profile
viewpoint
Petros Angelatos petrosagg @balena-io Seattle, WA https://petrosagg.com Founder of @balena-io

petrosagg/armv7hf-python-dockerhub 43

ARM docker image that builds python from source on dockerhub

balena-io/node-lkl 25

NodeJS native bindings to the Linux Kernel Library project

esarafianou/harmonise.it 5

Practice music harmony rules online

petrosagg/bitcoin-coinflip 2

Flip a coin on the Bitcoin Blockchain.

petrosagg/docusign-bypass 2

Bypass DocuSign's nonsense policy that disallows printing and other actions

petrosagg/BulletJS 1

Bullet port in Javascript

petrosagg/deniable-fde 1

An implementation and proof of a plausible deniable full disk encryption scheme based on Linux

startedrust-lang/datafrog

started time in 6 days

startedkingluo/pgcat

started time in 6 days

issue commentbalena-io/docs

Document weirdness around Go and non-MMX CPUs

I think that's right. Trong can answer this with certainty

On Fri, Feb 7, 2020, 10:50 Gareth Davies notifications@github.com wrote:

I'm going to guess this is no longer relevant given we are several Golang versions past this and also likely referencing legacy base image?

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/balena-io/docs/issues/344?email_source=notifications&email_token=AAHFLHGUGXAPG5RIZ56LYP3RBWUNRA5CNFSM4CTVOZYKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOELEEVOY#issuecomment-583551675, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAHFLHGCAIR6LIKRJ3XUJULRBWUNRANCNFSM4CTVOZYA .

petrosagg

comment created time in 10 days

startedkeybase/saltpack

started time in 12 days

startedsmallstep/certificates

started time in 13 days

startedytdl-org/youtube-dl

started time in 20 days

startedarendst/Tasmota

started time in 25 days

startedct-Open-Source/tuya-convert

started time in 25 days

CommitCommentEvent
CommitCommentEvent
CommitCommentEvent

push eventpetrosagg/papagal

dependabot[bot]

commit sha 23bd00e79db9acf228bf6fbe79526605327a2098

Bump lodash from 4.17.10 to 4.17.15 Bumps [lodash](https://github.com/lodash/lodash) from 4.17.10 to 4.17.15. - [Release notes](https://github.com/lodash/lodash/releases) - [Commits](https://github.com/lodash/lodash/compare/4.17.10...4.17.15) Signed-off-by: dependabot[bot] <support@github.com>

view details

Petros Angelatos

commit sha 00320f5f07253bc980c1aefd1c0e8b4a1a2be9ff

Merge pull request #9 from petrosagg/dependabot/npm_and_yarn/lodash-4.17.15 Bump lodash from 4.17.10 to 4.17.15

view details

push time in a month

PR merged petrosagg/papagal

Bump lodash from 4.17.10 to 4.17.15 dependencies

Bumps lodash from 4.17.10 to 4.17.15. <details> <summary>Commits</summary>

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

+33 -14

0 comment

1 changed file

dependabot[bot]

pr closed time in a month

push eventpetrosagg/papagal

dependabot[bot]

commit sha a2158f5afdccbbec2891edc3bae83246cf5e364f

Bump mixin-deep from 1.3.1 to 1.3.2 Bumps [mixin-deep](https://github.com/jonschlinkert/mixin-deep) from 1.3.1 to 1.3.2. - [Release notes](https://github.com/jonschlinkert/mixin-deep/releases) - [Commits](https://github.com/jonschlinkert/mixin-deep/compare/1.3.1...1.3.2) Signed-off-by: dependabot[bot] <support@github.com>

view details

Petros Angelatos

commit sha 8c86da79958510a593378f12ad4d21de35a8ad1c

Merge pull request #7 from petrosagg/dependabot/npm_and_yarn/mixin-deep-1.3.2 Bump mixin-deep from 1.3.1 to 1.3.2

view details

push time in a month

PR merged petrosagg/papagal

Bump mixin-deep from 1.3.1 to 1.3.2 dependencies

Bumps mixin-deep from 1.3.1 to 1.3.2. <details> <summary>Commits</summary>

  • 754f0c2 1.3.2
  • 90ee1fa ensure keys are valid when mixing in values
  • See full diff in compare view </details> <details> <summary>Maintainer changes</summary>

This version was pushed to npm by doowb, a new releaser for mixin-deep since your current version. </details> <br />

