>In addition, the team is working with renowned art historian and curator Dr. Lowery Stokes Sims, who is providing additional mentorship and professional development.
In art as in politics - nothing says grassroots like the additional mentorship and professional development by a renowned establishment member.
I recently implemented my own npm vulnerability audit tool for the CIO department of a major org - it just adds 'vulnerability' in red next to any npm-based project in their spreadsheet.
This is a losing proposition that will only lend credence to the inherently violent opt-out approach to data collection.
Instead how about a do-not-hire-or-collaborate-with registry of the individual contributors participating in projects that employ those tactics and see how they like trying to opt out of it.
Negative punishment will not work for this, you would be going after the symptom instead of the problem. Don't make it harder for people that write these changes, make it harder for people to force others to. There will always be another developer, and there's no guarantee you'll know their identities. If you're looking to bring attention and make a statement at the potential expense of others that's one thing, but practically speaking this approach can't work.
Practically speaking, that's the only approach that can.
Although it's often hard to tell, most software developers aspire to being treated like professionals rather than specialized serfs, and part of being a professional is accepting responsibility for your work.
Of course it doesn't preclude holding their employers responsible as well.
Netlify deleted my issue comment naming the developer who put `force: true` in their cli (sending a telemetry event when disabling telemetry) even though his name is still available in `git blame` in their public repo.
I completely disagree with your definition of spyware. A crash report, absent any PII, is not spyware to me, and does not require my advance consent to be sent.
You're entitled to your own definition, of course, but I hope that for the good of society as a whole, you and people with your tyrannical/authoritarian attitude toward issues that can (usually) be resolved civilly will never hold positions of power.
Crash reports contain memory dumps, and private information.
Additionally, they disclose client IP when submitting, which is city-level geolocation of a user of a particular piece of software.
They're fine if you get advance consent from the user before transmitting. Sending the contents of memory (especially after a crash, where it contains by definition unexpected things) is a serious security issue/data leak, if done automatically.
My position is the opposite of authoritarian: it's that these sorts of interactions should happen only with the full, informed, advance consent of both parties involved. Authoritarian is a good way to describe devs who feel completely entitled to all information about their software running on computers which they do not own or have any rights to.
> Crash reports contain memory dumps, and private information.
No, they don't. You're ascribing characteristics to them that they do not have. Maybe your crash reports have memory dumps and private information in them, but that means that they're poorly-engineered - there's nothing about a crash report that requires it to have that information in it. This should be clear to you, because you're a programmer.
> Additionally, they disclose client IP when submitting, which is city-level geolocation of a user of a particular piece of software.
Most people, including me, do not care about city-level geolocation information - and for those that do, Tor or a pastebin service are options. Again, you're ascribing certain characteristics to crash reports that they do not have, and you should know better, because you're a programmer, and being a privacy...enthusiast, you're certainly familiar with Tor.
> They're fine if you get advance consent from the user before transmitting.
...which leads to far less crash report data, insecure systems due to disabled auto-update, and selection bias in your telemetry data.
> Sending the contents of memory (especially after a crash, where it contains by definition unexpected things) is a serious security issue/data leak, if done automatically.
More assumptions that are false. Who said that a crash report has to contain a memory dump? A stack trace, complete with annotations that allow private data to be redacted, is both a useful crash report and will not leak any personal information.
> My position is the opposite of authoritarian
I was referring to an earlier comment you made:
> That is another website on my to-do list: one that names and shames spyware developers who create these commits.
This is authoritarian. Or tyrannical, if you like. The syntax doesn't matter - what matters is that you're attempting to use your power as an individual to try to impose your own beliefs on the majority. Beliefs which, by the way, are not held by the majority.
> Authoritarian is a good way to describe devs who feel completely entitled to all information about their software running on computers which they do not own or have any rights to.
This is blatantly false. You're perfectly free to not run any of this software - there's no "authoritarian" going on. You are free to rewrite whatever software you want, or, because most of the interesting stuff is open-source, fork it and remove the telemetry bits. Let me state it again: developers building some functionality into a tool is not authoritarian, as long as the user isn't compelled to use the software in the first place (which is true the overwhelming majority of the time).
You, meanwhile, are trying to force other people to change the software that they have been writing, according to your own whims. That's authoritarian.
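The redacted stack trace the reply above argues for, as an added example (not code from either commenter): frames keep file, line, function and local-variable names, but values are replaced by their type name, names the application marks as sensitive are blanked, and nothing is transmitted without an explicit consent flag. The `SENSITIVE_NAMES` set and the `sender` callable are assumptions for illustration.

```python
import traceback

# Constructed for this example: local-variable names the application treats
# as private. Their values never appear in a report, only the placeholder.
SENSITIVE_NAMES = {"password", "token", "email", "api_key"}
REDACTED = "<redacted>"


def _walk(tb):
    """Yield the frame object of each traceback level, outermost first."""
    while tb is not None:
        yield tb.tb_frame
        tb = tb.tb_next


def _redact_locals(frame_locals):
    """Record variable names and types only; values (raw memory) stay on the host."""
    out = {}
    for name, value in frame_locals.items():
        if name.startswith("__"):
            continue
        out[name] = REDACTED if name in SENSITIVE_NAMES else type(value).__name__
    return out


def build_crash_report(exc):
    """Serialise an exception as an annotated stack trace with no memory dump.

    The exception message is deliberately omitted: messages are often built
    from user input (file names, addresses) and would leak it.
    """
    frames = []
    for summary, frame in zip(traceback.extract_tb(exc.__traceback__), _walk(exc.__traceback__)):
        frames.append({
            "file": summary.filename,
            "line": summary.lineno,
            "function": summary.name,
            "locals": _redact_locals(frame.f_locals),
        })
    return {"type": type(exc).__name__, "frames": frames}


def submit_report(exc, consent_given, sender):
    """Send a report through `sender` (assumed transport) only with prior consent."""
    if not consent_given:
        return False
    sender(build_crash_report(exc))
    return True


def _crash(password="hunter2", count=3):
    raise RuntimeError("boom for " + password)


def make_report():
    """Produce a sample report from a constructed crash for inspection."""
    try:
        _crash()
    except RuntimeError as exc:
        return build_crash_report(exc)
```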
C# and F# are great examples of how MS is willing to allow people out of their ecosystem to use them with all their efforts with .NET Core and having it run places other than Windows.
npm is trivial to replace with yarn and a custom registry.
The word “boffin” is a colloquial British term for a smart person (conjuring up an image of someone in a white lab coat and glasses) and is used in an affectionate way. The British version of TheReg (.co.uk) often refers to boffins in this way. It’s probable that this piece was written by the British team and then reposted to the US site.
What are the odds that the chips that don't feature AMT/ME don't have it physically, as opposed to it just being crippled in firmware? In which case, if one is worried about government backdoors, this should alleviate exactly zero concerns.