[Bug 955802] New: libzypp AnonymousId lacks informed user consent and option to disable
http://bugzilla.opensuse.org/show_bug.cgi?id=955802

Bug ID: 955802
Summary: libzypp AnonymousId lacks informed user consent and option to disable
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.1
Hardware: Other
OS: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: libzypp
Assignee: zypp-maintainers@forge.provo.novell.com
Reporter: astieger@suse.com
QA Contact: qa-bugs@suse.de
Found By: Security Response Team
Blocker: ---

/var/lib/zypp/AnonymousId contains a per-installation unique identifier which is sent as the X-ZYpp-AnonymousId header.

A constant device ID sent in the clear to all hosts including openSUSE mirrors (boo#955801) and third parties is a clear privacy issue.

This data is useful to openSUSE / SUSE to determine usage and adoption of the openSUSE. This must be balanced with privacy consideration. The user must be able to give his informed consent.

I do not need this happening, the user has no option to turn this off.

Add an option to not generate a unique ID, and get the user's informed consent prior to generating it.

Add option to not send this header, and get the user's informed consent prior to enabling it.

... for wiping and re-generating it...

The information to the user must contain correct information about how the ID is transferred. At the moment it is in the clear and to all hosts including mirrors and third party repositories.

--
You are receiving this mail because:
You are on the CC list for the bug.
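An added example, not part of the bug report or of libzypp: an audit over egress proxy records that lists which hosts received the X-ZYpp-AnonymousId header, which of them received it over plain HTTP, and whether one value reached more than one host. The record shape, the host names and the identifier value are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

HEADER = "x-zypp-anonymousid"  # header name from the report; matched case-insensitively

# Constructed sample: (request URL, request headers) as an egress proxy might log them.
# Host names and the identifier value are made up for this example.
SAMPLE_REQUESTS = [
    ("http://download.example.org/repo/oss/repodata/repomd.xml",
     {"User-Agent": "ZYpp", "X-ZYpp-AnonymousId": "00000000-1111-2222-3333-444444444444"}),
    ("http://mirror.example.net/repo/oss/repodata/primary.xml.gz",
     {"X-ZYpp-AnonymousId": "00000000-1111-2222-3333-444444444444"}),
    ("https://thirdparty.example.com/repo/repodata/repomd.xml",
     {"x-zypp-anonymousid": "00000000-1111-2222-3333-444444444444"}),
    ("http://mirror.example.net/unrelated/file.txt", {"User-Agent": "curl"}),
]


def destinations_by_id(requests):
    """Map each identifier value to the set of (host, scheme) pairs that received it."""
    seen = defaultdict(set)
    for url, headers in requests:
        value = next((v for k, v in headers.items() if k.lower() == HEADER), None)
        if value is None:
            continue  # request did not carry the identifier
        parts = urlsplit(url)
        seen[value].add((parts.hostname, parts.scheme))
    return seen


def findings(requests):
    """One finding per identifier: recipients, cleartext recipients, cross-host linkability."""
    report = []
    for ident, dests in sorted(destinations_by_id(requests).items()):
        hosts = sorted({host for host, _ in dests})
        cleartext = sorted({host for host, scheme in dests if scheme == "http"})
        report.append({
            "id": ident,
            "hosts": hosts,
            "cleartext_hosts": cleartext,
            # The same value at several hosts lets them correlate one installation.
            "linkable": len(hosts) > 1,
        })
    return report


if __name__ == "__main__":
    for finding in findings(SAMPLE_REQUESTS):
        print(finding)
```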
Andreas Stieger
http://bugzilla.opensuse.org/show_bug.cgi?id=955802#c1
Stephan Kulow