login.
1.) no software I've ever written is installed and enabled, by default, on pretty much every Ubuntu instance created in the last ~2.5 years (whether the "owners" of those instances want it or not),
2.) I certainly never claimed to write 100% bug-free code (in fact, I will freely admit that I absolutely DO NOT write bug-free code!), and
3.) this discussion really isn't about me or any code that I have written.
(If you're the one that wrote whatever caused the bug and my comment caused your feelings to get hurt, sorry, but software bugs are a fact of life.)
Comparing some annoying adverts to a nuclear power plant operation system failing is... Something.
If it was just about the ads, I'd agree. But comparing it to BSD is silly. BSD doesn't have scriptable motd and I'm supposed to act like that's obviously better? Eh.
I am partially responsible for at least 200 individuals, let alone those who depend on them. Now if you think the digital safety off 200 isnt comparable to the digital safety of say, 200,000, well. “It is with the first link that a chain is forged”.
Look, Nothing against you, you dont seem to have a systems exposure i do. Im not a fullstack dev, maybe you are and its fair to just see your own machine and expect everything else to work.
Car builders and bridge builders see different problems to solve, and see risks differently too.
I'm saying the modes of failure and effects are different. Digital safety and protecting people's lives are two different things. Both important, but different. But even besides that, you ought to be using a different tool for that.
Is it fine to have the server I use for my personal site and projects use a dynamic motd, perhaps even reach out to the network? Yeah. It can be useful. Should a CA signing machine do that? Obviously not.
I'm saying that acting like one is unambiguously better for being less featureful is wrong. That's all.
I reread what i wrote and it can comeoff as condescending, though it wasnt meant that way. I meant to actually say is that my attitude is specifically forged by my experience.
What you think is fine, i don't think is fine, because we see the use case from two different perspectives.
You also see benevolent usage, i see abuse potential. System security and usability are always at each other’s neck in a never ending act of balancing.
The number of people switching to BSD because of this is exactly 0.
Further, as an avid user of Ubuntu, who reaps the benefits of millions of work hours of Debian &/or Ubuntu employees, I'm ok with advertising whose source code I can audit, and modify even.
And to think that the majority of dissenters are commenting from their closed source Macs & iPhones, or their equivalent commerical competitors, on Google funded browsers tracking their every click, is all a little ironic
Even if everything you wrote is 100% true (and I think it is), that's all tangential. The point is that nobody should be curling anything in a login script, not "HAHA DERP BSD BETTER".
People having emotional reactions as if some tribe they imagine they belong to has been insulted by someone else who they imagine belongs to some other imaginary tribe, instead of just, "yeah that's wrong nobody should do that, let's do better" has always been one of the most off-putting things to me about the whole free software community, such as it is. It was annoying on Usenet in the mid-'90s, it was obnoxious whenever RMS prioritized that sort of thinking over actually just turning the other cheek and making the world a better place, and wow does it not do anyone any good decades later.
My theory is that people get sucked into these black holes of rational thought because, like me, a lot of people drawn to the open source world tend to be obsessive introverts who often feel more comfortable with computers than people, and like me, are susceptible to getting sucked into feelings of belonging and camaraderie with often imaginary subcultures/tribes/families online or elsewhere, when in reality the only common thread is they're random people from mailing lists trying to work together towards a very narrow range of common goals.
The instant people get sucked into the dark side, next thing you know they're going around IRL saying stuff like "ACTUALLY it's guh-noo SLASH lee-nooks and anything else is disrespectful and I will personally feel disrespected by anyone who defies me". And then all is lost and this whole thing becomes a net negative for everyone involved. No fun, no fun at all. Nobody should feel personally insulted by anyone pointing out obvious technical flaws in anything really, including their own work, but certainly not in open source operating systems that they may or may not even contribute to.
> The number of people switching to BSD because of this is exactly 0.
Perhaps. There is at least one person who is now less likely to use Ubuntu after learning this: me. I have typically used a mix of Debian and Ubuntu for both desktop VMs and servers; now I am more likely to use Debian, which takes a significantly stronger privacy stance.
I am commenting from an iPhone though. Safari is not Google funded and does not track every click, but I do believe that Apple is getting the kind of OS version stats that Ubuntu’s motd script sends. Relatively tame for commercial software, honestly, but Linux is a different story.
This is just yet another quite literal example of how many GNU/Linux distros are becoming more like Windows - they do all sorts of things now that they were never asked to do, and it's up to us to fix things after a clean install.
> many GNU/Linux distros are becoming more like Windows
And others aren't. Though I disagreed with the SystemD move, I've quite enjoyed arch for years. There are also some excellent other options, for instance, Alpine is a Musl/Busybox/Linux distro that works great on old machines. I think most Linux users will move to a different Linux before moving to BSD for comfort reasons.
True enough, but if the distro I used did that, I would move elsewhere. That distro only updates /etc/motd when the first line contains 'Linux', otherwise it is left untouched. The update only is changing the first line to the the output of "/bin/uname -sr"
> Further, as an avid user of Ubuntu, who reaps the benefits of millions of work hours of Debian &/or Ubuntu employees, I'm ok with advertising whose source code I can audit, and modify even.
Despite all of this, the number of people switching from Win/Mac to Linux is in negative territory. Why? Because they first advertise their switch on a blog-post or Twitter, then they later realize that they can't do basic tasks or keep up with new features added on Windows and Mac. They then have to live with half-working unstable hacks which they then ultimately switch back or dual boot.
It's a bit misleading for Ubuntu to call itself "open-source" and "privacy respecting" when they're teaming up with Amazon planting adware and telemetry in the OS, which gives the impression that they already abandoned the idea of "privacy".
The functionality is included in the "base-files" package, which has a priority of "required" and is marked as an "essential" package. Thus, if you have an Ubuntu instance, it's nearly 100% guaranteed this is installed and enabled by default.
(If memory serves, this was added in 17.04 or thereabouts.)