gefyrahq / gefyra

Blazingly-fast :rocket:, rock-solid, local application development :arrow_right: with Kubernetes.
https://gefyra.dev
Apache License 2.0

(Suspicious) dependency on cli-tracker: Is this really needed? #699

Open kastl-ars opened 6 days ago

kastl-ars commented 6 days ago

Hi all,

I found Gefyra today and found it an interesting concept. I tried to package it for openSUSE to try it out.

One thing I found was that the CLI dependency on cli-tracker is fishy. Or rather, I cannot find a source for this other than PyPI, which is unusual and made me suspicious. PyPI has seen a lot of malware lately, so better safe than sorry.

So I wanted to ask if this dependency is necessary. Do you have more information on it?

Thanks in advance, Johannes

SteinRobert commented 3 days ago

Hey @kastl-ars - we added the tracker - it's written by the Gefyra maintainers. The GitHub repository is here: https://github.com/unikubehq/cli_tracker

The Gefyra project was born out of Unikube a couple of years ago; that's why it is in another organization. On that note, I might just move it over in the next couple of days.

The tracker generally collects usage information about the Gefyra CLI so we can make better decisions about which errors to look into and which things to push further. If one opts out, nothing is sent. The information is collected and stored on sentry.io.

I'm sorry for the confusion, hoping this resolves your worries and answers your questions.

kastl-ars commented 3 days ago

Thanks for the reply and the information. That helps (and eases my mind).

Would it be possible to add more information to the PyPI entry for the tracker? Link to the repository, license, etc.?

Kind regards, Johannes
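The concern raised in this thread (a dependency whose PyPI entry gives no source repository or license) can be turned into a routine check. The following is an added example, not code from the gefyra project or anyone in this thread. It reads the layout of the real PyPI JSON API (`https://pypi.org/pypi/<name>/json`, whose `info` object carries `home_page`, `project_urls`, `license` and `classifiers`) and flags packages that declare no code-hosting URL, no license, or a repository other than the one you expect. The two metadata documents embedded below are constructed for illustration; only the repository URL is taken from the thread.

```python
"""Audit a PyPI package's metadata for source-repository provenance.

Added example, not part of the gefyra project. The dict layout follows
the public PyPI JSON API; the sample documents below are constructed.
"""
from __future__ import annotations

import json
import re
import urllib.request
from typing import Any

# Hosts we accept as "a source repository". Extend to your own forge.
SOURCE_HOST_RE = re.compile(
    r"^https?://(github\.com|gitlab\.com|codeberg\.org|bitbucket\.org)/[^/]+/[^/]+",
    re.IGNORECASE,
)


def source_urls(info: dict[str, Any]) -> list[str]:
    """Return every URL in home_page / project_urls that points at a code host."""
    candidates = [info.get("home_page") or ""]
    candidates += list((info.get("project_urls") or {}).values())
    return [u for u in candidates if u and SOURCE_HOST_RE.match(u)]


def declared_license(info: dict[str, Any]) -> str:
    """License text, SPDX expression, or a 'License ::' trove classifier, if any."""
    for key in ("license_expression", "license"):
        value = (info.get(key) or "").strip()
        if value:
            return value
    for classifier in info.get("classifiers") or []:
        if classifier.startswith("License ::"):
            return classifier
    return ""


def audit_package(metadata: dict[str, Any], expected_repo: str | None = None) -> dict[str, Any]:
    """Produce findings for one PyPI JSON document; 'ok' is True when none."""
    info = metadata.get("info") or {}
    repos = source_urls(info)
    findings: list[str] = []
    if not repos:
        findings.append("no source repository URL in home_page or project_urls")
    if not declared_license(info):
        findings.append("no license declared in metadata or classifiers")
    if expected_repo:
        wanted = expected_repo.rstrip("/").lower()
        if not any(u.rstrip("/").lower() == wanted for u in repos):
            findings.append(f"declared repositories {repos} do not include {expected_repo}")
    return {
        "name": info.get("name"),
        "version": info.get("version"),
        "source_urls": repos,
        "findings": findings,
        "ok": not findings,
    }


def fetch_metadata(name: str) -> dict[str, Any]:
    """Live lookup against PyPI (network); not used by the offline demo below."""
    with urllib.request.urlopen(f"https://pypi.org/pypi/{name}/json", timeout=10) as resp:
        return json.load(resp)


# Constructed sample: the kind of entry that prompted this issue.
BARE_METADATA = {
    "info": {"name": "example-tracker", "version": "0.1.0", "home_page": "",
             "project_urls": None, "license": "", "classifiers": []},
}

# Constructed sample of a well-described entry; the repo URL is from the thread.
EXPECTED_REPO = "https://github.com/unikubehq/cli_tracker"
GOOD_METADATA = {
    "info": {"name": "example-tracker", "version": "0.1.1", "home_page": "",
             "project_urls": {"Source": EXPECTED_REPO, "Homepage": "https://gefyra.dev"},
             "license": "Apache-2.0",
             "classifiers": ["License :: OSI Approved :: Apache Software License"]},
}

if __name__ == "__main__":
    for doc in (BARE_METADATA, GOOD_METADATA):
        print(json.dumps(audit_package(doc, expected_repo=EXPECTED_REPO), indent=2))
```

For a live check, `audit_package(fetch_metadata("some-package"), expected_repo=...)` does the same against PyPI. A declared repository URL is only a pointer: it still pays to confirm that the repository's release tag matches the published sdist before trusting the package.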

SteinRobert commented 2 days ago

Sure thing. I'll look into this and will keep you posted. The repo has already been moved to the Gefyra organization.