Opt-out countme is anything but easy

How do YOU opt-out of countme?

Here is one way that does have side effects and only affects the running of the dnf command

cat /etc/profile.d/dnf.sh
alias dnf='dnf --setopt=\*.countme=0'

The only documented way I could find would be to modify each repo file in
/etc/yum.repos.d that has countme=1 to countme=0. I tried

dnf config-manager --setopt='*.countme=0' --save

but it changed more than I was aiming for (all repos even if they didn’t have a countme to start with). It seems that anytime the rpms that include those files are updated the countme gets re-enabled.

For kickstart installations while anaconda is installing packages I have

%pre
# Turn off countme in the repo files anaconda uses during installation
for repo in /etc/anaconda.repos.d/*
do
  sed -i 's/countme=1/countme=0/' "$repo"
done
%end

bz#1965813 exists but does not capture a real solution. Does anyone know how to opt-out (both during installation and once running)? To opt-out permanently?

Thanks

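An added example (not part of the original posts, and not Fedora's or DNF's own tooling): a per-section audit that lists which repo sections have countme switched on and flips only those, leaving repos that never had the key untouched. The function names and sample repo files are constructed for illustration; it treats `1`, `yes`, `true` and `on` as enabled and assumes GNU sed.

```bash
#!/bin/bash
# Added example, not from the thread: per-section countme audit and opt-out.
# Function names are hypothetical; GNU sed (as shipped by Fedora) is assumed.

# Print "file<TAB>repo-id" for each repo section where countme is switched on.
countme_enabled() {
    local dir="${1:-/etc/yum.repos.d}" f
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        awk -v name="${f##*/}" '
            /^[ \t]*\[[^]]+\]/ { id = $0; gsub(/^[ \t]*\[|\].*$/, "", id); next }
            tolower($0) ~ /^[ \t]*countme[ \t]*=[ \t]*(1|yes|true|on)[ \t]*$/ {
                print name "\t" id
            }' "$f"
    done
}

# Flip only countme lines that are present and enabled. Sections without a
# countme key are left untouched, so no new keys get written to any repo.
countme_disable() {
    local dir="${1:-/etc/yum.repos.d}" f
    local on='^[[:space:]]*countme[[:space:]]*=[[:space:]]*(1|yes|true|on)[[:space:]]*$'
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        sed -i -E "/$on/I s/=.*/=0/" "$f"
    done
}

# Constructed sample repo files in a scratch directory; /etc is never touched.
countme_demo() {
    local d
    d=$(mktemp -d) || return 1
    printf '%s\n' '[fedora]' 'name=Fedora' 'countme=1' \
        '[fedora-debuginfo]' 'name=Fedora Debug' 'enabled=0' > "$d/fedora.repo"
    printf '%s\n' '[updates]' 'countme = 1' > "$d/fedora-updates.repo"
    printf '%s\n' '[internal]' 'baseurl=https://repo.example.internal/' > "$d/internal.repo"
    echo "enabled before:"; countme_enabled "$d"
    countme_disable "$d"
    echo "enabled after: $(countme_enabled "$d" | wc -l) section(s)"
    rm -rf "$d"
}
countme_demo
```

Running `countme_enabled` again after package updates shows whether an updated repo file has switched the setting back on.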

I am curious why you want that.

I don't know the technical details (please someone add them) but the countme is anonymous and just gives you a unique ID or something?

Your IP address may be enough to do that, but nonetheless the traffic is encrypted and you need to trust Fedora anyways with anything.

I see how it could be a problem that you are targetable because of that unique ID, and if certain state actors want you down, they could target only you, which could be legal, unlike implementing backdoors on everyone's system.

edit: see below

As pointed out in the bz an easy way for the user to opt out was promised.

I have worked in organizations that had policy that forbade that type of counting going on. Sometimes it was due to internal reasons; other times it was necessary to stay in compliance with customer contracts. Many times the lack of metadata uploading made obtaining support harder. Not being able to upload logs made support downright ugly.

But it is not just Fedora who has to be trusted. ISPs, network providers, DHS and other government agencies can figure a lot out just by knowing the connection occurred even without knowing the contents of the conversation. Some deem value in that data so it may get sold to whoever will pay.

In my current capacity it is still distasteful to have any telemetry being collected by anyone no matter how righteous and unblemished they are :-) I don’t think countme comes into play with this next reason (if I turn off auto metadata updates…) but I like to have my computer be absolutely quiet when I turn it on, especially in an adversarial environment like a conference or public wifi etc. It is nice to scan the airwaves passively too before deciding to risk making a connection.

I think it is healthier to always have to approve any type of telemetry each and every time.

I am happy to know that Fedora has a hard time collecting this data from all the mirror sites and has to involve the users. I would submit that going forward the more that can be done to make collecting data impossible the better. If nobody can collect it nobody can misuse it. Finding ways for users to voluntarily supply data with complete privacy is not possible so always let them pick and choose.


This type of telemetry is not critical at all. It is just needed to know who uses Fedora and lives where likely. But I don't know.

If it is opt-in, the results are biased. This is the measurement because forums etc. don't represent who actually uses it.

But for sure, if “compliance” requires your OS supplier to not know you are using the OS (which is not possible), then maybe makes sense?

I also find the point about a “network silent” system interesting. Mine is the exact opposite.

I am always using a wireguard VPN though, and there are discussions about isolated captive portal sites, but not yet there.

Hello @steppybug ,
Sorry to hear you’re having difficulty with this. You’re correct that @mattdm, who is the owner of the wiki at Changes/DNF Better Counting - Fedora Project Wiki, states there that it is supposed to be easily turned off. Perhaps he could join in this conversation, and we can all figure out how to turn it off.
I note the countme toggle is default true, then resets to false after the first time count, then returns to true state after 7 days, I think the docs say.
This also may be of relevance in the proposal noted …

Rather than a simple boolean, we'd like the "countme" variable to act as an increment-counter. That is, it would be "1" the first week, "2" the second week, "3" the third week, and so on.

This would indicate that it is used as not just a toggle, but as a how long (in weeks) is this a Fedora system?
I moved this to the project discussion area.


From Ask Fedora to Project Discussion

Added council, mindshare, websites-and-apps-team, workstation-wg and removed dnf, installation

It doesn’t contain a unique ID.[1] It just tells dnf to, once a week with some randomization, send 1, 2, 3, or 4 instead of 0 along with the normal user-agent metadata it always sends. The numbers correspond to broad age buckets (first week, 2-4 weeks, 5-24 weeks, 24+).

This was supposed to be age-since-system-installed, but as you’ve noticed the implementation ended up per-repo. The dnf team is actually fixing that, which should also fix this whack-a-mole problem (there should be one global age and one global setting).

I’ll talk to them and make sure that it is easy in the updated code.

That said, wherever possible, please leave this on. It doesn’t cause any additional connections that could be seen by a third party[2], the information does go over https, and the information it gives is intentionally meant to be useless for individual tracking.[3]

The resulting information is extremely useful for basic things like “hey, is KDE really significant to our users, or is the KDE SIG really loud?”[4], or “do people really use Fedora Linux for anything other than desktops?”[5] or “is this new release seeing uptake?”[6] or “are a lot of people running past the eol without updates?”[7]

This, in turn, helps us make better decisions as a project.


  1. That is what SUSE does, and it was my original proposal, but this is better. ↩︎

  2. except on ostree systems, maybe — they have a different implementation ↩︎

  3. We are also looking at adding differential privacy techniques (which add noise at the individual level which can be removed only in aggregate) but that’s a future possible improvement. ↩︎

  4. Why not both? ↩︎

  5. very much so — yet a lot of people are very skeptical, so the data is very important ↩︎

  6. hopefully yes! ↩︎

  7. yes, but a lower % than it used to be ↩︎


btw is there a place where this user data is published, in edited or unedited form?

When DNF 5 is the default, we’ll be able to use a configuration override (similar to how systemd has /usr/lib/systemd vs /etc/systemd) to just turn this off without overwriting the repo file that is RPM managed.


Yes – weekly processed data goes to Index of /csv-reports/countme every Thursday. I have some scripts that process those logs into useful graphs, but they’re pretty hacky. I’m planning on updating those to use Grafana sometime after the f40 release.


That the countme telemetry has value is wonderful yet the risk to users is nonzero. So just like anything else. Therefore user choice is important.

Many machines I’ve built do not use the Fedora mirrors directly. So if I use the Foreman or just Pulp to pull down Fedora packages from Fedora mirrors but have all Fedora instances pull packages locally, does countme still attempt to contact Fedora servers? During Pulp pulls from Fedora mirrors? During Fedora instance pulls from Pulp?

It only looks at enabled repos with the countme option enabled. With the exception of ostree systems (which don’t use DNF), it’s entirely part of the normal DNF metadata refresh. Since that goes over SSL, to an external observer, there’s no difference from a refresh call which doesn’t contain the once-weekly countme request, or from a system with countme disabled.

If you have countme enabled but only your own internal repos, only your own servers get the metadata. So, these are already not counted.

I don’t think Foreman or Pulp pull DNF metadata in the same way, although I haven’t looked at it for a while.