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

+33 -14

0 comment

1 changed file

dependabot[bot]

pr closed time in a month

push eventpetrosagg/papagal

Petros Angelatos

commit sha 88d9fd76094f7c50aec7dc911cfa193c5cfd3d85

implement starred messages Signed-off-by: Petros Angelatos <petrosagg@gmail.com>

view details

Petros Angelatos

commit sha 7097ec9522847fb0ce38fc4a3789ea9e49eb75b5

final details of star feature and better toolbar layout Signed-off-by: Petros Angelatos <petrosagg@gmail.com>

view details

Petros Angelatos

commit sha 2608a72e7607d4dacd44dc9a0600db8c8f85b1b2

bump version, update README Signed-off-by: Petros Angelatos <petrosagg@gmail.com>

view details

push time in a month

startedoutline/outline

started time in a month

startedMPC-SoK/frameworks

started time in a month

PR opened joshporter1/codenames

Add Greek dictionary
+570 -1

0 comment

2 changed files

pr created time in 2 months

push eventpetrosagg/codenames

Petros Angelatos

commit sha 2039145c824d2920093e1f926c837a5e5ead1124

add greek dictionary Signed-off-by: Petros Angelatos <petrosagg@gmail.com>

view details

push time in 2 months

create barnchpetrosagg/codenames

branch : greek-dict

created branch time in 2 months

fork petrosagg/codenames

👾 Realtime Codenames game that you can play on your phone, TV, or laptop

https://codewords.tv

fork in 2 months

startedjoshporter1/codenames

started time in 2 months

startedmui-org/material-ui

started time in 2 months

issue commentbalena-io/etcher

Opt in for error reports and usage statistics

@tcurdt to be clear I don't think GDPR is stupid, in fact I quite like it and even used my rights as an EU citizen. From our talk with lawyers it didn't sound like there need to be a notice just for loading content.

On loading the webpage, it is not a requirement to write the image. If you attempt to write one with no internet it will work just fine. We use the webpage to display a featured project while the write is happening. The featured project is a DIY project, usually with a raspberrypi, that our team has created for the users of etcher. For example currently it walks you through making a bluetooth sound receiver that connects to your stereo.

We believe that this is high quality content that helps both the users by presenting an interesting project and our organisation to continue funding the development of this project.

rradar

comment created time in 2 months

issue commentbalena-io/etcher

Opt in for error reports and usage statistics

@thefaj you can claim things about "most of the rest of us" as much as I or anyone else can. It's your personal opinion, I'll grant you that much.

Putting that aside, I didn't mean to sound patronizing and I apologize if I sounded that way. I'm pointing out that displaying a webpage inherently includes doing a TCP connection, just like when visiting a webpage. If you have a suggestion on how to do that I'd be very interested to hear the solution and even implement it, but as far as I know you can't load a webpage without a TCP connection from your IP.

rradar

comment created time in 2 months

issue commentbalena-io/etcher

Opt in for error reports and usage statistics

@tcurdt I just tried this myself with Etcher v1.5.70 and the "Anonymously report errors and usage statistic to balena.io" option disabled and I saw no connections to mixpanel, google, doubleclick, or any other analytics service. Can you retry your test with the latest version?

To be clear, there were connections to our static site, balena.io, which are used to display the featured project and are not sending tracking information.

And ask for users permission before exposing a users IP!

@rradar did Github ask you if you want to log your IP before connecting to Github? No, because this is how the internet works. Etcher loads a small content page from the internet as part of its functionality, you can't do that without doing a TCP connection just like you can't have a webpage on the internet without receiving connections from an IP address

rradar

comment created time in 2 months

startedcomnik/declarative-dataflow

started time in 2 months

startedjuxt/crux

started time in 2 months

issue commentbalena-os/meta-balena

Enable fstrim.timer by default

Why not just mount the filesystem with the discard option?

