by fiddlerwoaroof 2175 days ago
Yeah, it sounds like they’re designing a way for package authors to get usage stats: imo, this extra piece of data doesn’t really help the server owners de-anonymize because it’s less identifying than the data the server is already collecting as an http server (especially if it’s in an unlogged part of the request like a header or a post body). But, even if it is a privacy risk relative to the server owners, it’s preferable that data derived from this uuid be shared with package authors, rather than IP-based data, because it’s based on a less-identifying datasource, which means that even if someone were to breach the database, they’d have less ability to de-anonymize people.

Also, I find this whole discussion to be somewhat irrelevant when talking about a service serving up arbitrary code to be executed on your machine: if you don’t trust the server owners, you really shouldn’t be executing the code they serve up.