Arun Raghavan wrote:
>> We could use such an identifier to identify repeated submissions
>> (users should send in more up to date again later) and handle
>> some kind of "database pollution" attacks.  We wouldn't catch
>> attackers that change their MAC before submission.
> 
> Not sure how you can deal with this. How does Smolt or Debian's thing
> deal with it?

A few words about how smolt is handling this:

On first run or at installation time of smolt a machine ID is
generated by reading from

  /proc/sys/kernel/random/uuid

This ID is written to

  /etc/sysconfig/hw-uuid

and used for any later profile submission.  A profile is the
collection of data to be submitted.  To enable data gathering
I had to start two deamons: dbus and hald.  The data seems
to be gathered from specific nodes in the file system
from Python code directly.  On successful submission
the server hands out an "admin password" which enables you to
fine tune details online like "device foo worked (a) out of the
box (b) required additional config (c) ..." and so on for each
device from the list you submitted.  It seems that all communication
is done over HTTP in an unencrypted manner.

There are three programs any user can run:

 - smoltSendProfile
 - smoltDeleteProfile
 - smoltGui

So you can also revoke your data from the official stats.
The GUI frontend did not tell the admin password after submission,
I guess upstream forgot showing it.



Sebastian