Ereski

comment created time in 2 months

pull request commentbalena-os/meta-balena

Enable sixaxis in bluez

@resin-jenkins test this please

zvin

comment created time in 2 months

startedTimelyDataflow/differential-dataflow

started time in 2 months

starteddgraph-io/dgraph

started time in 3 months

startedperkeep/perkeep

started time in 3 months

startedsveltejs/svelte

started time in 3 months

startedgraphql-rust/graphql-parser

started time in 3 months

startedn8n-io/n8n

started time in 3 months

startedAdapton/adapton.rust

started time in 3 months

Pull request review commentbalena-os/meta-balena

resin-supervisor: Fix for race condition when supervisor starts on boot

 runSupervisor() {         --restart=always \         --net=host \         --cidenv=SUPERVISOR_CONTAINER_ID \-        -v /var/run/balena-engine.sock:/var/run/balena-engine.sock \+        -v /var/run:/var/run \

I don't think we should switch to such a wide bind mount, who knows what issues can come up with conflicts between the two systems in /var/run. I also think we should go for @robertgzr's idea

ZubairLK

comment created time in 3 months

pull request commentgtklocker/security-class

Remove bitcoin tipping

Who owns this address? Also, no one has ever sent anything there

https://www.blockchain.com/bch/address/174aNr4bHZPbTgsm3xudqVKqjZYNPwKK28 https://www.blockchain.com/btc/address/174aNr4bHZPbTgsm3xudqVKqjZYNPwKK28

dionyziz

comment created time in 3 months

starteddavidpdrsn/juniper-from-schema

started time in 3 months

startedbalena-os/healthdog-rs

started time in 4 months

startedmgottschlag/vctools

started time in 4 months

issue commentbalena-io/etcher

Opt in for error reports and usage statistics

But don't assume and proceed, because then in some set of cases you do what the user does not want, which is a universally bad thing, regardless of the benefits to you or to other users.

@sneak we do not operate under a moral framework that includes "universally bad things". To see why this makes no sense, imagine someone really not wanting to see the color blue on their screen. According to you, all software should ask for consent before displaying the color blue, otherwise "in some set of cases you do what the user does not want". I expect that you'd assume and proceed in your software because the benefits of using colors in your product outweigh the annoyance of the people that don't like blue.

In a similar manner, we are weighing the annoyance of some people having to opt out with the benefits to everyone else from improving the software and we think this is the right way to approach this.

To be clear, we're fanatic on the way we approach this issue, not the outcome. In fact it's very possible that we end up making it opt-in. If we were sure about the outcome the issue would be closed.

It's just tiring having the same group people shouting and shouting as if they are some sort of moral oracle bringing justice to the world.

rradar

comment created time in 4 months

issue commentbalena-io/etcher

Opt in for error reports and usage statistics

Hiding behind an "is it illegal?" to mask the fact that you violate user consent is not something you should be doing. It is rude and immoral, and you should strive to conduct your business in an ethical and respectful fashion.

@sneak we are in agreement on this. The reason I brought up legality was only because there were claims that we are breaking the law, which had to be addressed. If you read my comment above I try to steer the conversation away from the legality and towards what is best for Etcher.

It turns out that collecting user data without explicit consent means that you end up violating the consent of your users in a fraction of cases where that's not what the user wants.

It is only "not a clear-cut decision" if you don't mind violating the consent of your users, which is a despicable stance, if indeed you hold it. Please default data collection to off. Ask users on a first launch with a modal, if you wish. But do not use the network without explicit permission.

The problem is that this decision is not in a vacuum. I could reformulate your statement as "It is only "not a clear-cut decision" if you don't mind ignoring the fraction of users that cannot use the software because of their peculiar setup." Is ignoring accessibility not despicable?

Doing things with a user's computer that they don't want makes your software malware.

This is not the widely accepted definition of the term malware. You are using it to have this extra "punch" in your message. That's not good faith discourse. From Wikipedia:

Malware (a portmanteau for malicious software) is any software intentionally designed to cause damage to a computer, server, client, or computer network.

But even ignoring that, how far can you stretch this definition? What is allowed for software to do on a user's computer in the first place? You say you shouldn't use the network, but one could say it shouldn't use the disk to store state, not take too much real estate on the screen etc.

There is a reason we are ok with some things but not others. This reason, at least for us, is not a deontological one. Since ethics have come up a lot, we are thinking under a consequential framework. When this decision was made we had concluded that having data opt-in will cause some damage to users that don't want to get tracked at all, but it would be less than the damage caused by not improving Etcher from error reports. That's it.

Everything else being equal I would choose no tracking every time too. But everything else is not equal.

Finally, the reason this issue has remained open is because we agree we should re-evaluate what the best state for Etcher is at the moment. For example, we understand that a lot of the big issues have already been fixed from previously collected data, and that at the current size of the user base it could be that the people that would opt-in make a representative sample. If we had a clear way forward I would have closed the issue stating our position.

