#97045 Please track package versions

#97045#5
Date:
2001-05-10 22:14:34 UTC
From:
To:
It might be useful to also send data about the package versions (this might
allow statistics about, for instance, how many people are using glibc 2.2-3
versus 2.2-4). Of course, the package versions should be reported only if they
are from the Debian archives (and not a local package version, which might have
sensitive info in the version part).

To find out if the package came from a Debian archive, take a look at
sources.list, ask the user which lines are mirrors of the official Debian
archive, and snoop at apt's cache of Packages files to get the version numbers.

#97045#10
Date:
2001-05-11 05:22:28 UTC
From:
To:
I'm not sure this is a good idea.  First of all, it might accidentally leak
personal information that people don't want given out.  Secondly,
popularity-contest is only reliable because it's based on a _lot_ of people
voting; if we start dividing votes up between every version of kde (for
example) then we're depending on individual submissions, which are easily
corrupted or faked.  Plus using individual information is a bit of a privacy
invasion anyway (even with names removed).

The most interesting information for me would be how many people are:

	- running the "original" stable without changes

	- running the latest stable with updates

	- running the very latest unstable

	- running (like me) stable with a few packages upgraded from
	  unstable.

	- etc.

If we could find a way for popularity-contest to generalize something like
that and send it along, I think that would be okay.  Sending more specific
information makes me nervous.

Maybe we should just send the contents of /etc/debian_version.

Have fun,

Avery

#97045#13
Date:
2001-05-12 00:54:05 UTC
From:
To:
----- Forwarded message from cesarb -----
possible).

How about this:

Do the following: create a page which lists "milestones" for the releases, and
make popularity-contest download it (put it in some debian.org host, so people
don't get nervous about leaking the fact that they use popularity-contest).

Put in it information for key packages, like this (feel free to change the
format, this suggestion is too hard to parse):

	potato
	potato+r1
	potato+r2
	potato+r3
	woody
	sid
base-files
	<=	2.2.0		potato+r3
	=	2.2.8		woody
	>	2.2.8		sid
libc6
	=	2.1.3-17	potato
	=	2.1.3-18	potato+r3
	=	2.2.3-1		woody
	>	2.2.3-1		sid

The first part gives the "order" of the releases, and the sections give the
"hints" to guess the Debian version. So, having base-files <= 2.2.0 means the
version is potato+r3, potato+r2, potato+r1, or potato (the <= applies also to
the order, not only to the version)

You'd have to code a script to extract the needed info daily from the Packages
files, and use only the "basic" packages (base, required, important, standard).

(I know this is too complex. I have this bad habit. Feel free to simplify.)
----- End forwarded message -----

#97045#20
Date:
2013-05-16 15:42:40 UTC
From:
To:
package popularity-contest
retitle 97045 Please track package versions
stop

It would be very useful to maintainers to know what versions of packages
are in use and with what relative frequency.

#97045#25
Date:
2013-07-28 14:22:37 UTC
From:
To:
It would be very useful to maintainers to know what versions of packages
are in use and with what relative frequency.

#97045#30
Date:
2013-07-29 12:58:12 UTC
From:
To:
Hello Thomas,
I have no plan for popcon to report package versions. This would reduce privacy
and reduce the anonimity of the system too much.

On the other hand, popcon now provide separate statistics for stable, so you
can estimate the packages version frequency.

Also I think you are overstating the usefulness of packages version, unless people
use package outside of stable/testing/unstable, which then would increase the
privacy/security issue.

Cheers,

#97045#33
Date:
2013-07-29 12:58:12 UTC
From:
To:
Hello Thomas,
I have no plan for popcon to report package versions. This would reduce privacy
and reduce the anonimity of the system too much.

On the other hand, popcon now provide separate statistics for stable, so you
can estimate the packages version frequency.

Also I think you are overstating the usefulness of packages version, unless people
use package outside of stable/testing/unstable, which then would increase the
privacy/security issue.

Cheers,

#97045#38
Date:
2014-10-31 21:24:05 UTC
From:
To:
Hello,
It would be really interesting to start reporting also the version of
the package, for example it could answer questions like: how many have
installed the last upload in sid vs the version in testing? I think
the default visualization should remain as is, but with the
possibility to drill down on versions.

I dont honestly see how reporting a version cloud leak any personal
information or violate one's privacy, as long as we report versions
released on debian archives.

Thanks for considering,

#97045#43
Date:
2014-11-03 22:10:15 UTC
From:
To:
The time granularity of popcon is larger than the current delay between
sid and testing, so I doubt it would work.

If you still use an outdated version of a package with a security hole, you
might not want to broadcast the fact, even if the package was part of the
Debian archives in the past, and even if you do not know yet about the hole.

Cheers,

#97045#48
Date:
2014-11-03 22:39:56 UTC
From:
To:
Hello Bill,
could be in the archive for weeks/months but they will still have the
older version.

but there is no correlation between who submitted the report and the
value in it, so just knowing that there someone with the popcon active
on their machine with a security hole (which is different than
*exploitable*) is no much more knowledge than "there are system still
running linux 2.0 on the internet, let's go exploit them".

Cheers,