Posted to legal-discuss@apache.org by Makoto Yui <my...@apache.org> on 2017/06/05 09:44:31 UTC

Apache Ignite is collecting usage statistics (?)

Hi,

My colleague found that Apache Ignite is periodically accessing [1].
[1] https://ignite.run/update_status_ignite-plain-text.php

It is enabled by default. We evaluated
org.apache.ignite:ignite-core:1.9.0.

The corresponding code is [2]
[2] https://github.com/apache/ignite/blob/1d0b0765134a81e6626a9ef1c70939085f954847/modules/core/src/main/java/org/apache/ignite/internal/processors/cluster/ClusterProcessor.java#L81-L82

It does check whether Ignite is the latest version or not, maybe with
usage tracking (?).
JVM env variables [3] should not be posted because they may include
sensitive information such as passwords.
[3] https://github.com/apache/ignite/blob/1d0b0765134a81e6626a9ef1c70939085f954847/modules/core/src/main/java/org/apache/ignite/internal/processors/cluster/GridUpdateNotifier.java#L313

Is this allowed in the ASF's policy?
I guess old code from before the contribution to the ASF still remains, though.

Thanks,
Makoto

-- 
Makoto YUI <myui AT apache.org>
Research Engineer, Treasure Data, Inc.
http://myui.github.io/

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org
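
The two concerns raised in the message above (a call home that is on by default, and JVM properties in the posted data), as an added example that is not part of the original post and is not Apache Ignite's code. The class name `UpdateCheckPayload`, the opt-in property `example.updatecheck.enabled`, the `ver` parameter and the `db.password` sample are assumptions made for illustration; the sketch uses JVM system properties.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Properties;
import java.util.stream.Collectors;

/** Hypothetical helper, not Ignite code: opt-in update check that posts allowlisted properties only. */
public class UpdateCheckPayload {
    /** Assumed opt-in switch; when it is absent no request body is produced at all. */
    static final String OPT_IN = "example.updatecheck.enabled";

    /** Only these non-secret keys may leave the host; every other property is dropped, not masked. */
    static final List<String> ALLOWED = List.of("java.version", "java.vendor", "os.name", "os.arch");

    /** Returns the form body for the version check, or empty when the user has not opted in. */
    static Optional<String> formBody(String productVer, Properties props) {
        if (!Boolean.parseBoolean(props.getProperty(OPT_IN, "false")))
            return Optional.empty();

        Map<String, String> fields = new LinkedHashMap<>();
        fields.put("ver", productVer); // "ver" is an assumed parameter name
        for (String key : ALLOWED) {
            String val = props.getProperty(key);
            if (val != null)
                fields.put(key, val);
        }
        return Optional.of(fields.entrySet().stream()
            .map(e -> enc(e.getKey()) + "=" + enc(e.getValue()))
            .collect(Collectors.joining("&")));
    }

    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample: a secret passed as -Ddb.password=... next to harmless properties.
        Properties props = new Properties();
        props.setProperty("java.version", "1.8.0_131");
        props.setProperty("os.name", "Linux");
        props.setProperty("db.password", "s3cr3t");

        if (formBody("1.9.0", props).isPresent())
            throw new AssertionError("update check must be off unless opted in");

        props.setProperty(OPT_IN, "true");
        String body = formBody("1.9.0", props).orElseThrow();
        System.out.println(body);
        if (body.contains("s3cr3t") || body.contains("db.password"))
            throw new AssertionError("secret leaked into update-check body");
    }
}
```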


Re: Apache Ignite is collecting usage statistics (?)

Posted by Konstantin Boudnik <co...@apache.org>.
Completely agree with the settlement and this will be dealt with on both
dev@ and private@ of the project.

Cos
--
  Take care,
Konstantin (Cos) Boudnik
2CAC 8312 4870 D885 8616  6115 220F 6980 1F27 E622

Disclaimer: Opinions expressed in this email are those of the author,
and do not necessarily represent the views of any company the author
might be affiliated with at the moment of writing.


On Mon, Jun 5, 2017 at 6:58 PM, Makoto Yui <my...@apache.org> wrote:
>> Konstantin,
>
> I think enabling user tracking itself (or sending user information) by
> default could be an evil behavior.
> It would be okay for enterprise software but is not expected behavior
> for OSS software.
>
> For users, it would be unexpected network traffic to 'ignite.run' in
> the background.
> https://whois.icann.org/en/lookup?name=ignite.run
>
> Security (sending ENV variables) is another distinct issue.
>
>> Roman,
>
> I'll file it to <se...@apache.org>. Thanks!
>
> Makoto


Re: Apache Ignite is collecting usage statistics (?)

Posted by Makoto Yui <my...@apache.org>.
> Konstantin,

I think enabling user tracking itself (or sending user information) by
default could be an evil behavior.
It would be okay for enterprise software but is not expected behavior
for OSS software.

For users, it would be unexpected network traffic to 'ignite.run' in
the background.
https://whois.icann.org/en/lookup?name=ignite.run

Security (sending ENV variables) is another distinct issue.

> Roman,

I'll file it to <se...@apache.org>. Thanks!

Makoto

2017-06-06 9:22 GMT+09:00 Konstantin Boudnik <co...@apache.org>:
> IANAL, but as far as I could tell the ASF doesn't dictate what and how a
> project should implement the handling of the security data. That's
> largely up to the PMC and the community to deal with issues like
> this. Hence, I urge you to open a JIRA ticket against Apache Ignite
> and move the discussion there.



-- 
Makoto YUI <myui AT apache.org>
Research Engineer, Treasure Data, Inc.
http://myui.github.io/



Re: Apache Ignite is collecting usage statistics (?)

Posted by Makoto Yui <yu...@gmail.com>.
Konstantin,

Thank you for creating a ticket. Will monitor it.

Makoto

2017-06-06 10:50 GMT+09:00 Konstantin Boudnik <co...@apache.org>:
> Makoto, I have created IGNITE-5413 to track this issue. Thanks for reporting!


Re: Apache Ignite is collecting usage statistics (?)

Posted by Konstantin Boudnik <co...@apache.org>.
Makoto, I have created IGNITE-5413 to track this issue. Thanks for reporting!
--
  Take care,
Konstantin (Cos) Boudnik
2CAC 8312 4870 D885 8616  6115 220F 6980 1F27 E622

Disclaimer: Opinions expressed in this email are those of the author,
and do not necessarily represent the views of any company the author
might be affiliated with at the moment of writing.


On Mon, Jun 5, 2017 at 5:22 PM, Konstantin Boudnik <co...@apache.org> wrote:
> IANAL, but as far as I could tell the ASF doesn't dictate what and how a
> project should implement the handling of the security data. That's
> largely up to the PMC and the community to deal with issues like
> this. Hence, I urge you to open a JIRA ticket against Apache Ignite
> and move the discussion there.


Re: Apache Ignite is collecting usage statistics (?)

Posted by Konstantin Boudnik <co...@apache.org>.
IANAL, but as far as I could tell the ASF doesn't dictate what and how a
project should implement the handling of the security data. That's
largely up to the PMC and the community to deal with issues like
this. Hence, I urge you to open a JIRA ticket against Apache Ignite
and move the discussion there.

Cos
--
  Take care,
Konstantin (Cos) Boudnik
2CAC 8312 4870 D885 8616  6115 220F 6980 1F27 E622

Disclaimer: Opinions expressed in this email are those of the author,
and do not necessarily represent the views of any company the author
might be affiliated with at the moment of writing.




Re: Apache Ignite is collecting usage statistics (?)

Posted by Roman Shaposhnik <ro...@shaposhnik.org>.
Hi Makoto!

Thanks for the report. I don't see it so much to be a legal issue as
to be a security issue. With an additional angle of being really
obnoxious to the users (but arguably a lot of software is).

Can you please forward your request to security@apache.org just to make
the ASF-wide security team aware of this?

This is especially suspect given ignite.run doesn't have any ownership
information associated with it and appears to be a random GoDaddy
domain name.

Thanks,
Roman.