We would be extremely happy if you could provide different angles from which you can make an argument between the inconvenience of opting out without a modal and better software without resorting to "This is bad, full stop" type of statements.

rradar

comment created time in 5 months

issue closedbalena-io/etcher

Option in settings to disable ad tracking (Revived)

  • Etcher version: Latest and ongoing
  • Operating system and architecture: Any
  • Image flashed: Doesn't matter
  • Do you see any meaningful error information in the DevTools? No need to.

This is Take 2 on an issue that has wrongfully been closed and locked now. We have the right to fight for our privacy, if an issue goes offtopic there are mods who are able to steer it into the right direction, no need to lock it directly. The issue in question is #2599 .

Etcher is currently showing tracking ads without the users consent and are also tracking people located in the EU which is against the GDPR, as pointed out by many other users on the old now wrongfully closed issue. They also do not show any warnings about this when showing those ads.

All we ask for is an option to turn this ad-tracking off, nothing more, yet Balena ignores such requests happily as of now. If this issue is once again ignored the GDPR will be informed of this action.

closed time in 5 months

EpicLPer

issue commentbalena-io/etcher

Option in settings to disable ad tracking (Revived)

@EpicLPer the issue was closed because the question was answered. The lock happened 16 days later after the issue went offtopic.

But to recap, the "tracking ads" are actually useful projects relevant to the community. We are not interested in removing them as they help both the users and us to continue fund the development of etcher.

Etcher is currently showing tracking ads without the users consent and are also tracking people located in the EU which is against the GDPR

Collecting anonymous data without consent is fine under GDPR. We have no intention of breaking any law and we have consulted our legal team to ensure that. You can my detailed comment here https://github.com/balena-io/etcher/issues/2766#issuecomment-531437542

EpicLPer

comment created time in 5 months

issue commentbalena-io/etcher

Opt in for error reports and usage statistics

@thefaj I have repeated this many times but for some reason you seem to ignore it. We're not using Google Analytics. We're only using Mixpanel and Sentry.

Secondly, we actually do send anonymous data and strip events from personal information. If you believe this is false you have to provide counter evidence. The code is there for you to inspect. Until then your claim means nothing.

This is a dangerous product made by unethical people.

Personal insults are not allowed in this community, please remove this comment. Next time there won't be a warning.

rradar

comment created time in 5 months

issue commentbalena-io/etcher

Option in settings to remove Ads

@rradar we don't consider the etcher featured project to be ads and we have no intention of removing them for reasons explained above.

Incidentally, this happened yesterday https://www.reddit.com/r/raspberry_pi/comments/dahfkq/balenasound_project_working/ . In case you wanted concrete evidence that these "ads" are not evil and benefit the community.

In any case, you're free to use whatever software you want. We'll be here if you change your mind :)

Locking the thread as it has gone offtopic

dhoney

comment created time in 5 months

startedrust-lang/rust-bindgen

started time in 5 months

Pull request review commentbalena-io/open-balena-vpn

logging improvements

 export class VpnManager extends EventEmitter {  	public start(): Bluebird<true> { 		this.process = spawn('/usr/sbin/openvpn', this.args(), {-			stdio: 'ignore',+			stdio: ['ignore', 'pipe', 'pipe'], 		});+		// proxy logs from the child process stdout/stderr+		this.process.stdout.pipe(es.split()).pipe(+			es.map((data: string) => {+				this.emit('log', VpnLogLevels.n, data);+			}),+		);+		this.process.stderr.pipe(es.split()).pipe(+			es.map((data: string) => {+				this.emit('log', VpnLogLevels.W, data);+			}),+		);

If you're not going to do further processing it's better to do a on('data', ..) handler after you pipe to es.split. This will make the stream flowing and you don't have to use es.map.

However, this is not a good way of handling logs because there is no backpressure mechanism. If for whatever reason we get flooded with logs it will just accumulate in RAM.

