Minetest has telemetry that can't be disabled / missing privacy consent #14819
Comments
This is very important: Minetest only checks for updates if you have at least one package installed using the ContentDB menu integration and it never sends the package list to ContentDB.
It never sends the package list - it's a heavily cached endpoint, only the Minetest version (and standard http request stuff like user-agent) is sent. Ie: https://content.minetest.net/api/updates/?protocol_version=43&engine_version=5.8.0 The response is the latest version number for all packages for the given Minetest version. No need to send a package list
I'm not against an option (update badges are annoying) but it should be enabled by default as it provides the best user experience
It's 13 lines of Lua code: https://github.com/minetest/minetest/blob/master/builtin/mainmenu/content/update_detector.lua#L50-L63
This is not true, there's also the version check to www.minetest.net
No package lists are sent to ContentDB
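The exchange described in the comment above, modelled as an added example (not Minetest's own code; the project's check is written in Lua). The response shape (a map from package id to latest release number), the package ids and the release numbers are constructed assumptions; `audit_request` is a hypothetical helper for checking what a request discloses.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Endpoint as quoted in the thread.
UPDATES_ENDPOINT = "https://content.minetest.net/api/updates/"
ALLOWED_PARAMS = {"protocol_version", "engine_version"}


def build_update_request(protocol_version, engine_version):
    """Build the request URL; only the two version fields are sent."""
    query = urlencode({"protocol_version": protocol_version,
                       "engine_version": engine_version})
    return f"{UPDATES_ENDPOINT}?{query}"


def find_updates(installed, latest_index):
    """Compare on the client. Packages missing from the index (for
    example local-only mods) are skipped and never reported anywhere."""
    return sorted(pkg for pkg, release in installed.items()
                  if latest_index.get(pkg, release) > release)


def audit_request(url, installed):
    """Return what an outgoing URL discloses beyond the version fields:
    unexpected parameter names, then installed package ids found in values."""
    params = parse_qs(urlsplit(url).query)
    extra = sorted(set(params) - ALLOWED_PARAMS)
    values = [v for vals in params.values() for v in vals]
    names = sorted(p for p in installed if any(p in v for v in values))
    return extra + names


# Constructed sample data (assumed shapes, not real ContentDB output).
INSTALLED = {"alice/castle_blocks": 101, "bob/sky_islands": 7, "local/mibi": 1}
LATEST_INDEX = {"alice/castle_blocks": 140, "bob/sky_islands": 7,
                "carol/lanterns": 55}

if __name__ == "__main__":
    url = build_update_request(43, "5.8.0")
    print(url)
    print("disclosed:", audit_request(url, INSTALLED))
    print("updates:", find_updates(INSTALLED, LATEST_INDEX))
```

The request still carries the client IP address and the HTTP headers, which this model does not cover.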
Since recently, MT does not come with any content preinstalled so this condition is satisfied 99.9% of the time. Even downloading devtest will enable the beacon.
No, at worst it must be a nagging modal you present the user with at the very beginning. I'll roll my eyes and say it's one of "those" programs now, but at least it won't be malicious. I don't know in what world is phoning home without consent a good user experience, this is some high-grade corporate bullshit I'd expect from a company in a late stage of enshittification. And no, zero-click knowledge that updates to existing content have been released is not a vital feature, not even close. Even people with severe FOMO can live with a button to check. At least confine it to the content tab as your privacy policy actually states. That's the bare minimum. An informed consent dialog the first time you use the content tab would be good practice.
This is not how you measure the cost of auditing, that file has 150 lines and there's a lot more surrounding code that must be examined. It's 13 lines for you because you wrote it and know where the telemetry is. Tomorrow it could be 1000 lines, and two more requests. People shouldn't have to audit any of this in the first place. Today you download the whole JSON because it's small enough, tomorrow it might be too large and you'll decide that you do actually want to send the user's mod list, after all it's just a mod list, t̴h̶e̴r̶e̶'̸s̵ ̷n̷o̶t̸h̸i̸n̵g̸ ̶w̴r̷o̶n̷g̵ ̶w̶i̵t̶h̶ ̶t̸h̷a̴t̸, ̴̜̔a̵n̷̤̆d̵͔̈́ ̸̟̔ḻ̴̃o̵̝͒o̸͈̔k̷̝̕ ̸̖͘a̴̠͂ţ̷̓ ̵̡̄a̷͈̒l̷̳͊l̵̖̿ ̵̤͝ţ̷̑h̷̖͝e̸͔͗ ̶̼̍g̵̤̽ǫ̴̔o̶̝̿d̴̞̐ ̸̮͑w̷͍̏e̴̖̔ ̴̙̈́c̴̱̓a̶̳̒n̵̺̾ ̴̣̏ḑ̸̈́ò̷̤ ̴̫͐ŵ̶͚i̶̖̐t̶̤͐h̶̙͌ ̷̢̑t̸͈̃ḧ̴̲́a̶͘͜t̷͚̓ ̸͇̈d̷͎͝a̵̔͜t̵̺͐ȁ̵͖,l̵͈͕͕̾̃̂o̷͇̺̎͠õ̸̠͔͍͍͔k̶̨͚͔̘̑̓̆̓͘ ̶̗͆͒ȁ̶̩͖̙͜t̴̩̗̥͉̟͊̊̿ ̸̡̣̤͆̈́́h̷̝͍̫̿̈́̿o̸̱͉͕͋̋̋̐̂w̵͕̫̌͊̈ ̴̨̪̋̔̐m̵̱̱͎̑̈́͆̓ȗ̶̖̫̭̰̮͆c̵̛͓͙̔́h̵̩͇͒̌̊̎ͅ ̸̹̹̲͒̉͑͌̍͜w̷̨̦̜̠͎͆͝e̵̢̖̲̊̏̐̇̓ ̸̨̟̮̘̆̄̐̏̚͜c̵̪̞̈̀a̵̢̟̪̹̅̃̐̾́r̶̯͕̋̿͋e̵̦̰͛͋ ̷̘̗̹̼̲̔͠͝ä̸͈̗̖̝́̿̓͋b̶̨̯͕̻̽̈̆̈́͘ọ̷̦̠͔̝̐͋̽̈́u̶̩͘t̷̡͓̟͈̬̋̈́͐͛ ̵̘͕̘̆y̴̝͉̮̟͐̚ȯ̷̥̿͜ų̷̼̦̘̓,̷͚͔͉͆̏ l̵̪̘͆͒́̕͠e̵͇̣̽̓̒͒̕t̸̩̻͍̰̟̃̏͝ ̸̢͕̣͈̇̃̂ư̷͇̹̮̫s̸̖̆̒ ̸̡̥͎̯̙̀̆i̶̬̮̓͋͝n̴̟̆́,̷̺̔̈͗͝ ̵̟̩̐̂ù̶̮ͅs̷̠̙̏̈́̒̓ê̷̗̯̬̍̆͗͝ṙ̵̩̤̏̋̈́,̷̟͇̆̋ ̶̣͕̤̈́̅̆̇͘f̵͍̮̞̲͍̾̔͐̒͝é̷̛̙̩́e̴͎͓͗͜d̴͓̙̯̹́͗̔̊̔ ̶̱͌ŭ̵̟̖̩̩̓̇̌͝š̸̙̜͕͝, ,̵̛̬̦̣͍̐̒̊́̚͝ ̵̡͎̖̮̳͊̒̉ẅ̶̲̯̳͎̀̑̓̓͝ḙ̸̛̰̟ ̵̧̧̱̰̜̥́̀̾̿ḩ̶͎̫̍̿͑͗͊u̷̻͇̠̭͕͉̱̽̎̈ņ̵̻̩̞͇́̇̚g̴̖̣̞̬̣̒̋̉̏̕̕͜͝ͅe̵̹̐̊r̵̦͙͒͠
This is entirely unnecessary for fetching a JSON and there's no reason why you shouldn't be blanking this out.
"We've already breached your trust earlier" isn't how you do damage control, I don't know why did you think that would help your case. The version check can be neutered by blanking out its URL in the settings, the content check cannot without entirely breaking CDB access. Either way, Minetest has joined the ranks of mildly malicious software that you have to examine carefully with your internet connection off on first use, and scrutinize its very long settings list, looking for "gems" such as this one. Except there isn't a setting for the CDB fetch. If you download MT from Github or from any of the free software repos it lives in, you won't know that it phones home. Even the requests that are made are a lot of information. Even without a modlist, this information isn't very anonymous because you could correlate it with IP addresses from You are not taking this breach seriously and that's very worrying. I want to run a server-game but I cannot, with a clear conscience, require my users to use a client with such a shaky privacy record. I like the idea of MT being a generic shell that can connect to various 3D MUDs but there has been constant friction on this ground and a fork is becoming more and more attractive. Speaking of conscience, here's an example of a repo that you've duped with this change: How to fix this situation
Related: #7629
@rubenwardy The fact that something as mainstream as Ubuntu has a policy like this should raise a flag that maybe this is something you shouldn't be doing, not a "haha, let's do this, maybe they won't notice, dumb users don't know what's good for them". You might be running afoul of more repository policies than I've initially thought. This also means that this is a problem of culture here, not just an isolated incident. Start respecting your users or they'll flee and start forking. Today it's a HTTP request, tomorrow it'll be a If this was up to me, I'd forbid having any home-pings on by default in every distribution except these two cases:
Zip versions and source distributions should never phone home and probably not even nag the user about it. Someone downloading the .zip and unpacking it manually is very unlikely to want this feature in the first place. Overall, making unnecessary requests just isn't good practice. In light of the recent xz backdoor attempt revelations, I'd say that every moving part in a program can be an accessory to a security breach, and a possible place for a later malicious contributor to hide an actual backdoor.
The update check was added in #7629 (5.6.0), the CDB update check in #13807 (5.8.0).
For HTTP requests it makes, Minetest assembles a user agent with its own versions as well as the version of your OS.
This is not technically necessary for any of our use cases. But it has helped us with abuse prevention and gauging which versions are still in use and where in the past.
We don't have a special process for announcing changes that touch privacy. It's a boring change log entry like everything else.
This is obviously on us. But an argument could be had on how much due diligence downstreams are expected to perform, when they didn't notice an anti-feature being added. Think "trust but verify". FWIW Debian is aware and has disabled the update check. I don't see any changes related to CDB in their patches. In short:
An abuser can just spoof this user agent. The only utility I can see here is filtering out confused spiders, which can be done with a generic "Minetest" useragent string with no extra info.
Either it passes their standard for phoning home (incorrectly imo, since minetest now needs packages to function), or they're unaware because it's not easily discovered. I don't know if a repo should ping for updates like this, no decent software repository I know of does this unprompted. Pacman, pkg_add, apt (probably) and others all require manual action to perform an update, and will download the new index opportunistically when they need it. Just like an OpenBSD user doesn't expect pkg_add to fetch its list from the mirror every time they start the computer, they probably don't expect MT to do this whenever they start that.
The context of this statement is that Debian (and with it Ubuntu) is notoriously slow to update which causes worse user experience, wasted support effort for ancient versions and in part also leads to a situation where modders have to consider supporting old versions, because those are in wider use than they should be. I say this to be clear that "We want to add tracking which Ubuntu rightfully prohibits but maybe they won't notice" is absolutely not the intent of what ruben said.
It's a lousy argument, why should I allocate time for monitoring your bad practices when I can just fork you. The fact that I downloaded 5.8 without checking the changelog means that Minetest had an excellent reputation in my regard prior to this. This is why I'm furious, this was one of the "good" programs that I didn't suspect one bit. After all, if it's in the OpenBSD ports tree and dozens of other FOSS repos, it's probably legit. Guess not. I'll just add that what I see here is an attempt to emulate practices that are already going out of style due to years of backlash and changing legal landscape. Kind of like some poor countries that copy legislation that's about to get repealed in the country of origin. There are serious problems with the utopian "always online always updated rolling release" model, especially in a lemonade stand sized "company" such as this one. Any fault in an ambitious system like this will have cascading effects, and there is likely a finite amount of exploits standing between a criminal and your users' machines. I don't think you have the resources to pull this off correctly. Right now, my personal safety could depend on your server's security, and I didn't even know about this until yesterday. Maybe you should trust your users' intelligence a little more and assume they're very well capable of clicking a version check button every now and then. Do mods have version compat manifests? If not, fix that. Create safer ways for users to discover that they need to check for updates instead of hammering a central server.
I second this, honestly just an "update package list" would do. This is a minor inconvenience, yet provides privacy by default. Also for users who don't care that much you can add "enable automatic package list updates" or something.
MTG was so bad, most players would jump to CDB for mods/games anyway.
Although I agree with you that Minetest should ask before doing any connections, I think that having such high levels of trust for a ... computer game especially with such heavy security concerns is wrong in the first place. Your security/life shouldn't depend on a game and if it does then maybe unplug the machine from the internet. Anyway, just 5 cents from someone who doesn't know what he's talking about.
Just to throw in my two cents, github and literally every website are collecting far more information about you than Minetest, and yet you seem to have no trouble using them. An option/setting to disable update checking may be warranted, but freaking out like this isn't. :D
@kromka-chleba Somebody from this very community has attempted to extort me before, and I happen to have invested a significant amount of time into a potentially commercial project. So yes, you have no idea what you're talking about. MT attracts plenty of crooks and weirdos. Remember the guy who phoned one of the core devs' workplaces? A sufficiently motivated idiot with a grudge is all it takes. @NathanSalapat Why do you assume that I have no trouble using Github? I'm forced to because this engine keeps breaking and the maintainers decided to use this site instead of self-hosting a bug tracker. This is also a bad practice, especially now that any commit is a donation of code for MS Copilot to launder. Github's security is probably still a lot better than whatever debian box the CDB is being hosted on, and GH employees risk a lot more by acting maliciously.
Off topic. (feel free to delete) As somebody that was also targeted by OC with death threats and the like, I just started using a VPN for everything.
@hecktest Okay, I understand your point more now and agree this is serious. Providing a flag to disable CDB integration and also making
@NathanSalapat A VPN won't help you if someone accidentally (or "accidentally") introduces a hole into the update checker, and finds a way to trick the CDB server into sending you a payload. Not running the request every time you start the executable could mean a difference between finding out about the hack from an announcement a few days later, and finding it out the hard way immediately. A zero-tolerance policy for unprompted requests means that any damage from such a hack would be severely limited. You say I'm freaking out. The very fact that you're alive right now is because billions of your ancestors in direct line have "freaked out" about things. The ones that didn't got eaten. I'm trying to point out a hole in software you're using (and dangers to MT's reputation and legal standing) and you're calling me names. The devs have already acknowledged the issue and are trying to reasonably discuss this, while the rabble came to have a contest about who can make the dumbest comment.
@kromka-chleba You don't have to disable CDB integration, literally just don't make an unwanted HTTP request to the CDB server every time the program starts.
Some distros could want to disable CDB integration to encourage using packages from the repository?
Maybe, but that's out of scope for this issue. The issue is about unsolicited network requests.
IMO, would be cool to have the option to disable the check (and the privacy policy should be updated if it doesn't speak of this feature), maybe with a popup at first startup asking something like "Enable online services?", but honestly checking for package updates is a great feature overall. I personally tend to clone Git repositories for my mods/games and auto update everything regularly (I use CDB to discover them anyways), but for non-technical users or mobile phones having a notification for available updates is an important feature. Without it I would often forget to check for update on the content tab before starting to play on Android. I strongly disagree that this feature should be off by default. And really, why would sending a stupid MT version + OS as user agent be a problem?? What could CDB do with this data? A graph with used MT versions and OS at best. Since it's how internet works, CDB will have access to my IP (which reveal my rough location) unless I use a VPN, this is much more impactful data in case the CDB owner becomes malicious. I am for passing the Minetest version, as it's useful to estimate how much are the different versions used. OS isn't really needed I guess but I honestly don't care.
This project is open-source. As long as you have a public repo there is nothing you can do if someone wants to gather code to feed an AI model. Yes, GitHub trains an AI. So does GitLab and Bitbucket. But even if you host your own instance of Forgejo, Gitea or GitLab, you have plenty of web crawler solutions that are able to scan the entire internet, look for instances of these services and download the code. And you can't even block at all if they use a random user agent. Any publicly available data can be gathered by any people or robots. AI being ethical or not is another debate, but complaining about your code being used by GitHub while building an open-source software which is by definition accessible by anyone is ridiculous.
I'm against automatic update checks when Minetest starts unless I have explicitly enabled them.
Does NTP time synchronisation also count as a home-ping?
I agree with @hecktest . We should have a simple rule for Minetest: "No network requests, unless explicitly requested by the user." (And I do not care what Github, or the OS, or whatever are doing, this is about Minetest.) Update: I removed that code from my local MT. Thanks @hecktest for bringing this to our attention.
I honestly think we should have a debian mode which will allow 2 stages of removal of all these pertaining issues: Something along the lines of:
```cpp
enum Telemetry {
	// Will allow the game to work as it does now, unchanged.
	full,
	// Will disable the engine from sending out any os information but can access server list and contentdb.
	slight,
	// Will disable the engine from talking to the server list and contentdb, with the contentdb tab removed.
	none
};
```
In this implementation, the lua code will detect that the engine flag, somehow. Subsequently executing only the desired implementation. With Having If This is simply an idea of how to make everyone happy depending on how the end user and linux distro maintainers want to package or compile the game. This has been a long time issue so I thought I would finally chime in with my full thoughts after processing the distress around this issue. Let me know your thoughts on it.
Closing to split the issue into individual complaints
Just thought it's worth to mention:
https://github.com/minetest/minetest/blob/master/builtin/settingtypes.txt
Minetest version
Summary
MT now phones home to check for content updates. Countless issues:
- Since there are way too many packages in existence to download the full list, it probably sends the server the installed package list.
- Does the code narrow it down to packages that came from CDB or do you literally receive a list with "mibi" in it every time I connect?

Overall, this is behavior I'd expect from mobile trash, not from free software.
Tagging @rubenwardy because this is his pet project. Very, very disappointed in this direction. I should have been more vigilant when this feature was first being championed because of course it was going to lead to this, people who want to build shiny online systems for everything will eventually shove updates, telemetry, analytics and other trash down your throat.
People have hard forked for less. I'll kick MT off my firewall whitelist for the time being; I'll wait and see how you handle this issue before making any move.
Steps to reproduce
Download the shitware called Minetest, enable terminal logging and try to run it without a network connection. Notice a new message in the terminal.