
BSD vs. Ubuntu motd(5) - lelf
https://twitter.com/lelff/status/1210619413885575168
======
jlgaddis
One implication of this that some people don't realize is that a brand new
Ubuntu instance -- whether a physical host, a virtual machine, an EC2
instance, whatever -- immediately calls home to Canonical as soon as it spins
up for the first time.

The functionality is included in the "base-files" package, which has a
priority of "required" and is marked as an "essential" package. Thus, if you
have an Ubuntu instance, it's nearly 100% guaranteed this is installed and
enabled by default.

(If memory serves, this was added in 17.04 or thereabouts.)

~~~
vetrom
Rather older. This sort of thing started rolling out when Landscape came out,
ca. 12 years ago. Does Red Hat have something similar in RHEL?

~~~
samtrack2019
RHEL doesn't need to since to get packages access you need to register your
system with your rhn account...

Fedora or CentOS does not

------
jlgaddis
To disable the part of the MOTD which calls home, setting

      ENABLED=0

in /etc/default/motd-news should be sufficient.

To get rid of the entire "dynamic" MOTD, disable the timer unit:

      $ sudo systemctl disable motd-news.timer

Alternatively, stop supporting companies that covertly slip spyware like this
into their software. Debian is wonderful, of course.

(I'm on an iPad and going from memory, but I _think_ this is correct --
someone will correct me if it isn't!)
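
The two settings named in the comment above can be checked per host with a small audit script. This is an added example, not part of the thread or of Ubuntu's own code; the function names and the policy of requiring an explicit `ENABLED=0` are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the thread): audit one host for the two settings
# named in the comment above, /etc/default/motd-news and motd-news.timer.

# Print the effective ENABLED value from a motd-news defaults file:
# the literal value, "unset" (no assignment) or "missing" (file not readable).
motd_news_enabled_value() {
    file="${1:-/etc/default/motd-news}"
    [ -r "$file" ] || { echo missing; return 0; }
    # The file is shell syntax, so the last uncommented assignment wins.
    # Drop a trailing comment, trailing blanks and optional quotes.
    val=$(sed -n 's/^[[:space:]]*ENABLED=//p' "$file" | tail -n 1 |
          sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' | tr -d "\"'")
    echo "${val:-unset}"
}

# Ask systemd about the timer; "unknown" when systemctl is absent or silent.
# $1 is the systemctl verb: is-enabled or is-active.
motd_news_timer_state() {
    command -v systemctl >/dev/null 2>&1 || { echo unknown; return 0; }
    # Both verbs exit non-zero for "disabled"/"inactive"; not an error here.
    state=$(systemctl "$1" motd-news.timer 2>/dev/null) || true
    echo "${state:-unknown}"
}

# Pure policy check (policy chosen for this example): require an explicit
# ENABLED=0 and a timer that is neither enabled nor currently running.
# Args: ENABLED value, is-enabled state, is-active state. Prints ok or findings.
motd_news_verdict() {
    findings=""
    [ "$1" = "0" ] || findings="ENABLED=$1 (want 0)"
    [ "$2" != "enabled" ] || findings="${findings:+$findings; }timer enabled"
    # "systemctl disable" without --now leaves an already started timer running.
    [ "$3" != "active" ] || findings="${findings:+$findings; }timer active"
    echo "${findings:-ok}"
}

# Combine the checks; the optional argument overrides the defaults-file path.
motd_news_audit() {
    motd_news_verdict "$(motd_news_enabled_value "$1")" \
        "$(motd_news_timer_state is-enabled)" \
        "$(motd_news_timer_state is-active)"
}

echo "motd-news audit: $(motd_news_audit)"
```

Running it again after package upgrades shows whether either setting has been reverted.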

~~~
deith
If Debian offered the same things Ubuntu does, people wouldn't use Ubuntu.
But, alas, they don't.

~~~
folkhack
As someone who's worked heavily with both Debian and Ubuntu - they do.

There are differences between them but I am 100% confident that I can do
everything that an Ubuntu system can, especially if we're talking about
infrastructure.

~~~
panpanna
Try getting Debian working on a laptop. Those "non-free" packages in Ubuntu
make a huge difference.

On servers, not so much difference. Well unless you are using k8s, etcd, juju
and all that jazz

~~~
jlgaddis
> _Try getting Debian working on a laptop. Those "non-free" packages in Ubuntu
> make a huge difference._

I'm typing this on my "workstation" but, sitting here on my desk, there's a
laptop running Debian on either side of it (and there's another one across the
room).

I can't read your mind so I'm not sure what issues you've encountered
attempting to run Debian on a laptop. Apparently I have already figured out
how to workaround them (but I've also been using Debian for ~23 years so
perhaps that has something to do with it).

~~~
panpanna
Getting things like wifi and GPU acceleration working on laptops can be
problematic with pure Debian.

You _can_ do it but on Ubuntu it just works.

------
jlgaddis
See also:

- Bug #1701068, _"motd.ubuntu.com currently shows media item (HBO's Silicon
Valley using Ubuntu)"_ [0]

- Dustin Kirkland's explanation here (on HN) back when this first happened
[1].

---

[0]: [https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/17...](https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1701068)

[1]: [https://news.ycombinator.com/edit?id=14663947](https://news.ycombinator.com/edit?id=14663947)

------
LeoPanthera
People should really expect Ubuntu to call home. This is the same OS that for
a while used to send every filesystem search you did in the default GUI to
Amazon so that it could include ads in the results.

I'm not even saying this is bad. Ubuntu has to fund itself somehow. But people
should really know what they're getting. Ubuntu is not a privacy-focused or
user-centric OS. It's the Windows of the Linux/Unix world.

~~~
rvz
Well now this just makes my "Linux Desktop recommendation guide" even harder
since the whole point of Linux distros these days are supposed to empower the
user to have complete control over his/her computer and OS which is what
Ubuntu was supposed to be doing and is viewed as the ground zero of
introducing Linux to newcomers.

> I'm not even saying this is bad. Ubuntu has to fund itself somehow.

Oh dear. You make as if it's fine for the users to give themselves up to Ubuntu
(and Amazon) to be mined by the distro that does call itself "privacy-
respecting" and "open-source"; some may call such claims misleading in the
light of this now. Due to your defeatist rhetoric in supporting these
overlords, I would have to change the guide to support the devil I know that
can't read my encrypted data, rather than two or eight unknown devils that
can.

At least with macOS it's all "encrypted" and has sane defaults with a
consistent user interface and when some settings are turned off, they stay
completely off.

~~~
swiley
I honestly don't know what advice to give people at this point (they keep
asking me) other than "try building a simple OS with busybox and a kernel so
you can make an informed decision based on your needs."

Literally everything you can't read and understand the code to seems to be
actively hostile, I'm surprised clang doesn't call home.

~~~
sjwright
Don’t you think it’s weird that we let all processes on a computer have
unrestricted access to the network/internet by default? Isn’t that the
problem? Access beyond the computer should be by consent only.

------
userbinator
I am not surprised. It seems like every piece of software with enough people
and commercially-oriented interests will silently phone home now. Whether it's
open-source doesn't matter, they'll still do it regardless of what others
think.

------
Jonnax
Tbh I find the Ubuntu message of the day quite useful.

The "adverts" are benign. Right now it says to check out microk8s and also to
look at livepatch.

But logging in and seeing a summary of: load, disk usage, processes, number of
users logged in, IP addresses, memory usage and swap usage, kernel version and
also last login time and from what IP.

That's pretty useful stuff to me.

Also if you're in the position to care about motd, you're going to have the
skill to change it yourself.

~~~
folkhack
> The "adverts" are benign. Right now it says to check out microk8s and also
> to look at livepatch.

My distro shouldn't be advertising to me. Call me "old school" but this has
_no_ place in Linux. Also, if you're in a position of trusted compute then you
don't want this sort of information leaving your network.

> Also if you're in the position to care about motd, you're going to have the
> skill to change it yourself.

Yeah - and I feel I shouldn't have to add it to my images/recipes/whatever to
fix this. I use Linux for a lot of reasons, and some of the most important
ones are that it doesn't advertise to me and/or leak data. This is telemetry
and it's unacceptable.

~~~
Barrin92
>This is telemetry and it's unacceptable.

I dislike the idea of tying particular political or economic philosophies
together with a tech stack like Linux.

Everyone can distribute linux distributions however they see fit, it's an open
platform and if that includes telemetry by default that's fine too as users
have choice. I don't think anyone uses a Canonical distro and is genuinely
upset or surprised about this particular benign case.

The linux distribution space is truly one of the few places where we can't
make any excuses about market power or lack of choice. There are a billion
distributions, almost all of them free. Users will pick accordingly, and my
sense is that virtually nobody cares about this particular case of telemetry.

~~~
folkhack
> I don't think anyone uses a Canonical distro and is genuinely upset or
> surprised about this particular benign case.

I've had to use Ubuntu in an environment with high security needs/regulations.
I've had to disable this exact feature because leaking OS versions, network
information, etc. externally via that user agent string was unacceptable from
a security standpoint.

I was upset that something as simple as a motd had been retooled to leak data.

> and my sense is that virtually nobody cares about this particular case of
> telemetry.

And in my real-world experience I've been paid to care. When forced to work
with Ubuntu (which is _everywhere_ these days) I have to "rein it in" with
custom images/scripts/etc.

> I dislike the idea of tying particular political or economic philosophies
> together with a tech stack like Linux.

This isn't "political or economic philosophies" this is security 101. Leaking
data like my OS version, IP addresses, when admins are doing their work, etc
_to the public internet_ is a hard "no" for anyone who's operating in any
semblance of "best practices".

~~~
Barrin92
not doubting your experiences but just out of interest if you can tell, what
security-relevant sector uses stock ubuntu and exposes themselves to the
internet like this? I've never seen a setup like that before.

~~~
folkhack
PCI environment for a household name ecommerce application with millions of
users.

Also we didn't use stock Ubuntu - I/we had to get it to not phone-home... it
was just extra layers of "we shouldn't have to do this" in regards to managing
the OS.

I left the company when it was apparent that "security culture" were just
buzzwords they would repeat in meetings to make themselves feel better vs. an
actual core competency. They had more resources assigned to migrating our
WordPress blog to K8s than they did for the credit-card handling
infrastructure.

Honestly Ubuntu was one of the least of my worries, but after the experience
of getting it to "shut up" and stop phoning home I made the decision to never
recommend it moving forward as a security best practice.

------
aritmo
I remember seeing this on twitter some time ago. It was discussed a lot.

edit: google found this article
[https://lwn.net/Articles/726902/](https://lwn.net/Articles/726902/)

------
quicklime
I've never seen the motd come up on my laptop. When I open up a GNOME
Terminal, it doesn't print the motd by default. I've only seen it when I ssh
into another machine, or log into a console. If this is supposed to be phoning
home for analytics purposes, isn't it missing a big chunk of data?

Also, wouldn't apt be a much better source of analytics data? Yes, there are
apt mirrors which aren't controlled by Canonical, but most people would be
hitting ftp.{countrycode}.ubuntu.com, or at the very least be downloading
[http://mirrors.ubuntu.com/mirrors.txt](http://mirrors.ubuntu.com/mirrors.txt).

~~~
JdeBP
You don't correctly understand when the script is being run.

* [https://git.launchpad.net/ubuntu/+source/base-files/tree/deb...](https://git.launchpad.net/ubuntu/+source/base-files/tree/debian/motd-news.timer)

* [https://git.launchpad.net/ubuntu/+source/base-files/tree/deb...](https://git.launchpad.net/ubuntu/+source/base-files/tree/debian/motd-news.service)

------
debiandev
And this is why Debian exists.

When packaging we are required to disable privacy harming "features".

~~~
whalesalad
I’ve returned to vanilla Debian as of late and it’s refreshing. My gripes are
the guided installer always insisting I need a swap partition and no sudo out
of the box, but those are easy enough to overcome.

It’s nice to see only a handful of processes running on a new setup.

~~~
rollcat
You almost certainly do want swap (in the 99.9% case).

I had a better / more elaborate explanation bookmarked somewhere but can't
find it now, the tldr is a "modern" OS (past ~2-3 decades) wants the freedom
to manage anonymous (malloc) and named (mmio) memory between physical RAM and
disk devices. Disabling swap means the OS must always keep the anonymous pages
in physical RAM, which negatively impacts any IO-bound workload (can't cache)
and, ironically, puts more pressure on the disk.

So unless you have an extremely specific and finely tuned use-case with lots
of benchmark data, the OS will almost always make a better call.

~~~
jpwgarrison
You do probably want swap, but the comment you are replying to is talking
about a swap _partition_ and that is not the only way to do swap. Using a file
instead makes it easier to change the size of your swap, some people prefer
that.

~~~
rollcat
Again, what about sticking to a sensible default that covers the 99.9% case?
The installer is hinting you to do the right thing (to create _some_ swap),
even if it doesn't provide all the possible myriad options. Swap files vs
dedicated partitions have different trade-offs, if you start going that route
it's easy to start blaming the installer for having less power/flexibility
than invoking debootstrap directly.

~~~
int_19h
Swap file _is_ a more sensible default in this day and age, at least for the
desktop.

------
jandeboevrie
I once wrote on how to disable parts of the ubuntu motd:
[https://raymii.org/s/tutorials/Disable_dynamic_motd_and_motd...](https://raymii.org/s/tutorials/Disable_dynamic_motd_and_motd_news_spam_on_Ubuntu_18.04.html)
- it's way more complicated than it should be IMHO.

~~~
bboozzoo
The fuss seems to be about motd phoning home. Disabling it is trivial, as you
noted in your blog post.

The remaining bits likely come from Debian. If you believe it's a bug, have
you tried reporting one?

------
sigio
These are the kinds of packages that get uninstalled immediately, and then
configured in my config-management to remove on sight. Debian luckily doesn't
do crap like this.

~~~
jlgaddis
I mentioned it in another comment but this functionality is included with the
"base-files" package:

      $ sudo apt remove base-files
      ...
      WARNING: The following essential packages will be removed.
      This should NOT be done unless you know exactly what you are doing!
        base-files bash
      ...
      You are about to do something potentially harmful.
      To continue type in the phrase 'Yes, do as I say!'
       ?]

Have fun with your broken system after removing that!

The best you can do is disable it (and hope it isn't silently re-enabled
later):

      $ sudo systemctl disable motd-news.timer

~~~
panpanna
Please open a bug with Canonical asking for motd to be moved to its own
package.

~~~
JdeBP
Like this unfixed one from 2018, asking that removing execute permission from
the script disable the attempts to run it, do you mean?

* [https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/18...](https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1803601)

------
idclip
Sometimes, I'm not sure where the internet and linux are headed anymore.

~~~
ailideex
Ubuntu != Linux && Ubuntu != TheInternet

------
3xblah
HN commenters sometimes ask why bother with DNS-based ad blocking when one can
just install a browser extension.

This is why.

There seems to be one assumption that all online advertisers and telemetry
implementers make. They assume the user is not in full control of name
resolution. ("Full control" as used here means relying on whitelists not third
party blocklists.) In this case, they assume motd.ubuntu.com will be resolved
without any user input. "Without any user input" here means the user never
looked at the domain "motd.ubuntu.com" and made a decision whether it was
needed or not.

~~~
tedunangst
How many people have motd in their ad block lists?

------
rs23296008n1
I'm assuming Canonical won't remove it due to it "increasing customer
synergies" or similar.

Perhaps we make a package that patches this out? I'm thinking of something
that detects this file and replaces it rather than a manual process. That way
it gets fixed whenever "base-files" or whatever gets its updates. Make it a
depend on base or similar.

Somebody with a sharper set of teeth and specialised dorsal fin might want to
do an audit for similar shenanigans. Canonical have "prior art" for this kind
of thing. I doubt this is the only addition.

------
indigodaddy
When did Ubuntu start doing that with their motd?

~~~
tomcooks
Since version 17.04

"In Ubuntu 17.04, we added /etc/update-motd.d/50-motd-news"[0]

[0]: [https://www.reddit.com/r/linux/comments/6k7a86/comment/djkd8...](https://www.reddit.com/r/linux/comments/6k7a86/comment/djkd8oy)

~~~
indigodaddy
Nice find, thanks. So, a fair while.

------
tkuraku
This is perhaps an unpopular opinion, but I wish Canonical would just charge a
small amount to download Ubuntu. I don't pay money for Ubuntu, everyone I know
doesn't pay for Ubuntu. Nothing is free. Individuals and corporations need to
make money. I just hate that ads are the default instead of charging me a few
dollars for useful software.

~~~
userbinator
I'm not sure if this data they're collecting (if they even are storing it
long-term) is even being sold.

Like the other commercial Linux distros, Canonical profits from support.

Also, now it seems that even when you pay for the product you're not
guaranteed to have something that doesn't include spyware. Windows 10 is a
great example of this.

~~~
tkuraku
I completely agree. It is even worse when you pay for a product and still get
ads.

------
deft
Every time I update Ubuntu the MOTD gets readded. No matter what options I pick
it readds a file in the motd folder. Stupid.

~~~
saghm
Obviously this isn't something you should have to do, but maybe
removing the write permissions from the directory will do the trick?

------
phaemon
A simple straightforward snippet of shell. Is that supposed to be bad?

~~~
idclip
It depends, what do you define a shell’s role to be.

To us purists, it shouldn't phone home for a motd.

~~~
folkhack
This isn't even an idealist "purists" thing - this is a "I don't want my
distro leaking telemetry" thing.

------
a-dub
my motd shouldn't tell canonical every time i log in...

looks like it never hits the cache unless the curl fails.

~~~
justinsaccount
it doesn't.

Right above that code is this block

      # If we're not forcing an update, and we have a cached motd-news file,
      # then just print it and exit as quickly as possible, for login performance.
      # Note that systemd should keep this cache file up to date, asynchronously
      if [ "$FORCED" != "1" ]; then
              if [ -r $CACHE ]; then
                      echo
                      safe_print $CACHE
              else
                      : > $CACHE
              fi
              exit 0
      fi

None of that code in the tweet actually runs at login.

~~~
jlgaddis
> _None of that code in the tweet actually runs at login._

Except when there was a bug that caused it to do just that (and also caused a
five second delay when logging in).

~~~
justinsaccount
... 2 and a half years ago.

Can you provide links to all software you have ever written so I can complain
about bugs that existed in 2017?

~~~
jlgaddis
I suppose I can, if you really want me to, but:

1.) no software I've ever written is installed and enabled, by default, on
pretty much every Ubuntu instance created in the last ~2.5 years (whether the
"owners" of those instances want it or not),

2.) I certainly never claimed to write 100% bug-free code (in fact, I will
freely admit that I absolutely _DO NOT_ write bug-free code!), and

3.) this discussion really isn't about me or any code that I have written.

(If you're the one that wrote whatever caused the bug and my comment caused
your feelings to get hurt, sorry, but software bugs are a fact of life.)

------
sw3d
Does it mean it's no longer safe to update Ubuntu, for the risk of getting some
spyware tools?

~~~
ziftface
Ubuntu always had spyware though

------
egdod
Ew, you got some Windows 10 in your Linux.

------
reanimus
You know you can configure your motd however you like, right?

~~~
idclip
It's an operating system, not a nuclear plant.

*sane defaults used to be a thing.

I don't want to worry about stuff I don't know about making connections I didn't
say it should.

Configure one thing, sure is easy. You think they’ll stop at one?

~~~
reanimus
Comparing some annoying adverts to a nuclear power plant operation system
failing is... Something.

If it was just about the ads, I'd agree. But comparing it to BSD is silly. BSD
doesn't have scriptable motd and I'm supposed to act like that's obviously
better? Eh.

~~~
idclip
I am partially responsible for at least 200 individuals, let alone those who
depend on them. Now if you think the digital safety of 200 isn't comparable to
the digital safety of say, 200,000, well. “It is with the first link that a
chain is forged”.

Look, nothing against you, you don't seem to have a systems exposure I do. I'm
not a fullstack dev, maybe you are and it's fair to just see your own machine
and expect everything else to work.

Car builders and bridge builders see different problems to solve, and see
risks differently too.

~~~
reanimus
Thanks for the condescension.

I'm saying the modes of failure and effects are different. Digital safety and
protecting people's lives are two different things. Both important, but
different. But even besides that, you ought to be using a different tool for
that.

Is it fine to have the server I use for my personal site and projects use a
dynamic motd, perhaps even reach out to the network? Yeah. It can be useful.
Should a CA signing machine do that? Obviously not.

I'm saying that acting like one is unambiguously better for being less
featureful is wrong. That's all.

~~~
idclip
I reread what I wrote and it can come off as condescending, though it wasn't
meant that way. What I meant to actually say is that my attitude is specifically
forged by my experience.

What you think is fine, I don't think is fine, because we see the use case
from two different perspectives.

You also see benevolent usage, I see abuse potential. System security and
usability are always at each other’s neck in a never ending act of balancing.

------
dmurray
I read this as BBC vs Ubuntu motd

[https://en.m.wikipedia.org/wiki/Match_of_the_Day](https://en.m.wikipedia.org/wiki/Match_of_the_Day)

------
throwGuardian
The number of people switching to BSD because of this is exactly 0.

Further, as an avid user of Ubuntu, who reaps the benefits of millions of work
hours of Debian &/or Ubuntu employees, I'm ok with advertising whose source
code I can audit, and modify even.

And to think that the majority of dissenters are commenting from their closed
source Macs & iPhones, or their equivalent commercial competitors, on Google
funded browsers tracking their every click, is all a little ironic

~~~
johnklos
And you know this number is zero why?

This is just yet another quite literal example of how many GNU/Linux distros
are becoming more like Windows - they do all sorts of things now that they
were never asked to do, and it's up to us to fix things after a clean install.

~~~
big_chungus
> many GNU/Linux distros are becoming more like Windows

And others aren't. Though I disagreed with the SystemD move, I've quite
enjoyed arch for years. There are also some excellent other options, for
instance, Alpine is a Musl/Busybox/Linux distro that works great on old
machines. I think most Linux users will move to a different Linux before
moving to BSD for comfort reasons.

