This article describes the extension of the Fedora 32 user count mechanism to rpm-ostree based systems. It also provides tips for opting out, if necessary.
How Fedora counts users
Since the release of Fedora 32, a new mechanism has been in place to better count the number of Fedora users while respecting their privacy. This system is explicitly designed to make sure that no personally identifiable information is sent from counted systems. It also ensures that the Fedora infrastructure does not collect any personal data. The nickname for this new counting mechanism is “Count Me”, from the option name. Details are available in DNF Better Counting change request for Fedora 32. In short, the Count Me mechanism works by telling Fedora servers how old your system is (with a very large approximation). This occurs randomly during a metadata refresh request performed by DNF.
Adding support for rpm-ostree based systems
The current mechanism works great for classic editions of Fedora (Workstation, Server, Spins, etc.). However, rpm-ostree based systems (such as Fedora Silverblue, Fedora IoT and Fedora CoreOS) do not fetch any repository metadata in the default case. This means they can not take advantage of this mechanism. We thus decided to implement a stand-alone method, based on the same logic, in rpm-ostree. The new implementation has the same privacy preserving properties as the original DNF implementation.
Time line
Our new Count Me mechanism will be enabled by default in the upcoming Fedora 34 release for Fedora IoT and Fedora Silverblue. This will occur for both upgraded machines and for new installs. For instructions on opting out, see below.
Since Fedora CoreOS is an automatically updating operating system, existing machines will adopt the Count Me logic without user intervention. However, counting will be enabled approximately three months after publication of this article. This delay is to ensure that users have time to opt out if they prefer to do so. Thus, default counting will be enabled starting with the testing and next Fedora CoreOS releases that will be published at the beginning of August 2021 and in the stable release that will go out two weeks after.
More information is available in the tracking issue for Fedora CoreOS.
Opting out of counting
Full instructions on disabling this functionality are available in the rpm-ostree documentation. We are reproducing them here for convenience.
Disable the process
You can disable counting by stopping the rpm-ostree-countme.timer and masking the corresponding unit, as a precaution:
$ systemctl mask --now rpm-ostree-countme.timer
Execute that command in advance to disable the default counting when you update to Fedora 34.
Modify your Butane configuration
Fedora CoreOS users can use the same systemctl command to manually mask the unit. You may also use the following snippet as part of your Butane config to disable counting on first boot via Ignition:
variant: fcos
version: 1.3.0
systemd:
units:
- name: rpm-ostree-countme.timer
enabled: false
mask: true
Fedora CoreOS documentation contains details about using the Butane config snippet and how Fedora CoreOS is provisioned.
Paul W. Frields
I really hope people will refrain from opting out here. The Fedora folks go to great pains to make sure the counting information doesn’t compromise privacy. The metrics are very helpful to the community leaders for example in making a case for resources for projects. So this is truly a case of “help them to help you.”
Sam
The fact that I didn’t see any information about it when it was released was the deciding factor for me to remove this distro from my critical systems and take the mirror offline. The problem is not how harmful this counter is, but how it was smuggled in. I don’t want to be forced to read the fine print, every detail of the release notes, or posts like this to avoid deliberate intrusions. That is one of my main criteria for using and supporting open source projects. I suggest trying something like this with an opt-in dialog/prompt, as they do with many commercial products. If this then suddenly appears to be too intrusive, it may be time to reconsider.
Timothée Ravier
I can sympathize with the fact that we should have announced it sooner. However, some pieces needed to land in rpm-ostree for our instructions to disable counting to fully apply.
Note that we did not really “add” counting with this release. It was already there in rpm-ostree just like in DNF since Fedora 32, just not working properly and in all cases. And disabling it was also harder than what we wanted. Thus the work that we did to make sure that if you’re counted, this is done correctly and if you don’t want to be counted then you can easily never get counted.
Sam
Thank you for taking the time to reply. I was referring to F32 and should have written that clearly. I am still a fan of Fedora and have confidence in the work you all are doing. That is why I expressed my concerns. Again, I’m not worried about this counter as it is now, but about how such changes are distributed and configured (opt-out instead of opt-in). Technical limitations or chicken/egg issues can undoubtedly make life difficult for developers. Avoiding the slippery slope systematically is certainly more costly, but I think it’s worth it.
Users should be in control, even if it means less data for statistics. If asked and it’s clear that no critical data is leaving the machine, I would enable the option. In fact, on the remaining systems, I’ve never bothered to disable the counter.
rugk
As a Fedora users, I don’t see a problem here for me. It was announced before it was enabled and as for Fedora CoreOS when you’re at the official announcement mailing list (which is recommend), you also got a mail today. So nothing was hidden or so.
After all… even if you’ve missed that, here is a big Fedora Magazine article just talking about this little counter.
Apart from that it looks quite privacy-sensitive and does not even use an UUID as far as I understand, see https://fedoraproject.org/wiki/Changes/DNF_Better_Counting#Proposal
This is even better than counting per IP (for privacy and usefulness) as an IP has more sensitive information (entropy) than that.
And given it provides a real advantage to Fedora, I’m quite happy to use this.
Also their changes page promises a “public stats page”, so I’d be very interested to see this. 🙂
Alix Tamburo
I happened to see this by chance and am now wondering if this is currently active in Fedora 34 KDE as it first seemingly was implemented two version ago. How would one check? The only mentions I can find are related to rpm-ostree. It’s unfortunate that a feature that does seem to be designed with privacy in mind is not more transparently presented to the user.
Timothée Ravier
You can use the following command to list the repositories where the Count Me feature is enabled:
symson
Just include a clickable gui app “Fedora Survey” which DOES NOTHING BY DEFAULT – but allow the user to customize a one-time survey or on-going daemon with very granular detail.
probably 80 plus percent of Fedora users would be glad to send anonymized (and some non-anonymized) info to the team. It’s really not that hard. Absolutely NO ONE would mind. People like being counted. Anything beyond this will just end in upsetting users!