Not for this PR, but logs should be normal streamed piped end-to-end without going through simple event emitters.

wrboyce

comment created time in 5 months

Pull request review commentbalena-io/open-balena-vpn

logging improvements

 export class VpnManager extends EventEmitter {  	public start(): Bluebird<true> { 		this.process = spawn('/usr/sbin/openvpn', this.args(), {-			stdio: 'ignore',+			stdio: ['ignore', 'pipe', 'pipe'], 		});+		// proxy logs from the child process stdout/stderr+		this.process.stdout.pipe(es.split()).pipe(+			es.map((data: string) => {+				this.emit('log', VpnLogLevels.n, data);+			}),+		);+		this.process.stderr.pipe(es.split()).pipe(+			es.map((data: string) => {+				this.emit('log', VpnLogLevels.W, data);+			}),+		);

Is this stream in flowing mode? We have to make sure it doesn't buffer forever

wrboyce

comment created time in 5 months

issue commentbalena-io-projects/balena-wpe

Add support for Pimoroni Hyperpixel 4.0

@philletourneau the hyperpixel screen, once configured, should work our of the box with balena-wpe. Apparently our raspberrypi images don't include the overlay by default, see https://github.com/balena-os/balena-raspberrypi/issues/221. But in the meantime you can test this by adding the overlay in the overlays/ directory in the boot partition of your SD card and then enabling the right config.txt options through the balenaCloud dashboard

philletourneau

comment created time in 5 months

issue commentbalena-os/balena-raspberrypi

Hyperpixel not working

@shaunmulligan @floion can we include the hyperpixel overlay to our images? It looks pretty popular

drewcovi

comment created time in 5 months

issue closedbalena-io/etcher

Setting for offline mode (don't transmit any data)

Would be great if etcher could be used offline.

Actually it can be used offline already. But it would be great if etcher would have setting to don't tell x companies in y countries that I flash a image right no with etcher.

This is some related to #2766 and #2599 or this https://forums.balena.io/t/serious-privacy-concerns-with-etcher-1-4-4 for example.

The setting could be called:

Comply with EU Laws

closed time in 5 months

rradar

issue commentbalena-io/etcher

Setting for offline mode (don't transmit any data)

since the conversation has derailed again about making the data collection opt-in versus the current opt-out situation I'll close this issue in favour of #2766

For anyone reading the thread from the future, a setting for offline mode already exists in the settings page of Etcher.

rradar

comment created time in 5 months

issue commentbalena-io/etcher

Setting for offline mode (don't transmit any data)

Agreed. Too many developers assume that surveillance is acceptable. “Ethics” needs to be a requirement in computer science courses.

@thefaj totally agreed, ethics absolutely need to be taught. So many people make the mistake of assuming their ethical framework is the only right one and imposing it on others. Very annoying when it happens.

There is no acceptable reason to have this malware in the app.

There is no malware in this app. Stop using words in the wrong way to make the issue sound worse. We are collecting anonymous usage data that has unquestionably helped fix all sorts of bugs in Etcher and made it a better app. You might even be benefiting from all this as you use it!

(And how does somebody “accidentally” include a third party library?)

That's a good question. The way this happened is because etcher loads some content from the internet inside an iframe. This content lives in our marketing website, balena.io, that includes google analytics and other libraries.

Unfortunately, the static site generator we use included these libraries in all the pages, including the ones loaded by etcher, which is how they accidentally got loaded.

We have fixed the inclusion of these now and are preparing for a new release

rradar

comment created time in 5 months

issue commentbalena-io/etcher

Setting for offline mode (don't transmit any data)

@petrosagg etcher transfers a hell lot of (unnecessary and probably illegal in Europe) data to various company's over existing network connections. Best is to call this a bug (your lawyers will tell you same)...

There we go again with the illegal claims. No, not all data transfers are illegal, you're wrong on that. We are in fact (including me personally) talking with our lawyers and that's not the case. We're spending time money and effort to ensure that we are compliant with all legislation. If you have a legal claim at least make the research and claim something specific.

Problem is there is NO reason for the user to give etcher any access to the internet at all. If I turn my network connection physically off (turning wifi off and/or unplug my ethernet) etcher will just burn the image and verify it like it should. Same is using etcher witch little snitch or open snitch (app based firewall) and block all network access and therefor block all unauthorized calls.

We never claimed that internet access is required to flash. Of course Etcher works without internet, I'm not sure what argument you're trying to make. The reason we're collecting usage data is to ensure there are no regressions or new bugs in the wild. I've analysed the rationale multiple times in other issues. If a user cares about Etcher there is a legitimate argument to be made that allowing internet access helps a project that you like. And again, we're talking about anonymous usage data here.

