Does Fedora make connections to Amazon AWS, CloudFront, Highwinds, Stackpath and Google?

When I boot the system and when I leave it on without running browsers, etc. I’m noticing connections to Amazon AWS, CloudFront, Highwinds, Stackpath, Google, etc, connections to fedoraproject.org are few and far in-between, does a normal Fedora distribution rely on these services for anything? Does DNF Dragora or system update service use these?

I didn’t see any notification from DNF Dragora later that there were updates to be installed.

My browser is set to clear everything on exit and I wasn’t running any browser. I didn’t know if there were any background processes. I installed Fedora KDE, it developed problems, so I switched the DE to Cinnamon, there is Chrony installed, but no geoclue.

I never use GNOME and I don’t have any online accounts on Fedora and there are no cloud services connected to Fedora.

1 Like

Hello @novicefedora, welcome to the forum! Please take a minute to go through the introductory post in the #start-here category if you’ve not had a chance to do so yet. It includes useful information on using the forum effectively.

No, these are probably various analytics etc. scripts running in your browser session. Some browsers now run in the background even if the window isn’t open, for notifications and that sort of thing. To start with, Try killing all your browser processes and see if these connections are still there? (A lot of users use extensions to block these “trackers”)

Thanks for information that Fedora doesn’t use these services and information about introductory post.

No, these are probably various analytics etc. scripts running in your browser session. Some browsers now run in the background even if the window isn’t open, for notifications and that sort of thing.

I use Firefox and it is set to clear everything when I close it, so before I turned on the PC, I would have closed it in my last session. And I don’t use any extensions which show notifications. Next time I’ll try your suggestion.

Appreciate this is old, but I’d like to correct this.

The correct answer is “very possibly”. For example, this morning my computer was almost unusable. System monitor told me something was downloading huge files and eating all my bandwidth (I don’t have much). iftop showed me the downloads were occurring from AWS CloudFront on port 443. Huh?!

I killed the browser, it carried on. Then, on a hunch, I killed gnome-software and it stopped. So actually gnome-software, in the background and without warning, was downloading updates - probably from a mirror behind AWS CloudFront - so actually the answer is YES. Fedora absolutely can be downloading from software mirrors in the background, which might be hosted by any one of these named services.

If you’re seeing mystery connections to cloud-based CDNs moving a lot of data, and you don’t have a browser open, it’s probably gnome-software.

2 Likes

This is true, perhaps it’s pairing/syncing with one of the Amazon servers as the new updated apps get uploaded to the repos.

Even then, with needing to sync metadata, it should not be doing a massive download.

If I do a “dnf clear all” which clears the cache, followed by another dnf command, it is not a huge amount of data that gets downloaded to sync the metadata, usually <100 MB.

If gnome software is downloading that huge amount of data then it seems there is a problem with the way it works. BTW, I have removed packagekit so I don’t see the previous issue I had with with the auto-updates and have not noted huge background data downloads.

It may not be gnome software, but rather packagekit that is doing the downloads, since packagekit was downloading updates and had them ready to install at shutdown.

I don’t think any of the mirrors are on AWS. One can see the full list here:

https://admin.fedoraproject.org/mirrormanager/

I don’t know how FlatPaks from FlatHub are distributed though, so that’s a possibility.

https://flathub.org/about

It could be either FlatPaks, PackageKit, or indeed both. I think one of the packages due for upgrade was Fedora Media Writer, which wasn’t showing up in dnf upgrade (I tend to run dnf separately in a terminal and regularly) and there were two ThinkPad firmware updates queued.

Be that as it may, here in userland the ‘fix’ was to kill the gnome-software process. So regardless of the semantics of exactly what is downloading in the background, the summary of components that makes up Fedora can absolutely cause the kinds of connections the OP was asking about. That’s all I wanted to make clear. :slight_smile:

1 Like

It shouldn’t be packagekit, unless a user has a non-Fedora repository installed that is served using one of these services.

Is this Fedora media writer from the repositories? If yes, then it’s probably a case of packagekit/Gnome-software and dnf being out of sync. They have their own metadata etc. and so the updates they show depend on how up to date their metadata is. But if it’s from the standard repos, I’d be surprised if it pulled from AWS.

Firmware updates come from LVFS, and I don’t know what services they use to host firmware:

https://fwupd.org/

Killing gnome-software may not be enough actually. You can check for flatpak updates using the terminal for example:

flatpak update

I don’t think there’s an automatic process that does this automatically like gnome-software, but there’s nothing stopping a user or a sysadmin from setting up a simple cronjob.

Next, dnf has a systemd timer that regularly updates its metadata, so if there’s a repository being served from AWS, it will be periodically pulled from.

So yeh, your conclusion is correct—Fedora can create these connections, in a similar way that accessing a website that hosts resources there will. I guess what we want to clarify is that:

  • the standard fedora repos are not hosted on AWS (as you can see from the mirror list above)
  • FlatHub/LVFS have their own hosting, so it’s possible that they use AWS etc.
  • third party repos may be hosted anywhere: the user needs to verify these, and should not install them if they’re unsure
  • stuff that uses CDNs etc.

The stuff enabled in Fedora by default can be trusted. There are strict privacy policies in place, and any tool that tries to collect data etc. is patched downstream to stop it from doing so (and in cases where this cannot be done, the software is not included in Fedora).

https://fedoraproject.org/wiki/Legal:PrivacyPolicy