Joomla 3.5, one pull request that I like changed.

Josh Weiss

Nov 7, 2015, 12:36:24 PM
to Joomla! CMS Development
We are sometimes a bit famous for being late to the party, but I did not realize this feature made it past and I think it should be appropriately discussed. Admittedly I did not realize this feature got past me as I have been busy for the last few months, however I do feel it did not reach people as effectively for those that do not check GitHub. Yes I know there was a pre-beta announcement that had this pull request listed there, and yes there is today's beta announcement. Regardless it is an important issue that I feel others should be able to weigh in on in a different communicative manner if they so choose, especially as this mailing list does get some traction.

https://github.com/joomla/joomla-cms/pull/8291

Essentially this is a statistic feature for the Joomla project. This is very similar to the opt-in features Microsoft, Apple, Google, etc. ask you during their install process if you would like to enable this feature so they can gather anonymized information that will help their product and services. This feature is actually enabled by Joomla during the install/upgrade process with no choice until AFTER the procedure. Although a post-message install gives a warning it is enabled. The whole premise of this being enabled by default is just wrong in my honest opinion, although I do feel it is an important feature to have still.

Simple truths of the issue
  1. These features (although anonymized) do pose a privacy and security relationship between Joomla and administrators.
    1. Yes I know there really is nothing meaningful in the data now. Others may not see it that way.
    2. Updates might slip by that may introduce something others do not want while this feature is turned on.
    3. Is there an official legal statement of the type of data collected by Joomla and how it is used?
  2. No other software vendor usually has these features enabled by default.
    1. Example given: Apple asks for this during install, Microsoft also asks for this during install.
    2. Software vendors usually have a posted legal statement about the information they are collecting.
  3. The use of a post install message will go "under the radar" for those that are not true administrators and are only managing their Joomla installs.
    1. Many people may not understand the implications of having this feature enabled.
    2. Contractors that upgrade sites may not pay attention to these types of features to warn a client effectively due to the opt-out nature.
    3. Client manager plugins for automated software that run CLI like actions to perform auto tasks like upgrades would allow preventative warning.
    4. Automated hosts that auto-upgrade software for you may not consider this an issue like Joomla users would.
  4. Opt-out features are generally an invasive practice that does not consider choice.
    1. Yes there is a choice for after the matter, that is neither morally fair nor considerate for those Joomla users.
    2. Opt-in features are a voluntary process that are considerate of the environment the software is used in.

Simple fixes (albeit not suggesting easy implementation)

  1. Allow during installation of a Joomla install to have a checkbox/flag to enable this plugin.
  2. During upgrade a post install message that gives you notice to this feature


-Josh Weiss (aka @coder4life)

George Wilson

Nov 7, 2015, 12:46:38 PM
to Joomla! CMS Development
Sorry I'm in a pub with some friends so apologies if this is a bit abrupt or something

You mention some examples but Wordpress and Drupal the two closest competitors enable this by default with no option to disable in Wordpress (and I think Drupal too - although not 100% on that). Therefore having this as a disableable plugin seems actually like we are still in a better place than our competitors

We got a lot of slack from the community over our handling of Bcrypt and the subsequent minimum php version being raised to 5.3.10 - to make informed decisions like this we need data. Having a small subset of data available (because this is disabled by default) does not allow us to make informed decisions when this kind of stuff occurs.

I understand fully that privacy is an issue which is why we are allowing you to disable this - unlike Wordpress and are including a post install message to inform users of this fact.

I don't expect to alleviate your concerns (I watched this debate play out in Wordpress) but hopefully this explains why we have taken the steps we have.

Kind Regards,
George

Michael Babker

Nov 7, 2015, 12:47:17 PM
to joomla-...@googlegroups.com
"No other software vendor usually has these features enabled by default."

For reference, WordPress does and does not have a way to opt-out of sending statistics (it is tied to their update check system).  From my research, a similar statement is true with Drupal if you're using the Update Status module.

While I can see the comparison you're making to other vendors, IMO that isn't a totally fair comparison to make given the different markets and distribution platforms/models of those vendors.

Lastly, options in our installer are not enough.  Unless third party platforms (Bitnami, Softaculous, etc.) also implement those options, then they are useless to us.

--
You received this message because you are subscribed to the Google Groups "Joomla! CMS Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to joomla-dev-cm...@googlegroups.com.
To post to this group, send email to joomla-...@googlegroups.com.
Visit this group at http://groups.google.com/group/joomla-dev-cms.
For more options, visit https://groups.google.com/d/optout.

Josh Weiss

Nov 7, 2015, 1:06:06 PM
to Joomla! CMS Development
Hello George. Yeah I get why it was done. I am a developer myself and have to evaluate this type of feedback all the time. So I agree with the aspect of the data being needed. For me it comes down to aspect of choice and when that choice is presented.

Thanks for the correction Michael, I did miss some of our "competitors" and had a feeling I missed that aspect in consideration to what WordPress and Drupal do. I also agree with you that third-party platforms that have a hand in the install process would need to take this into consideration in their own install and management processes, which does make this an issue when Joomla is trying to get some feedback when making informed decisions. Still, my statement still relates to this thought quoted from a well known movie, although modified for this purpose: "We are so preoccupied with whether or not we could that we didn't stop to think if we should". Essentially this quotes some moral reasoning external to those involved internally in those discussions.

George Wilson

Nov 7, 2015, 1:11:47 PM
to Joomla! CMS Development
I think the Bcrypt example I have explains why this is necessary. On top of that as we are currently building Joomla 4 knowing what PHP and MySQL versions our users are using will help us with deciding what minimum requirements should be for J4. So for all those reasons yes I think we should.

Kind Regards,
George

Bakual

Nov 7, 2015, 2:28:18 PM
to Joomla! CMS Development
Additionally to what is already said, unlike some of the companies who collect data (much more detailed ones!), we actually give the data back for you to see: https://developer.joomla.org/about/stats.html
This is not only helpful for Joomla core, it will also help 3rd party extension developers to judge which platforms they should support.

kisswebdesign

Nov 8, 2015, 10:38:01 AM
to Joomla! CMS Development
Enabled by default?
Does this mean that data is sent before I have the option to disable?
In which case it is not an opt-out at all.

This may be a good thing for the project - lots of data, yum, we can learn lots - and maybe for the user in the long term. But it is not, in my view, a good thing to be doing without explicit permission.

Because we want the data, and we believe it will be useful, is no reason to auto collect data from users.
Data collection should always be anonymous and with informed consent.
Look at Windows 10 and its data grabbing (and the tech community railing against that), is this really that different?
I would have preferred a post install message that has the data listed (with each piece optional, tick boxes, lots of tick boxes) and a "send to Joomla! to help us improve" button.
The same happens after each update - it is opt in, the user sees the data being sent, can opt out of any individual bit, and then can make a fully informed decision.
There could also be an option to auto-send after each update - but it should be opt-in.
Maybe a message
Don't want to see this again, support Joomla! by auto-sending this data after every update, or
Don't want to see this again, opt out of all data collection, or
Ask me every time [ticked by default]
Three tick boxes, or radio buttons.

I am totally against any auto-collection of data without consent. Saying you can opt-out after it is sent is a bit disingenuous (dishonest even). Will that opt-out send a message to the data collection server and delete the data it sent earlier, before the chance to say no? I doubt it.

Opt in is always the best for consumers - if your proposal (offering/product/email) is adding value then people will understand and opt in. If people don't, then whatever you are doing isn't really wanted.

The argument that "others do it, and they collect more, and don't share it" is a straw man. Just because others do it does not make it right, there are many things that others do that I don't agree with and that is why I chose Joomla - but if Joomla starts doing those same things, well...


kisswebdesign

Nov 8, 2015, 11:13:02 AM
to Joomla! CMS Development

Cross posting from the github PR https://github.com/joomla/joomla-cms/pull/8291


Once again, just because others do it is not a good enough reason to copy them.
Project_desire !> User_choice


As for the Microsoft reference - they collect shit loads more, but is the negativity directed against the quantity they collect or the fact that they are collecting it in the first place. Answer, because they are collecting it.


Wordpress collect data like this - which is one of the reasons I don't use it
Drupal collect data like this - which is one of the reasons I don't use it

I will be checking how Drupal8 does this, which is very modular, and see if this has changed.


Would it really be so hard to make the post install message the opt-in question?


A post install message is already generated, so why not use it to get consent?


Something like


To help the Joomla! project we would like to collect the following information about your install.
[x] CMS version: 1.5
[x] Database type: ICL ME29
[x] Database version: 0.0.1
[x] Server OS: VAX/VMS


This will help us improve Joomla! in many ways. The stats are always visible at https://developer.joomla.org/about/stats.html and you can find out more about how we use this information {here}


[ ] Don't want to see this again, support Joomla! by auto-sending this data after every update

[ ] Don't want to see this again, opt out of all data collection
[x] Ask me every time


{submit button}


kisswebdesign

Nov 8, 2015, 11:46:45 AM
to Joomla! CMS Development
Another (partial) Cross posting from the github PR https://github.com/joomla/joomla-cms/pull/8291

Implementing it as part of the post install message will not be affected by 3rd party installers (like it would if the data collection was an option during install), and would give people the choice.


If people do not consent to sharing the data, then despite the desire of the project, the users are not comfortable with it. This is their data, their information, they own it and can choose to share or not.


Perhaps a compromise, whereby the consent form is displayed as a post install message but if it is not interacted with within (for example) 48hours of the install/update the data is sent. This can be made clear in the message.


This would then catch those who can't be bothered to read and review the messages, those who simply don't care about it (one way or the other), as well as those of us who prefer to have a choice.


Webdongle Elgnodbew

Nov 8, 2015, 12:07:41 PM
to Joomla! CMS Development
One of the reasons I don't like WP is that they collect data without explicit consent ... now Joomla does it.  imho it should be selectable/de-selectable during Joomla install.

Michael Babker

Nov 8, 2015, 12:12:39 PM
to joomla-...@googlegroups.com
Repeating what's been said numerous times.  An install option is not an option.  This assumes every Joomla user installs Joomla with its provided installation application.  This is not the case for users who use Bitnami, Softaculous, or other platforms.  Mandating an install option cannot be relied upon for any actions at the user level.


Webdongle Elgnodbew

Nov 8, 2015, 12:38:37 PM
to Joomla! CMS Development
Hi Michael


"Repeating what's been said numerous times.  An install option is not an option"
If it is not possible to have it as an option during Joomla install then is it ethical to 'force' the choice of installing what some might consider spyware ?  Or at least notify them that it is being installed rather than telling them after the event ?


"Mandating an install option cannot be relied upon for any actions at the user level."
 No but it gives the user a choice of supplying their server setup without the decision being made for them.


The plugin can be disabled yes and there is a Post install message yes ... but information about it is not clearly displayed (only a link to Post install messages are displayed).  The point is that it is installed without explicit consent or prior knowledge.

Michael Babker

Nov 8, 2015, 12:53:17 PM
to joomla-...@googlegroups.com
Honest question.  If it weren't mentioned in this thread or elsewhere in these discussions, how many folks would be aware of Drupal or WordPress' collection of similar data in a way that isn't optional (if you're allowing your site to phone home and fetch update data, they are scraping your server metrics)?

Given what Joomla has available today and the known limitations with working with third party platforms, every effort is being made up front to say the data is being sent.  Yes, it is an opt-out system as implemented.  From a data gathering and analysis standpoint, this is going to give the project the most data with regard to its userbase and the platforms they use for hosting.  As an opt-in platform, if decisions are based solely on the data that is received from say 10-15 thousand sites instead of the several hundred thousand that we assume are running 3.x given download numbers, that data is basically useless (does the data of less than 10% of the population represent everyone fairly?).

Point blank, Joomla does not have a mechanism to prompt users in any manner beyond the post-install message system with a static text message or a system that could track time from initial install (feeding off the 48 hour grace period idea).  The message system does not allow the injection of dynamic data (so no you can't see a message that says "we will report your site is running Joomla 3.5.0 on PHP 5.6.15 with MySQL 5.6.27").  The only action that can be taken with the post-install is to enable/disable the plugin.  If this is unacceptable, the only choices are to either stop trying to gather data (which just makes Joomla continue looking stupid because it can't make data driven decisions if it doesn't have the data) or to have users live with it.  There are extensions in the ecosystem today collecting this data in a non-optional manner, there are other CMS' in a similar market space doing the same.  Have you boycotted those the same way you are raising concerns with Joomla trying to do something similar?

Paul Orwig

Nov 8, 2015, 1:22:27 PM
to joomla-...@googlegroups.com
I support this new feature.

The important points for me are (1) this data will help improve Joomla in the future, and (2) there don't seem to be many real world complaints from WordPress or Drupal integrators or end users about similar practice they take.

Best,

paul

Webdongle Elgnodbew

Nov 8, 2015, 1:27:53 PM
to Joomla! CMS Development
I was aware that WP did but I doubt how many others did.  But that is not the point. 

If during the Joomla install there was a clear message (that was part of the text on the page) that said "we will report your site is running Joomla 3.5.0 on PHP 5.6.15 with MySQL 5.6.27"



"Have you boycotted those the same way you are raising concerns with Joomla trying to do something similar?"
Already said that it's one of the reasons I don't use WP

Yes I understand the usefulness of the plugin
Yes I understand that 'hiding' the message in the Post Install Message and not as part of the install screen would put off a lot of potential Joomla users
No I don't understand why a If 'not selected' can't be placed in the install script ... however I can understand that if it was done the metrics would be next to useless
but
I am uncomfortable with no user choice or notification until after the event.

Perhaps a Poll of Joomla users would be a good idea before 3.0 stable is released ?

kisswebdesign

Nov 8, 2015, 1:43:09 PM
to Joomla! CMS Development


On Sunday, 8 November 2015 17:53:17 UTC, Michael Babker wrote:
Honest question.  If it weren't mentioned in this thread or elsewhere in these discussions, how many folks would be aware of Drupal or WordPress' collection of similar data in a way that isn't optional (if you're allowing your site to phone home and fetch update data, they are scraping your server metrics)?

I did. It's one of the reasons I don't use them
 

Given what Joomla has available today and the known limitations with working with third party platforms, every effort is being made up front to say the data is being sent.  Yes, it is an opt-out system as implemented. 

The data is sent before you can opt-out, so that's not strictly true.
 
From a data gathering and analysis standpoint, this is going to give the project the most data with regard to its userbase and the platforms they use for hosting.  As an opt-in platform, if decisions are based solely on the data that is received from say 10-15 thousand sites instead of the several hundred thousand that we assume are running 3.x given download numbers, that data is basically useless (does the data of less than 10% of the population represent everyone fairly?).

The project does not have the right to this data. It wants the data, it can use the data to make decisions, it may help current and future users. BUT if users don't want to share that data with the project, why should the project just take it.
It's for your own good. You'll thank us one day.
If people don't opt-in then the proposal is not valuable to them, and their choice should be respected.
 

Point blank, Joomla does not have a mechanism to prompt users in any manner beyond the post-install message system with a static text message or a system that could track time from initial install (feeding off the 48 hour grace period idea).  The message system does not allow the injection of dynamic data (so no you can't see a message that says "we will report your site is running Joomla 3.5.0 on PHP 5.6.15 with MySQL 5.6.27").  The only action that can be taken with the post-install is to enable/disable the plugin.  If this is unacceptable, the only choices are to either stop trying to gather data (which just makes Joomla continue looking stupid because it can't make data driven decisions if it doesn't have the data) or to have users live with it.  There are extensions in the ecosystem today collecting this data in a non-optional manner, there are other CMS' in a similar market space doing the same.  Have you boycotted those the same way you are raising concerns with Joomla trying to do something similar?

Stop trying to gather data until it can be done with fully informed consent. Or as a compromise, allow a delay (eg 48 hours) between the install and the sending of the data to allow people who care the opportunity to really opt-out. And if they opt-out don't send the install data.
I don't like this option, but it is better than what is currently proposed.

Yes, I have (and continue to) boycotted those - and raised concerns with them, argued these same points (my win rate is poor, but not zero). If you don't give me the opportunity to make an informed choice about the data collection then I don't use your software.
I use VPNs, I use Tor, I obfuscate meta-data, I lie on sign-up forms, I have separate email accounts for different services (unless I choose to use a common one), I use ad and tracking blockers, I take part in Anonymous marches. I know I am towards the more extreme end of the curve, and that for most people I am a bit strange, a bit paranoid, but I am also the one who will stick their head above the parapet and say something if I'm not happy.

This whole thing for me is about consent, the freedom to choose, make an informed decision.

Would I share the data that is currently being taken?
Yes, I would, if I were asked and told what the data is and how it would be used.
Would I install something that takes data without asking, without explaining what and why?
No, I would not (and do not).

If data gathering without informed consent takes place, what is to stop a little bit more being taken next time?
It would be really useful to know the average number of articles, and the distribution curve, on these sites. We can work out all sorts of things from that.
It would be good to see how many extensions people install.
It would be good to see how many people disable/enable which features.
It would be good to see...
and so on.

Yes, people can read the source code - if they understand it. They can read the PR details. They can read the release notes (if the changes are listed there). That way they will know that by installing it they consent. Make the choice that way.
But people don't know what they don't know, so how would they know to look to see if there is a data collection practice?

Saying to people, we've taken this data but you can stop us doing it again next time, is not the right way to do it.


Michael Babker

Nov 8, 2015, 1:44:46 PM
to joomla-...@googlegroups.com
It's not hiding the message in post-install.  That is legitimately the ONLY place you can consistently place such a message because of the third party systems.  Or are you saying that Joomla should instruct Bitnami and others to stop producing installation packages for Joomla without providing all installation options and messages that the installation application uses, because there are a fair number of users using those platforms to install Joomla and not using your native installer.  The Softaculous installer doesn't even give users the option of setting the site offline, sample data, or setting up a multi-lingual installation; all configurable items in the Joomla installer.

My argument here right now is that anything you add to the install application isn't reliable for making system wide decisions.  So you MUST take these actions within the administrator application.  If the code is configured in a way that does not prompt users via a post-install message (I am talking new installs and upgrades now) and just assumes that the choice will be made during the initial install, you are ignoring all existing sites which will upgrade to 3.5 or users who install Joomla by way of a third party platform.

Sergio Manzi

Nov 8, 2015, 1:51:04 PM
to joomla-...@googlegroups.com
Can't we make that the choice (modal or whatever...) is made at first administrator's back-end login after install/upgrade?

Although I understand the value of collecting such metrics, I too am not happy with it being made without informed consent (and it probably breaks some EU law).

On 2015-11-08 19:44, Michael Babker wrote:
...  If the code is configured in a way that does not prompt users via a post-install message (I am talking new installs and upgrades now) and just assumes that the choice will be made during the initial install, you are ignoring all existing sites which will upgrade to 3.5 or users who install Joomla by way of a third party platform.


Bakual

Nov 8, 2015, 1:55:42 PM
to Joomla! CMS Development
Currently, there is no way around without at least sending it once.
That's why there is a PR to change that so it only is sent from the cPanel. This way you could go directly to the plugin manager and disable the plugin without it sending any data.
That's a compromise I could see us implementing.

For new installations, you can change the SQL if you are that concerned about sending that data.

kisswebdesign

Nov 8, 2015, 1:58:15 PM
to Joomla! CMS Development


On Sunday, 8 November 2015 18:22:27 UTC, Paul Orwig wrote:
I support this new feature.

The important points for me are (1) this data will help improve Joomla in the future, and (2) there don't seem to be many real world complaints from WordPress or Drupal integrators or end users about similar practice they take.


1. Only if the data is used; used in the right way; is understood from a statistical standpoint and put into context.
For example, say only 5% of installs use a certain OS and DB, you could say they are statistically less important than the combination that 80% of installs use. However, what if that 5% is actually the power users, the really big high profile installs, big names that can be used in marketing Joomla!?

2. I seem to remember a similar discussion taking place in WordPress when they introduced it. WP is different from Joomla, they have a benevolent dictator that can make unilateral decisions and I think that is what basically happened. A "Thanks for all your input, but we are doing it anyway." top down enforced decision.
How many WP or Drupal integrators or end users know about it?
How many would consent if they knew?
How many people chose not to use WP or Drupal because of it (and are now using Joomla!)?

Just because there are no currently active discussions does not mean people know about it and are happy (or vice versa, or any combination thereof).
Maybe they are unhappy about it and hack the core functionality.

 
Best,

paul

Finally, and once again, just because others do it does not make it right, or mean that Joomla! should follow them.

kisswebdesign

Nov 8, 2015, 2:09:37 PM
to Joomla! CMS Development


On Sunday, 8 November 2015 18:55:42 UTC, Bakual wrote:
Currently, there is no way around without at least sending it once.

Then I'd say don't send it at all. Back to the drawing board, rethink how to do it that allows for consent before collection.
 
That's why there is a PR to change that so it only is sent from the cPanel. This way you could go directly to the plugin manager and disable the plugin without it sending any data.
That's a compromise I could see us implementing.

That is a good thing, I look forward to seeing it happen. Not the right way round in my view (I am very much from the opt-in crowd), but a compromise I could live with.
 

For new installations, you can change the SQL if you are that concerned about sending that data.

This is not possible for non-technical people, and not something many would want to attempt. There must be a better solution for new installs that preserves the freedom to consent.
 

brian teeman

Nov 8, 2015, 2:25:00 PM
to Joomla! CMS Development
And were you aware that several extremely popular extensions do this as well - no of course you weren't and you didn't care but it did mean that they were able to ensure that they could take advantage of advances in php and mysql.

Webdongle Elgnodbew

Nov 8, 2015, 2:30:48 PM
to Joomla! CMS Development
"It's not hiding the message in post-install.  That is legitimately the ONLY place you can consistently place such a message because of the third party systems.  Or are you saying that Joomla should instruct Bitnami and others to stop producing installation packages for Joomla without providing all installation options and messages that the installation application uses, because there are a fair number of users using those platforms to install Joomla and not using your native installer.  The Softaculous installer doesn't even give users the option of setting the site offline, sample data, or setting up a multi-lingual installation; all configurable items in the Joomla installer."


What 3rd parties do to the original Joomla install is their responsibility ... it is not the responsibility of Joomla.  When a Joomla update fails because of the way the 3rd party alters the install ... do you say "OK we will fix the update" ?  No you don't ... you say "Not Joomla core, not our problem".

Therefore putting a message on one of the screens during the Joomla install is a legitimate place to put it.  Because if a 3rd party alters it then their alteration is not 'Joomla core' !!!

kisswebdesign

Nov 8, 2015, 2:36:55 PM
to Joomla! CMS Development


On Sunday, 8 November 2015 19:25:00 UTC, brian teeman wrote:
And were you aware that several extremely popular extensions do this as well - no of course you weren't and you didn't care but it did mean that they were able to ensure that they could take advantage of advances in php and mysql.

As I said in an earlier post, yes I was aware and I don't use them because of that. My choice. Because I do care about this.

Ask me to share the data, tell me the data you want, let me choose.

Informed consent.

Or as a compromise, allow me the opportunity to opt-out before the data is sent. Ideally it would be show the data being sent, allowing for a more informed decision being made about opting-out.

Webdongle Elgnodbew

Nov 8, 2015, 2:37:58 PM
to Joomla! CMS Development
Hi Brian


"And were you aware that several extremely popular extensions do this as well - no of course you weren't and you didn't care but it did mean that they were able to ensure that they could take advantage of advances in php and mysql."
Were you aware that users trust JED to check for that sort of thing ?




Bakual

Nov 8, 2015, 2:42:21 PM
to Joomla! CMS Development
You can of course also bypass the cPanel right after the installation by using a URL which goes to the plugin manager (administrator/index.php?option=com_plugins) directly after login. The cPanel is just the default landing page when you don't specify anything different.

Bakual

Nov 8, 2015, 2:44:36 PM
to Joomla! CMS Development
Afaik "Calling Home" is allowed in the backend. Many extensions use this to show you for example update notifications.

Paulo Faustino

Nov 8, 2015, 2:48:07 PM
to joomla-...@googlegroups.com

I’m amazed how lightly some people here are talking about fetching users website/server data without their clear consent.

Some of the comments give me the sense of “we’re entitled to it because we know best”.

 

This on a day and age when action is being taken to limit the data giants like FB and Google take from users. Even if, these giants have lately become real transparent/forthcoming about their activities.

Please note that I am well aware that Joomla is doing this in a much smaller scale, but the principle is the same.

Best Regards,

Paulo Faustino


Michael Babker

Nov 8, 2015, 2:48:51 PM
to joomla-...@googlegroups.com
This misses the point entirely.  It also fails to address the other scenarios I've raised.  By only raising the message during the initial installation, you fail to address concerns with users who are updating from previous releases to 3.5.

Would you be OK with the option being defaulted to on and installing Joomla via Softaculous and having your data sent without your being aware the plugin is even there?  Because that is essentially what you are authorizing by placing it in the install app versus a post-install message.

brian teeman

Nov 8, 2015, 2:51:58 PM
to Joomla! CMS Development
You are comparing apples to watermelons.

There is a whole fruit basket of differences between sending your php version and your search history or friend list.

I agree there is a concern about opting out after data has already been sent but please get things into perspective.

Paulo Faustino

Nov 8, 2015, 2:57:35 PM
to joomla-...@googlegroups.com
Exactly the same principle.
You're fetching private data without the consent of the user. There aren’t any layers of complexity to this one, it's really a simple concept.

Placing a post install message after you've already collected a first batch of data is not giving the user the ability to grant consent, and stop saying there's no way around sending the first batch.
Joomla could pretty well wait for the user's answer to that post install message to then send or delete the data it gathered during the install process. This way you don't need to worry about Bitnami, Softaculous or any other auto install.




Best Regards,
Paulo Faustino

www.newjamp.com

Bakual

Nov 8, 2015, 3:09:50 PM
to Joomla! CMS Development
The OS and PHP version is sent on each request to any browser visiting your site. It's not exactly a secret ;)
The Joomla version is simple enough to find out as well.


Paulo Faustino

Nov 8, 2015, 3:23:18 PM
to joomla-...@googlegroups.com

“The Joomla version is simple enough to find out as well.”

That’s not a justification nor an excuse.

What you’re really saying is, “Let’s hope the users miss this, but if they find out and complain, we can always tell them that they are able to disable the feature”

It really doesn’t shine well upon Joomla!.

A spammer could say “You can always ask me to get out of my list”

Any other software publisher could say “Hey, you can stop me from gathering data from your computer, so I’ll catch the data until you tell me not to”

You see, your “point of view” can be used by anyone. But the bottom line is you’re fetching data without the user’s consent. I’m not sure, but I believe it’s even illegal in EU.

Best Regards,

Paulo Faustino

 


kisswebdesign

Nov 8, 2015, 3:26:56 PM
to Joomla! CMS Development


On Sunday, 8 November 2015 20:09:50 UTC, Bakual wrote:
> The OS and PHP version is sent on each request to any browser visiting your site. It's not exactly a secret ;)
> The Joomla version is simple enough to find out as well.

Both OS and PHP version info can be manipulated, obfuscated and the true values hidden. I think this info should not be shared, it makes it easy for a bad actor to direct specific attacks against the server - but I'm paranoid!

Joomla version, not so much, to an interested party you pretty much can't hide it.

So that leaves the database type and version. This is another piece of information that can communicate an attack vector to a bad actor, and not suitable to share publicly.

Even publishing the summary data, showing the % of sites on each PHP version, DB, etc. has the possibility to create an attack pattern that is based on probability of server configuration of Joomla! sites. But I'm paranoid!

Webdongle Elgnodbew

Nov 8, 2015, 3:34:18 PM
to Joomla! CMS Development
"The OS and PHP version is sent on each request to any browser visiting your site. It's not exactly a secret ;)"
That is your strongest 'argument' yet.  It is the only defense of using the plugin (without consent) that has been put so far.



Sergio Manzi

Nov 8, 2015, 4:47:23 PM
to joomla-...@googlegroups.com
Really?

Can you tell me which OS and PHP version are sent in HTTP headers by the http://nuovaicona.org Joomla site?

Niels Braczek

Nov 8, 2015, 6:12:59 PM
to joomla-...@googlegroups.com
On 08.11.2015 at 21:23, Paulo Faustino wrote:

> But the bottom line is you’re fetching data without the user’s consent. I’m not sure, but I believe it’s even illegal in EU.

Right, it is. At least in Germany. Opt-in is the only legal option.

Regards,
Niels

--
| New Stars on the Horizon: GreenCape · nibralab · laJoom |
| http://www.bsds.de · BSDS Braczek Software- und DatenSysteme |
| Webdesign · Webhosting · e-Commerce · Joomla! Content Management |
------------------------------------------------------------------

George Wilson

Nov 8, 2015, 6:20:19 PM
to Joomla! CMS Development, nbra...@bsds.de
So are you telling me that WordPress is illegal in Germany?

Paulo Faustino

Nov 8, 2015, 6:30:18 PM
to joomla-...@googlegroups.com, nbra...@bsds.de

 

 

 

 

Best Regards,

Paulo Faustino

 

www.newjamp.com

 


Michael Babker

Nov 8, 2015, 6:55:57 PM
to joomla-...@googlegroups.com
Point blank, the way that article reads, as one of the sys admins with the keys to the server I want nothing to do with this.

There is more identifying information in the Apache logs than what is stored to the server.  The only identifier is a SHA1 hash composed of a 28 character cryptographically generated random string plus a time stamp.  Even if the server is compromised and someone decrypts the hash, the most valuable data they'll get out of that is the timestamp of when it was generated.  This ID can be regenerated at any time in the plugin configuration.

I'm not putting my neck on the line to have someone's PHP version and database driver info.  And frankly I don't see OSM doing much to assist me in case someone does take this to court.


--
- Michael

Please pardon any errors, this message was sent from my iPhone.

Takis Tamouz

Nov 8, 2015, 7:28:45 PM
to Joomla! CMS Development

Hello, someone can hide the Apache version and PHP version in HTTP headers. My question is, as we see here https://github.com/joomla/joomla-cms/pull/8291#issuecomment-154355617, why must a Joomla user send data like, for example, PHP Built On, which there will show not his PC but his server? So I can say that @kisswebdesign is not paranoid.

George Wilson

Nov 8, 2015, 7:51:41 PM
to Joomla! CMS Development, nbra...@bsds.de
I'd need to take legal advice before being 100% on this as obviously this law is under planning (and is still kinda under change) but at least at present anonymous (non-identifiable) data is not covered by that data protection act (http://www.computing.co.uk/ctg/news/2337679/ico-says-anonymous-data-not-covered-by-data-protection-act-until-its-de-anonymised - and as far as I can tell e.g. from here http://www.computerworlduk.com/it-management/uk-organisations-eu-general-data-protection-regulation-3624909/ this will not change in this new data protection law). From the data we are taking there is no way that we can identify your host let alone your website - so I would be strongly surprised if the contents of the article applied to us.

Kind Regards,
George


Paulo Faustino

Nov 8, 2015, 8:05:15 PM
to joomla-...@googlegroups.com, nbra...@bsds.de

In your shoes, and defending what you’re defending that should be done, I would make sure to get legal advice from someone familiar with the subject and what EU is currently doing, not only what it plans to enforce across the EU in 2017.

But what strikes me as odd, is that instead of taking the small measure that is changing the current “process” from opt-out to opt-in, you prefer to spend Joomla! funds (that in the past days have been heavily discussed as being an all-time low) in legal advice, let alone to let the door open to have legal issues in the future.

Last but not least, this shows a lack of respect for the users’ ownership over their own data.

Best Regards,

Paulo Faustino

 

www.newjamp.com

 


Webdongle Elgnodbew

Nov 8, 2015, 8:27:39 PM
to Joomla! CMS Development
Nice example Sergio ... a site that uses expose_php = Off to hide the php version ... places a 2 year GA tracking cookie on all computers that visit the site. A bit like 'One rule for you but a different rule for everyone else'.

@ Michael Babker
Can the plugin still detect the PHP version when 'expose_php = Off' is in the php.ini file?

Michael Babker

Nov 8, 2015, 8:30:48 PM
to joomla-...@googlegroups.com
Yes.  expose_php is a directive regarding the HTTP headers.  The plugin reads the PHP version data via the PHP_VERSION constant which is defined at PHP runtime.

Niels Braczek

Nov 8, 2015, 9:09:39 PM
to joomla-...@googlegroups.com
On 09.11.2015 at 00:20, George Wilson wrote:

> So are you telling me that WordPress is illegal in Germany?

If it sends data without the user actively having allowed that - yes.

Webdongle Elgnodbew

Nov 8, 2015, 9:10:14 PM
to Joomla! CMS Development
Thanks Michael

So the plugin does not access 'Publicly available data' ... it accesses data by virtue of the fact it is allowed privileged access to the server.  And it passes (some of that data) out of the server before the user is notified or prevent it happening.

Michael Babker

Nov 8, 2015, 9:26:03 PM
to joomla-...@googlegroups.com
This was really more me blowing steam off than anything, but all of the code removed in this branch (https://github.com/joomla/joomla-cms/compare/staging...mbabker:no-remote-ever) are vectors in Joomla where it "passes (some of that data) out of the server before the user is notified or prevent it happening" and explicit dependencies on that base code.  If you have an extension that has any type of update fetching mechanism, you've got data being passed off without being aware of what your server is sending.  There is traceable data from your servers in the Apache logs of *.joomla.org or GitHub or Amazon S3 (all places where CMS infrastructure is hosted right now), mostly dependent on the HTTP request headers being sent and what data is being logged.

Sergio Manzi

Nov 8, 2015, 9:56:40 PM
to joomla-...@googlegroups.com
@Webdongle Elgnodbew:

You're right. I got rid of it and it will never be reinstated.

Thanks for the heads up!

ssnobben

Nov 9, 2015, 5:02:00 AM
to Joomla! CMS Development
EU Data Protection Directive and also laws like EU antitrust rules are important for companies like Google to not get huge fines http://ec.europa.eu/competition/elojade/isef/case_details.cfm?proc_code=1_39740 so I think it's good advice to see how this can be done for Joomla website owners/users in the right way by the EU Data Protection Directive first by a second opinion before it is implemented.



brian teeman

Nov 9, 2015, 5:08:21 AM
to Joomla! CMS Development
The inability to read that article linked to above reminds me why this is a development community and not a legal community of lawyers. 

I am actively involved in a UK government project that is covered by the UK Data Protection Act (DPA) and therefore also affected by the EU changes referred to in that article. My role is to implement the way we gather and store information.

The proposed EU regulation would replace each EU Member State's individual DPA so the regulations would be the same across all EU Member States. The DPA and the proposed EU changes ONLY affect information “by which an individual can be identified”

Keywords in that quote are "individual" and "identified".

If you are still concerned I suggest you read http://www.out-law.com/en/topics/tmt--sourcing/data-protection/data-protection/ (From leading law firm specialising in this stuff and not from a journalist or a hobby blogger).

The key points are

"The Act applies when personal data is processed or is to be processed by a computer, or is recorded or to be recorded in a structured manual filing system."

"Personal data means data which relates to a living individual who can be identified from that data or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller."

As you can see from the above the regulation does not apply in this case as the data gathered is NOT about an individual and not identifiable. 

Finally the requirement of the DPA for "the data subject has given his consent to the processing;" does not apply as the data subject is not an individual and the data gathered is not identifiable with an individual.

Brad Gies

Nov 9, 2015, 5:41:57 AM
to joomla-...@googlegroups.com
It's more than a strong argument.... I'm also an advocate of not taking private data without consent... but the OS and PHP version are absolutely already public... and Joomla! knowing what people are using will absolutely help make Joomla! better.... Joomla! is not trying to get personal private info, so please just take that data and improve Joomla! with it..

Brad.

Brad Gies

Nov 9, 2015, 5:50:11 AM
to joomla-...@googlegroups.com

Brian... Thanks for bringing some sanity to the argument.

Takis Tamouz

Nov 9, 2015, 11:33:11 AM
to Joomla! CMS Development
On Monday, 9 November 2015 12:41:57 UTC+2, Brad wrote:
> but the OS and PHP version are absolutely already public... and Joomla!
>
> Can you tell us from where you see them public and if you see the url of a server?

brian teeman

Nov 9, 2015, 12:36:45 PM
to Joomla! CMS Development


On Monday, 9 November 2015 16:33:11 UTC, Takis Tamouz wrote:
On Monday, 9 November 2015 12:41:57 UTC+2, Brad wrote:
> but the OS and PHP version are absolutely already public... and Joomla!
>
> Can you tell us from where you see them public and if you see the url of a server?

As already stated there is no data stored that can identify the site

Webdongle Elgnodbew

Nov 9, 2015, 12:38:45 PM
to Joomla! CMS Development









Michael Babker

Nov 9, 2015, 12:53:12 PM
to joomla-...@googlegroups.com
That's the API application (https://github.com/joomla-extensions/jstats-server) which is receiving the data.  Same server as the dev site.

George Wilson

Nov 9, 2015, 12:58:21 PM
to joomla-...@googlegroups.com
The link Brian provided (https://developer.joomla.org/about/stats) gives a visual representation of the PHP version, Database type and Joomla versions. The module that is showing that data is on GitHub at https://github.com/joomla-extensions/joomladata. Obviously those graphs don't show Database Version and Server type - but these percentages are publicly available through the API that Webdongle linked to (https://developer.joomla.org/stats), which is also linked to from the graphical stats page. The code handling the Joomla server (which receives the data and handles the API) is also available on GitHub if you want to go through it: https://github.com/joomla-extensions/jstats-server

Kind Regards,
George


Takis Tamouz

Nov 9, 2015, 1:08:44 PM
to Joomla! CMS Development
As I saw in code ( "server_os":{"Windows":66.67,"Linux":16.67,"Darwin":16.67} ) @alikon shows php built on and in his case is Windows NT PC ALIKON 6.0 .... which in a live server PC ALIKON could be myserver.mydomain.com. Do you say that this url will not be sent with this plugin?

kisswebdesign

Nov 9, 2015, 1:18:51 PM
to Joomla! CMS Development
Looks like there is a PR that addresses concerns about the sending of data before there is an opportunity to opt out.

https://github.com/joomla/joomla-cms/pull/8346

It gives a 6 hour delay before sending the data - which is probably long enough for anyone who cares about the issue to do some research and make a decision.

Although not my preferred explicit opt-in to data collection, it is a compromise I can accept.

Thanks to Robert for submitting the PR, and doing the work.

Michael Babker

Nov 9, 2015, 1:19:08 PM
to joomla-...@googlegroups.com
The exact composition of the data array being sent to the server can be seen at https://github.com/joomla/joomla-cms/blob/737234cfe0a079aad374fb0375124b811aeaf867/plugins/system/stats/stats.php#L129-L136.

In the case of the server data, for the system info screen in the admin the entire server data string is displayed (see https://github.com/joomla/joomla-cms/blob/737234cfe0a079aad374fb0375124b811aeaf867/administrator/components/com_admin/models/sysinfo.php#L296).  Using the filters from the php_uname() function (http://php.net/manual/en/function.php-uname.php) we are limiting to only the server operating system and the version number.  Attached here is a screenshot of what that translates to for the stats being received.  Unless a server has manipulated the strings that PHP is grabbing to establish the server's operating system and version number, something like that "PC ALIKON" should not be received ever.

--
Screen Shot 2015-11-09 at 1.16.58 PM.png

alikon

Nov 9, 2015, 1:42:10 PM
to Joomla! CMS Development
> Unless a server has manipulated the strings that PHP is grabbing to establish the server's operating system and version number, something like that "PC ALIKON" should not be received ever.

> As I saw in code ( "server_os":{"Windows":66.67,"Linux":16.67,"Darwin":16.67} ) @alikon shows php built on and in his case is Windows NT PC ALIKON 6.0 .... which in a live server PC ALIKON could be myserver.mydomain.com. Do you say that this url will not be sent with this plugin?

Sorry guys for this misunderstanding, I was playing/manipulating for my dirty testing

Michael Babker

Nov 9, 2015, 1:55:58 PM
to joomla-...@googlegroups.com
Well if you're manipulating data then yes whatever you're manipulating will be what's sent ;-)

In general though, there's nothing to hide, otherwise the API server code wouldn't be open sourced, the stats plugin would be obfuscated, and there wouldn't be an effort to publish this data.  I personally have no issue walking folks through the whole flow to show what data the server is receiving and storing and that's generally what my last post aimed to do.  The only thing the data API is doing is limiting how much detail is given back to requesting users; each of the key values are grouped generally (the PHP version groups on the minor branch, the server OS groups on the first word (which should be the result of php_uname('s') anyway), and right now there isn't any grouping on the CMS version number).  There is some filtering on version number strings so that only versions are stored in <major>.<minor>.<patch> format (so 3.5.0-beta is filtered to 3.5.0 and similar is done with the database and PHP versions).

Like I hinted at earlier in this thread, the reality is that there is more identifying information about who is sending stats in the Apache and application logs (for the app logs Monolog is being used with the WebProcessor class enabled which logs some of the request data with messages such as the HTTP method and the IP address of the requestor (same as you'd find in Apache); this log is there to catch database and application errors only).  I know this does little to reassure people about what data is being stored, but again there is nothing for the project to hide around this effort.
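
Added example, not part of the original thread and not code from the Joomla stats plugin or jstats-server: a PHP illustration of the flow described in the message above, reporting only the OS name and release, reducing versions to `<major>.<minor>.<patch>`, and grouping for publication. Field names other than `server_os`, the helper names and the sample rows are assumptions constructed for this illustration.

```php
<?php
// Added illustration; not code from the Joomla stats plugin or jstats-server.
// Field names other than "server_os" are assumptions; all sample rows are constructed.

/** Keep only <major>.<minor>.<patch>, so "3.5.0-beta" becomes "3.5.0". */
function normalizeVersion($raw)
{
    if (is_string($raw) && preg_match('/^\s*(\d+)\.(\d+)\.(\d+)/', $raw, $m)) {
        return $m[1] . '.' . $m[2] . '.' . $m[3];
    }
    return null; // missing, or not a three-part version
}

/** Minor branch used for grouping PHP versions: "5.6.14" becomes "5.6". */
function minorBranch($version)
{
    return implode('.', array_slice(explode('.', $version), 0, 2));
}

/** First word of the OS string: "Linux 3.13.0-68-generic" becomes "Linux". */
function osFamily($serverOs)
{
    if (!is_string($serverOs)) {
        return '';
    }
    $parts = preg_split('/\s+/', trim($serverOs));
    return $parts[0];
}

/**
 * What one installation reports about itself. php_uname('s') is the OS name and
 * php_uname('r') the release. The host name is php_uname('n'); it is part of the
 * unfiltered php_uname() string but is never read here.
 */
function localReport()
{
    return array(
        'php_version' => normalizeVersion(PHP_VERSION),
        'server_os'   => php_uname('s') . ' ' . php_uname('r'),
    );
}

/** Percentage share of each distinct value, rounded to two decimals. */
function share(array $values)
{
    $total  = count($values);
    $counts = array_count_values($values);
    arsort($counts);
    return array_map(function ($n) use ($total) {
        return round($n * 100 / $total, 2);
    }, $counts);
}

/** Receiving side: normalise every submission, drop malformed ones, then group. */
function summarize(array $submissions)
{
    $php = $cms = $os = array();
    foreach ($submissions as $row) {
        $phpVersion = normalizeVersion($row['php_version'] ?? null);
        $cmsVersion = normalizeVersion($row['cms_version'] ?? null);
        $family     = osFamily($row['server_os'] ?? null);
        if ($phpVersion === null || $cmsVersion === null || $family === '') {
            continue; // not a usable record
        }
        $php[] = minorBranch($phpVersion); // grouped on the minor branch
        $cms[] = $cmsVersion;              // no grouping on the CMS version
        $os[]  = $family;                  // grouped on the first word
    }
    return array(
        'php_version' => share($php),
        'cms_version' => share($cms),
        'server_os'   => share($os),
    );
}

// Constructed sample submissions (not real data).
$submissions = array(
    array('php_version' => '5.6.14', 'cms_version' => '3.5.0-beta', 'server_os' => 'Windows NT 6.1'),
    array('php_version' => '5.6.15', 'cms_version' => '3.5.0-beta', 'server_os' => 'Windows NT 6.3'),
    array('php_version' => '5.4.45', 'cms_version' => '3.5.0',      'server_os' => 'Windows NT 6.1'),
    array('php_version' => '5.5.30', 'cms_version' => '3.5.0',      'server_os' => 'Windows NT 10.0'),
    array('php_version' => '5.5.9-1ubuntu4.14', 'cms_version' => '3.5.0-beta',
          'server_os' => 'Linux 3.13.0-68-generic'),
    array('php_version' => '5.6.15', 'cms_version' => '3.5.0',      'server_os' => 'Darwin 15.0.0'),
    array('php_version' => 'n/a',    'cms_version' => '3.5.0',      'server_os' => 'Linux'), // dropped
);

echo json_encode(localReport()), PHP_EOL;
echo json_encode(summarize($submissions)), PHP_EOL;
```

Normalising drops malformed records only; a well-formed but false submission is still counted.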

Takis Tamouz

Nov 9, 2015, 2:09:20 PM
to Joomla! CMS Development
Thank you for clarifying that

Roberto Segura

Nov 9, 2015, 9:41:41 PM
to joomla-...@googlegroups.com

I have sent a PR to Robert's PR that allows customising almost everything in the plugin and that ensures that the user decides before anything is sent.

It also shows the data that will be sent so users can review what is sent.

Check it in:
https://github.com/joomla/joomla-cms/pull/8346#issuecomment-155260754

kisswebdesign

Nov 10, 2015, 10:22:38 AM
to Joomla! CMS Development


On Tuesday, 10 November 2015 02:41:41 UTC, Roberto Segura wrote:

> I have sent a PR to Robert's PR that allows customising almost everything in the plugin and that ensures that the user decides before anything is sent.
>
> It also shows the data that will be sent so users can review what is sent.
>
> Check it in:
> https://github.com/joomla/joomla-cms/pull/8346#issuecomment-155260754

Great work Roberto, thank you.

I have tested it, and from a virgin install it works as expected.

Updating from 3.4.5 to 3.5.0-beta and applying the patch (PR) does not - but this method of install/update is not a 'normal' use case, so I don't think it would be an issue if this PR is included in the 3.5 release.

I also posted the results to the PR on Github:
https://github.com/joomla/joomla-cms/pull/8346#issuecomment-155447903 

Sven

Nov 15, 2015, 5:57:55 PM
to Joomla! CMS Development
> Well if you're manipulating data then yes whatever you're manipulating will be what's sent ;-)

And exactly about this you should worry more, because kiddies always like to mess around... and they can do this in a short time...
Don't be too angry with me, I just sent some data to the submit url to see if nonsense data are also collected...

Bakual

Nov 15, 2015, 6:09:42 PM
to Joomla! CMS Development
We're aware of that, but there isn't much you can do to prevent that.
We will be able to figure out that those 3.5.6 installations likely aren't valid cases :-p

Sven

Nov 15, 2015, 7:33:15 PM
to Joomla! CMS Development
I used 3.4.5 in my 2 requests :) and sure you can figure out that this is not a valid case, but if sending correct cases with fake data for example push PHP 5.4 on top of the list even it's not, then those data are not very useful

Bakual

Nov 16, 2015, 4:08:09 AM
to Joomla! CMS Development
3.4.5 is a perfectly valid case, as you can install that plugin manually in that Joomla version ;)

I hope that having the plugin opt-in now does still give us enough data to make those manually submitted data statistically irrelevant. It was one of the reasons why we wanted it to be opt-out so we have a good set to work with.