Best practices by Dustin Kirkland https://manpages.ubuntu.com/manpages/focal/en/man5/update-motd.5.html
- No mention of curl running as root - No mention of the exfiltration of private data done via User-Agent - No mention of the novel concept of advertising via motd - No mention of using motd-news as telemetry - No mention that motd-news is part of core Ubuntu "base-files" and cannot be removed Feel free to guide me to the correct info on your website or update your documentation. Additional discussions on Twitter https://twitter.com/lusis/status/880446088083329024 https://twitter.com/astarrb/status/880170781841514496 https://twitter.com/lelff/status/1210619413885575168 https://twitter.com/hessu/status/1269994718018056199 https://twitter.com/nikitonsky/status/1073714951104184320 https://twitter.com/wamdamdam/status/1044197012353298433 https://twitter.com/marcodavids/status/1245054456955314178 ... -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to base-files in Ubuntu. https://bugs.launchpad.net/bugs/1867424 Title: motd-news transmitting private hardware data without consent or knowledge in background Status in base-files package in Ubuntu: Won't Fix Bug description: In package base-files there is a script /etc/update-motd.d/50-motd- news that harvests private hardware data from the machine and transmits it in the background every day. There is no notice, no consent, no nothing. This should be by default disabled until there is informed consent. This solution is simple: 1. Change ENABLED=1 to ENABLED=0 in the file /etc/default/motd-news and 2. Place a comment in the file disclosing the fact that the 50-motd-news script will harvest private hardware data and upload it to motd.ubuntu.com daily if the end-user enables it. Creating databases that maps ip address to specify hardware is a threat to both privacy and security. If an adversary knows the specific hardware and the ip address for that hardware their ability to successfully attack it is greatly increased. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