Users have undoubtedly benefited from our continued effort to reduce error reports from Etcher. You might not care about other users, that's ok. You might not care that Etcher is as robust as it is, that's also ok. But we care about both of these things which is why the defaults are what they are. You can always change the behaviour in your settings page and Etcher will respect it.

This is just not acceptable. Not to balena, not to google, not to anyone. All data belongs to me, all data stays on my device. Easy? easy!

This is, like, you know, your opinion. Which for the millionth time, is 100% respected and welcomed. Please disable data collection from your settings. Easy? easy!

rradar

comment created time in 5 months

issue commentbalena-io/etcher

Setting for offline mode (don't transmit any data)

The opt-in discussion is happening in #2766. I'll keep this issue open for a while in case @rradar meant something other than the setting that already exists.

rradar

comment created time in 5 months

issue commentbalena-io/etcher

Mixpanel, Google Analytics, etc spyware!!!

locking in favour of #2766

thefaj

comment created time in 5 months

issue commentbalena-io/etcher

Mixpanel, Google Analytics, etc spyware!!!

you have no intention to fix it.

I fail to see how an open issue about discussing making it opt-in is "no intention to fix it" but I can't help with that :)

thefaj

comment created time in 5 months

issue commentbalena-io/etcher

Mixpanel, Google Analytics, etc spyware!!!

I'm well aware of what Mixpanel and Google Analytics are capable of.

As I mentioned above, we're not using Google Analytics

An IP address is personal information.

That's true, which is why we don't log the IP addresses https://help.mixpanel.com/hc/en-us/articles/360000679006-Managing-Personal-Information#disable-geolocation-tracking

This is about basic user respect—privacy and security are not about avoiding ad networks.

There are many aspects of caring for the users. Having a robust piece of software that cares about fixing obscure edge cases in one of them. Respecting their privacy and security considerations is another one.

Etcher currently does both. You can disable data collection from your settings page if that's what you want. This option exists and will continue to exist.

If you have a constructive comment about how to balance performance and error report benefits with making the data collection opt-in benefits please join the discussion on #2766

Shouting your moral positions on what is the right thing and hugely misrepresenting reality (calling Etcher spyware is absurd in so many levels) won't get very far. You have to acknowledge that both options are damaging users in some way. It maybe be a clear choice for YOU, but we care about the users as a whole, not who shouts the loudest.

thefaj

comment created time in 5 months

issue commentbalena-io/etcher

Mixpanel, Google Analytics, etc spyware!!!

There's nothing anonymous about including Google Analytics or Mixpanel.

As detailed in #2766, Google Analytics was included unintentionally and is being removed.

Anything sent over is personally identifiable data

No, this couldn't be more wrong. Personally Identifiable Data is data that you can give to someone and tell you "this looks like thefaj". It's not a subjective opinion you have over the data. If Etcher loads mixpanel and starts sending random numbers as events, it's not personal. If Etcher loads mixpanel and sends the time it took to flash a card of a particular size, it's not personal. If Etcher loads mixpanel and sends the username of your computer, it's personal.

As also detailed in #2766, we're not interested in personally identifiable data. We don't care what images you write or when you wrote them. What we care about is "Did this new release of etcher perform as well or better than the previous version?".

I'd say you should keep this issue open since it makes it more apparent to users that you're giving their personal information over to many large surveillance companies without their knowledge.

I'm sorry, but you're misrepresenting reality. We're only using Sentry (for when Etcher crashes) and Mixpanel (to track things like flashing speed, success to failure ratios, etc). We're neither sending personal data nor selling to any nefarious ad network to sell you stuff.

thefaj

comment created time in 5 months

issue commentbalena-io/etcher

Setting for offline mode (don't transmit any data)

@rradar @thefaj Etcher already supports this by turning data collection off in the settings panel. There is a bug with the data collection libraries that results in a single HTTP request when you require() the library. We're fixing this problem by only requiring the dependency if the checkbox in the settings page is checked. This will be released in the following days.

Is there something else this issue is referring to?

rradar

comment created time in 5 months

issue commentbalena-io/etcher

Opt in for error reports and usage statistics

Easy! I want to flash complete privately. #2890

@rradar I think we're confusing what this issue is about. You can already disable usage statistics from your settings so if you want to flash completely privately by all means use this feature. It's why we put it there in the first place.

The only current bug with the feature, which we are working on right now and we'll release a fixed version in the following days, is that some libraries make a call to a remote server even if you merely require() them, without doing any API calls.

