recursivetree / seat-treelib

A library for SeAT plugins by recursivetree
MIT License

Default Opt-Out for Giveaway feature #1

Closed fleischsalatinspace closed 1 year ago

fleischsalatinspace commented 1 year ago

Hi, I need clarification if the Giveaway feature is enabled by default. Related code is https://github.com/recursivetree/seat-treelib/search?q=giveaway . I have concerns regarding this feature https://github.com/recursivetree/seat-treelib/blob/4ae8a886f25c876cfac0c8532db175dea82ceb29/src/resources/lang/en/giveaway.php#L6

Regards

fleischsalatinspace commented 1 year ago

CC @recursivetree

recursivetree commented 1 year ago

It is enabled by default, but you can opt out on a user level.

The character will only be sent if you press the enter giveaway button. Otherwise, nothing is sent, so you have control over whether you want to give me your game name. The character id per se is completely harmless to share, it is basically just your character name, but as a number. There is no way around giving me your character name, otherwise I can't contract the eve partner giveaway skins.

You can also take a look at the code of the server that stores the character ids. It doesn't even keep track of IPs or anything. https://github.com/recursivetree/eve-partner-giveaway-backend

I hope that clarifies things, otherwise feel free to ask.

recursivetree commented 1 year ago

On another note, with upcoming changes to the eve partner program, I probably won't have to do giveaways anymore. In fact, the server behind it is currently not even running.

fleischsalatinspace commented 1 year ago

Thank you for your quick response. IMO it would be in line with today's industry privacy standards if your plugin would disable the feature by default, i.e. default opt-in at server level, and, if not already done, at least hint at this feature in the plugin's README. None of the people responsible for installing this plugin were aware that it communicates with a third-party server by default and possibly transmits character-related information to an unknown third party. I'm aware that it should be the responsibility of these people to first check the (FL)OSS code of the plugin, but tbh most don't.

The reason why I stumbled on this feature is because there were TLS certificate errors for your giveaway domain logged on one of the SeAT instances I run, and, given the nature of today's software supply chains, I immediately thought of a compromised software component in the SeAT plugin.

Thank you again for clarifying, and I appreciate the work you have done with these plugins.
Feel free to close the issue.

recursivetree commented 1 year ago

The thing is, it doesn't communicate by default. It only communicates if a user presses a button. That is a difference to what you say: "None of the people responsible for installing this plugin were aware that it communicates with a third-party server by default ...". You can verify that by reading the code.

On another note, nobody reads the README of a dependency of the actual module, and the goal is that users actually use it.

SeAT Google Analytics is enabled by default too, and crypta eve's plugins load a CSS file from his server for tracking, so I guess my plugins are far less invasive. Additionally, the text below the button tells the user exactly what will be transmitted when he presses the button.

The TLS-errors happen because the giveaway backend is currently shut down, but the plugin still checks the status every once in a while. I'll probably stop it with the next release.

fleischsalatinspace commented 1 year ago

Thank you for the response :+1:. I'll close the issue for now.