Privacy issue #2037

[networkmanager] Connects to apollo.archlinux.org without asking to check for Connection.

vahidrezaborhani - almost 2 years ago. Updated over 1 year ago.

Status: confirmed
Priority: privacy issue
Assignee: -
% Done: 0%


Description

hi!
(sorry for my english)
/usr/bin/NetworkManager frequently connects to apollo.archlinux.org by default and without sending a warning or connection request to the user. (risk of leaking user IP)
networkmanager uses it for checking internet connection, so please disable it by default for user privacy.
tnx.

History

#1

Updated by freemor almost 2 years ago

  • Subject changed from [networkmanager] Please put your reasons here (register first if you haven't) to [networkmanager] Connects to apollo.archlinux.org without asking to check for Connection.
#2

Updated by bill-auger over 1 year ago

  • Priority changed from bug to privacy issue
  • Status changed from open to confirmed

i came across this while refactoring parabolaiso - that heartbeat URL is defined in /etc/NetworkManager/conf.d/20-connectivity.conf - i have added an analogous target file to the parabola repo web root, and set that as heartbeat URL for the LiveISOs

https://git.parabola.nu/parabolaiso.git/tree/configs/profile/root-image/etc/NetworkManager/conf.d/20-connectivity.conf?h=unified
https://repo.parabola.nu/check_network_status.txt

AFAIK that is a necessary part of the functionality - it's not clear if networkmanager would function properly without that phone-home feature

#3

Updated by eschwartz over 1 year ago

NetworkManager works fine without the "connectivity" check enabled, it will simply... not be able to perform connectivity checks to determine whether you are caught behind some silly wifi network's Captive Portal.

See:
https://jlk.fjfi.cvut.cz/arch/manpages/man/NetworkManager.conf.5#CONNECTIVITY_SECTION
https://wiki.archlinux.org/index.php/NetworkManager#Checking_connectivity

And note that it is possible to install a conf.d/ override which disables it, see NetworkManager.conf(5) for more details.

...

By default, the archlinux package for networkmanager is configured to perform this check, and to do so through a server controlled by archlinux.org

Note that this is NOT a privacy issue. In the past, access to this file was logged by archlinux.org, this was an accident as we don't intend to retain logs for something we have autoconfigured without asking users whether they wish to connect, and when we realized it was being logged by the nginx defaults, we explicitly disabled the access log via https://git.archlinux.org/infrastructure.git/commit/?id=68fbaca2ef9f31f624f117899848f4288d6b39d1

You are of course free to decide that you don't want to rely on our commitment to completely disable logging.

#4

Updated by bill-auger over 1 year ago

much like my recent reply to the request for an onion address for the website, this request ignores the fact that pacman necessarily "phones home" every time you use it - it would not work if it did not contact the distro's servers, and you could never upgrade the system - anyone who is paranoid about pinging a server that is operated by their distro, probably has not a full grasp of the "big picture" - if you do not trust your distro, then you already have a much larger problem than a simple ping to their webserver

i added the target file to the parabola server as not to ping the arch server - that was probably the appropriate thing to do anyways for any fork; and it should allow for any parabola system to be fully functional without ever communicating with any 3rd party servers - if it were necessarily communicating with any other 3rd party, i could accept that as a privacy bug

also, as the ping URL can be any other web page on the internet, anyone can of course retain this functionality privately, by changing it to point to a server that they operate; or as eli says, the feature can be disabled entirely by each user

lastly, network manager is not the only way to connect a parabola system to the internet - there are already alternatives provided, even some user-friendly ones, such as the wicd GUI tool
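
Added example, not part of the thread and not NetworkManager's or Parabola's own code: a small Python check that uses the `[connectivity]` keys documented in NetworkManager.conf(5) (`uri`, `enabled`, `interval`) to report which host a set of config files would make NetworkManager contact, covering both the conf.d override from #3 and the self-hosted URL from #4. The config texts, the `example.net` URL and the function name are constructed for illustration, and the caller is assumed to pass the files in the order NetworkManager reads them.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample inputs (not copied from any real system).
DISTRO_DEFAULT = """\
[connectivity]
uri=https://repo.parabola.nu/check_network_status.txt
"""
# Hypothetical local conf.d override that turns the check off.
OVERRIDE_DISABLE = """\
[connectivity]
enabled=false
"""
# Hypothetical override pointing at a server the user operates.
OVERRIDE_SELF_HOSTED = """\
[connectivity]
uri=https://connectivity.example.net/check.txt
interval=600
"""

def effective_connectivity(config_texts):
    """Merge [connectivity] from config texts given in the order they are
    read (later files override earlier ones) and report the outcome."""
    merged = {}
    for text in config_texts:
        parser = configparser.ConfigParser(interpolation=None)  # URIs may contain '%'
        parser.read_string(text)
        if parser.has_section("connectivity"):
            merged.update(parser["connectivity"])
    uri = merged.get("uri", "").strip()
    enabled = merged.get("enabled", "true").strip().lower() in ("1", "true", "yes", "on")
    interval = int(merged.get("interval", "300"))  # documented default: 300 s
    # Per NetworkManager.conf(5): a missing uri, enabled=false or
    # interval=0 each disable the connectivity check.
    active = bool(uri) and enabled and interval > 0
    return {
        "active": active,
        "host": urlsplit(uri).hostname if active else None,
        "interval": interval if active else 0,
    }

if __name__ == "__main__":
    for name, files in [
        ("distro default", [DISTRO_DEFAULT]),
        ("default + disable override", [DISTRO_DEFAULT, OVERRIDE_DISABLE]),
        ("default + self-hosted override", [DISTRO_DEFAULT, OVERRIDE_SELF_HOSTED]),
    ]:
        print(name, "->", effective_connectivity(files))
```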