But please try to keep the discussion on point. What we're discussing here is if anonymous usage statistics should be opt-in. User choice is and will continue to be a feature of Etcher.

rradar

comment created time in 5 months

issue commentbalena-io/etcher

Option in settings to remove Ads

@Kurgol we care about the users of Etcher as a whole. I have explained the reasoning of the decision for this in #2903, but I will elaborate a bit more.

I assume you would agree that an abandoned project would be a bad outcome for Etcher users. Doing that would be not caring about our users. The fact of the matter is that 98.5% of all commits ever made to Etcher is from balena employees. You can't just ignore this fact.

This is the reason that it's excellent and will continue to be. I understand that you may not like being shown a tutorial for a project while flashing a card, but you have to acknowledge that the continued investment in the development of Etcher is directly benefiting the users.

Removing the featured project would be not caring about Etcher having a sustained future. If there is an argument why the featured project making more damage than good for the average user we'd be very interested to hear. Acting on the will of a single user while ignoring everyone else is akin to doing statistical claims using anecdotes.

On GDPR, please see the detailed comment here https://github.com/balena-io/etcher/issues/2766#issuecomment-531437542.

dhoney

comment created time in 5 months

issue closedbalena-io/etcher

Mixpanel, Google Analytics, etc spyware!!!

  • Etcher version: 1.5.x
  • Operating system and architecture: Mac
  • Image flashed: Yup
  • Do you see any meaningful error information in the DevTools? Nope

Why is this app sending my private data to Mixpanel, Google Analytics, Google Tag Manager, and resin.io without my knowledge???

RESPECT USER PRIVACY and tell us why you want to send our personally identifiable data to these surveillance companies. Then give us the ability to OPT IN.

closed time in 5 months

thefaj

issue commentbalena-io/etcher

Mixpanel, Google Analytics, etc spyware!!!

@thefaj see the detailed response here https://github.com/balena-io/etcher/issues/2766#issuecomment-531437542 but the tl;dr is that we intend to collect anonymous usage data for the improvement of etcher. Any personally identifiable data sent is a bug and we're currently investigating with our legal team which data is PII and which isn't.

Closing as duplicate of #2766, let's keep the discussion in one place

thefaj

comment created time in 5 months

issue closedbalena-io/etcher

Remove or create opt-in setting for advertisements

  • Etcher version: 1.4.9+
  • Operating system and architecture: any
  • Image flashed: any
  • Do you see any meaningful error information in the DevTools? no

I'd like the team to consider removing ads from the tool. If not, consider making ads opt-in via the settings panel. I find the advertisements distracting and annoying when monitoring image flash progress.

Partial workaround to remove some of the advertisements:

  • In ${XDG_CONFIG_HOME}/balena-etcher-electron/config.json, add this line: featuredProjectEndpoint": "http://127.0.0.1"

The discussion began in issue #2599, but got closed referencing #2766, which I find to be a completely separate issue about data tracking.

Since the original question about removing the feature projects was addressed and the discussion moved to data collection concerns I'm closing this in favour of #2766

It was discussed, but the team did not make any announcements / decisions about this, leaving it an open question / feature request.

closed time in 5 months

nyanshak

issue commentbalena-io/etcher

Remove or create opt-in setting for advertisements

It was discussed, but the team did not make any announcements / decisions about this, leaving it an open question / feature request.

Indeed the previous thread was a bit messy and I should have been a bit clearer on what the resolution was.

As my co-founder Alex commented here, we consider the featured project page to be meaningful and interesting to the people that use etcher while at the same time helping promote our products that help fund the development of etcher. What we include there is high quality content carefully built by our team that guides you through building a particular project. The gap between this and irrelevant ads from an ad network is vast.

For the above reasons we are not interested in removing it or making it opt-in for the time being.

nyanshak

comment created time in 5 months

issue closedbalena-io/etcher

Option in settings to remove Ads

  • Etcher version: 1.4.9
  • Operating system and architecture: Mac OSX
  • Image flashed: fincm3
  • Do you see any meaningful error information in the DevTools? No

<!-- You can open DevTools by pressing Ctrl+Shift+I (Ctrl+Alt+I for Etcher before v1.3.x), or Cmd+Alt+I if you're on Mac OS. -->

I would like the team to consider adding a feature in the settings panel to choose not to show the Ads that show up in Balena-Etcher when flashing an image. I find the functionality distracting and taking up unnecessary screen real estate when I'm monitoring my image flash progress.

