Given what the telemetry sends over, it's better to keep it default on, so people that don't know what to chose will still contribute to their statistics.

Really, I'm annoyed at this modern "any telemetry is evil malware" movement.
Anonymous technical telemetry is ok and very useful, people should stop freaking out for the sake of it, this is fucking opensource.

You know what the telemetry software does EXACTLY because you see the source, so you're not justified in freaking out unless it does indeed something fishy. It's not like with closed source where any telemetry can be very bad because you don't know what it is sending home.

A Mid-tower ATX case, lol. For $350 I can buy a used iPhone and make phone calls. Can your build make phone calls? Or fit in your pocket?

Also a crap PSU, a crap SSD and he is forgetting 50-60$ to buy the cheapest shittiest AM4 CPU that is supported by the UEFi firmware so he can flash the latest version to run Raven Ridge APUs at all.

I didn't say it's evil and I don't believe Canonical is evil either, I'm just saying that it's nicer to give people a real choice by making it opt-in.

Btw, not to break your spirit, but you do know that source can be altered during compiling, right? i.e. you see abc in the source code, but when building binaries abcD is put in. Again: I'm 100% sure Canonical isn't doing that, but it *could* happen so even FOSS doesn't make anything 100% safe.

Is Opt-out an irreal choice?

Really, this is just a default setting, but there is exactly nothing stopping people from not sending data from the installer (it provides an option for this) and then you can freely uninstall packages you don't want, or change their config, or whatever.

Lol what?
You mean they could modify the source and then compile the modified source.

I'll introduce a concept called "reproducible builds" which everyone half-serious in FOSS provides if they want to have any kind of believability.

For example in Debian and derivatives you can pull down the EXACT sources used to build a specific package, inspect/modify it and then compile and package it with commands described here



If you just pull the sources and compile, then the package will have the EXACT same checksum of the package in the repos, and this will confirm that no motherfucker has tampered the binary packages offered on official repos.

Pretty much all distros have a similar system to allow the user to pull sources and build his own package. That is what their own build system does too, and that's why the checksums match, you are using the same sources and the same compiler version and the same libraries the build bots are using to generate the binary packages you find in the repositories.

Regarding: the reproducible builds thing: distros may do that, but not every developer does or can do that (I was talking about FOSS in general, not distros per se). I mean: let's, for example, say you go to the Chrome Web Store and install an extension that happens to be FOSS. How do you know the source code (on GitHub) is the exact same as the code in the extension binary published in the Chrome Web Store? I can't think of a way to reproduce that. Sure, you can load the source and install the extension from the locally cloned folder, but that wasn't my point.

If you are worrying about reproducible builds of Chrome extensions I have some bad news for you...

That said, webextensions (the extensions used by Firefox, Chrome and derivatives) are not binaries, they are text files (javascript stuff is compiled on execution) zipped up in an archive that has a signature. There is no compilation to reproduce, just extract them and use diff or whatever other text compare tool.

Closed source ones will probably be obfuscated some way, but then again you have no source to compare them to, so we aren't discussing that.

Plugins are another matter entirely, but they are not exactly common nowadays, usually restricted to Flash and some DRM or codec stuff that is meh but unavoidable.

I don't know, for me telemetry is spyware with another name, just to trick people into believing it's something else not so bad for them.
For me, collecting data about the user, including the devices he/she's using is bad and it affects the individual's privacy and security.
Why do they need this data all of a suddend to improve Ubuntu?
Who's looking at this data?
Who are they sharing it with?
Where are the answers?
Why should we believe them?
Why they got this idea now, after being best friends with Windows 10 maker?
Is it coincidence?

BTW, how do you know that is run inside the installer only, have you looked at the source code, do they delete the feature after install?
I'm sorry but I don't believe the whole "We need to look at your hardware before we can write good software"
They develop mostly user-space software not kernel drivers for hardware.

Explain how privacy and security are at risk if the telemetry is (as usual) anonymous.

The difference between (true) telemetry and spyware is that spyware sends data that is NOT anonymous, while telemetry sends over data that can't be used to track down the specific users.

True telemetry sends over technical info about what the software is doing, or what the hardware is doing, but does not send over names, IPs, MAC addresses, emails, or whatever else. It is anonymous, there is no privacy nor security violation unless you can track down the user of the telemetry, and in most cases the system does not need that nor can be hacked to extract that, it's completely irrelevant for the telemetry gatherer to know who each of its users are and where and what is their firstborn's fingerprint, sensitive data isn't sent nor stored anywhere.

And again, telemetry is useful when most of your users can't provide info back on their own, or can't be arsed to file bug reports (automated bug reports are very meh but better than nothing). Firefox does this with crash reports, KDE/Plasma also has a service for this, for example.

Because they have limited resources, and knowing what is the most popular software or hardware configuration would mean they can prioritize it.

They said (in the announcement I linked to you, you illiterate) that it was supposed to be published publicly somewhere. This will probably happen at the release of Ubuntu 18.04 (which is imminent I guess), as the commit adding this feature to the installer is dated 15-03-2018.

In the mailing list post, also repeated above for your convenience, because somehow you can't fucking read an official announcement and answer your own questions in 5 minutes or less.

Because it's all opensource so you can easily check that the data sent over is indeed telemetry and not spyware. See below for links.

They got friends with Microsoft only lately? Hmmm? Is this what you really think? They didn't totally have the same ideas for a long time before Windows 10 appeared. Like their whole continuity thing with mobile devices, or their use of a relatively touch-oriented UI on a PC.

That said, it's actually a smart idea if you are a business (i.e. paying people to create the distro), and long overdue for Ubuntu.

Can I remind you that RedHat and SUSE certify hardware? That's another way of making sure that they KNOW what hardware will their customers use, for the same reasons explained above (so they can make sure that user experience on there does not suck). Is people losing their mind over this fact? No.

It's just that on consumer hardware you can't rely on certifications, as no OEM will ever care.

You know right that the installer software is called Ubiquity and just like any other installer software it does NOT run outside of the install process?
This is the source code, at the commit that added this telemetry feature. You can see if it is indeed an evil thing sending over your baby's fingerprints or not, instead of screaming bloody murder from your armchair. https://bazaar.launchpad.net/~ubuntu.../revision/6596

Ah come on, stop imagining things in your head.
They said it's about prioritizing more popular packages/software and also on specific hardware support, not that it is about "writing good software".

Even rocks know that Canonical runs a patched kernel with their own modifications. They have kernel developers. The fact that they don't upstream as much as they could is another matter.