On 2024-06-19 at 14:50:42, Jeff King wrote: > On Wed, Jun 19, 2024 at 04:01:57PM +0200, Christian Couder wrote: > > > One possibility is to send just the `sysname`, described as 'Operating > > system name (e.g., "Linux")', field of the struct utsname filled out > > by uname(2) by default. > > That would be better to me. I still don't love it, but I admit it's > coming more from a knee-jerk response than from some rational argument > against people knowing I run Linux. > > Since HTTP user-agent fields are common, we can look at those for prior > art. curl sends its own version but nothing else. Most browsers do seem > to include some OS information. My version of firefox gives its own > version along with "Linux x86_64". So basically "uname -sm". If we choose to enable this, this is the right level of detail, yeah. We could also allow a distributor to set this value at compile time, much like Debian does for Postfix and OpenSSH. For Postfix, it's simply "(Debian)", which doesn't give much information. To me as a server administrator interested in statistics, it's useful to me to know OS name and version (as in, how many users are still using an ancient version of CentOS?), since that tells me about things like supported TLS versions which is helpful, but as a user I don't think that's an appropriate level of detail to share. And I also worry about fingerprinting and tracking, which is a giant problem with HTTP user-agents. This is especially true if you're using something like FreeBSD RISC-V, which is just not that common. > > And then there might be a knob to deactivate it completely or to make > > it more verbose (which might be useful for example in a corporate > > context). > > Yes, I think we should definitely have an option to suppress or override > it, just like we do for the user-agent string. I definitely think we should have both. I'm sure we'll have some server maintainer or repository administrator who tries to reject "bad" OSes (like someone who doesn't like their employees using WSL, for example). We've already had people propose to reject access based on the version number in the name of "security", despite the fact that most Linux distros just backport security patches and thus the version number is not usually interesting in that regard. Again, HTTP user-agents tell us that people will make access control decisions here even though they should not. We'll want to honour people's decisions to remain a mystery or to work around broken server implementations, or just to make it harder to track or fingerprint them. I also think the documentation should state that for the user-agent and os-version fields that they are merely informative, can be changed, and MUST NOT be used for access control. That doesn't mean people will honour it, but it does mean that we can and should feel free to break implementations that don't comply. -- brian m. carlson (they/them or he/him) Toronto, Ontario, CA
Attachment:
signature.asc
Description: PGP signature