Thanks!

closed time in 5 months

dhoney

issue commentbalena-io/etcher

Option in settings to remove Ads

Since the original question about removing the feature projects was addressed and the discussion moved to data collection concerns I'm closing this in favour of #2766

dhoney

comment created time in 5 months

issue commentbalena-io/etcher

Opt in for error reports and usage statistics (comply with European laws)

Hi everyone. I wanted to give an update to where we are with this issue. There are multiple issues raised so I will address them individually.

We should separate the discussion between what's legal and required by GDPR and requests that go beyond what the law requires. Specifically, GDPR requires opt-in consent for personally identifiable data, not for anonymous data collection. It is not our intention, nor is it useful for us, to collect personal identifiable information (see Purpose section bellow). So the first question is "Are we collecting personally identifiable information by mistake?" and the second question is "Is making the usage statistics opt-in the best decision for the project?"

Personal data collection

We conducted an extensive audit of all the data we collect from the Etcher application to make sure no personally identifiable data is collected by mistake. Collecting data by mistake might sound strange, but it can easily happen in a desktop application. For example, the mixpanel library will include information about the current system user by default when ran in an Electron app. Whenever we became aware of such issues in the past we prompty fixed them.

The results of our investigation showed that Etcher will make connection to the following systems:

Connection Included intentionally
Sentry YES
Mixpanel YES
Google Analytics (&doubleclick) NO
Go Squared NO
Facebook Pixel NO
Gstatic.com NO
jquery NO
Cloudfront NO
facebook.com/facebook.net NO

The large number of unintended connections happened as a side-effect of loading content from our balena.io website that includes these libraries automatically. Action item: We are removing all instances of those connections from Etcher

Furthermore, we audited all the data we collect to make sure none can be characterised as personally identifiable. To do this properly are consulting our EU based lawyers that can provide an expert opinion on what the GDPR and EU law in general requires. It is important to refrain from making legal claims unless someone is intimately familiar with the legislation. Unfortunately, there have been a number legal claims in this and other threads with questionable validity.

To make this extremely clear, we are taking the law seriously and are investing time, money, and effort, to consult experts in the field to guide us on this matter. We do this because it is the right thing to do. We've done it before (for balenaCloud) and we'll happily do it for all the products we offer.

Even though our conversation with our legal team is still ongoing we have identified a couple of cases where PII is sent to our data collection system. Sentry, our error collection tool, will log a stacktrace when Etcher hits a critical error that can potentially include a path in the system which includes the username of the user. The IP address of the event was also logged. Action item: We are fixing both of these problems and will remove or anonymise any data our legal team deems PII

Purpose of data collection

With the legal stuff out of the way, I wanted to touch on the reason we are collecting data which will hopefully help guide the discussion about whether it should be an opt-in or opt-out feature.

For most software engineers writing an image flashing application sounds easy. After all, at the very core it is a simple block copy operation that we've known how to do for ages. It can't possibly be that complex. However, this is far from the truth! After releasing etcher for the first time, and as the tool was gaining adoption we were seeing it run in more and more obscure combinations of systems. This produced a (very) long tail of issues that we couldn't have predicted or tested during development. It was through constant sieving through error reports and measuring success rates across deployed versions that we managed to reach the level of quality that you see today.

When we say that usage data helps develop etcher we're not talking about some abstract possibility. This is very real and has shaped the etcher we know and love. The list of bugs fixed is endless.

Discussion on making collection opt-in

With the full context fleshed out we can now re-engage in the discussion of making data collection opt-in. As mentioned above, we have to make the decision that is best for the project and somehow balance what the users expect from a privacy point of view with what the users expect from a robust piece of software point of view. Given the benefits we've already seen this is not a clear-cut decision. At the same time the userbase of Etcher has grown tremendously and one could argue that most issues have already been seen. Unfortunately I don't have a concrete way forward to offer just yet, but we haven't ruled it out as a possibility.

Finally, to further steer the discussion towards the right direction I will change the title of the issue to just the opt-in discussion. @rradar if you still think there is a legal issue please open a separate ticket clearly explaining the problem. Rest assured that we are working with our legal professionals to ensure we are not breaking the law.

rradar

comment created time in 5 months

more