From aecfa681b95b2cc6ad879e58bf6774e2ea68579b Mon Sep 17 00:00:00 2001 From: Grant Orndorff Date: Wed, 24 Jul 2024 11:17:38 -0400 Subject: [PATCH 1/6] docs: describe all data collection Fixes: #2894 --- docs/explanations.rst | 2 +- docs/explanations/data_collection.rst | 86 +++++++++++++++++++++++++++ 2 files changed, 87 insertions(+), 1 deletion(-) create mode 100644 docs/explanations/data_collection.rst diff --git a/docs/explanations.rst b/docs/explanations.rst index 551bc7b41e..8fd269f463 100644 --- a/docs/explanations.rst +++ b/docs/explanations.rst @@ -73,4 +73,4 @@ Other Pro features explained explanations/what_is_the_daemon.md explanations/errors_explained.md explanations/deprecation_policy.rst - + explanations/data_collection.rst diff --git a/docs/explanations/data_collection.rst b/docs/explanations/data_collection.rst new file mode 100644 index 0000000000..6dc15efa5b --- /dev/null +++ b/docs/explanations/data_collection.rst 
@@ -0,0 +1,86 @@ +What data does Canonical collect from Ubuntu Pro machines? +********************************************************** + +For the purposes of delivering Ubuntu Pro services to customers in compliance +with the terms of the Ubuntu Pro subscription, some system data is sent to +Canonical servers. This data is sent via a couple different methods, depending +on the service and the purpose of that particular data element. + +This document categorizes data collection by method of collection. + +APT Package Downloads +===================== + +If you have any of the following services enabled, then the following data +collection method will be in use whenever downloading packages for one of +these services. + +- ``anbox-cloud`` +- ``cc-eal`` +- ``cis`` +- ``esm-apps`` +- ``esm-infra`` +- ``fips`` +- ``fips-preview`` +- ``fips-updates`` +- ``realtime-kernel`` +- ``ros`` +- ``ros-updates`` +- ``usg`` + +Whenever you ``apt install`` a package from a pro service (or ``apt upgrade`` +to a version of a package from a pro service), ``apt`` will make a GET request +to ``esm.ubuntu.com`` that includes the package name and version and HTTP +basic auth credentials that are tied to the Ubuntu Pro Subscription. + +For example, installing the ``hello`` package from ``esm-apps`` will result in +a request that looks something like this: + +.. code-block:: text + https://bearer:$resource_token@esm.ubuntu.com/apps/ubuntu/pool/main/h/hello/hello_2.10-2ubuntu4+esm1_amd64.deb + +This request is necessary to download the Pro update and it necessarily +includes the following data. + +- ubuntu codename (e.g. "jammy") +- package name (e.g. "hello") +- package version (e.g. "2.10-2ubuntu4+esm1") +- package architecture (e.g. "amd64") + +Because this request is necessarily authenticated and the authentication token +is tied to a particular Ubuntu Pro subscription, this data is inherently tied +to the Ubuntu Pro subscription that authenticated access to the package. 
+ +Livepatch Downloads +=================== + +If you have ``livepatch`` enabled, then the following data is sent in order to +download the correct kernel patches: + +- kernel version (e.g. "6.8.0-38.38-generic") +- machine architecture (e.g. "amd64") + +Because this request is necessarily authenticated and the authentication token +is tied to a particular Ubuntu Pro subscription, this data is inherently tied +to the Ubuntu Pro subscription that authenticated access to the package. + + +Machine Activity Checks +======================= + +Regardless of which services you have enabled, if a machine is attached to an +Ubuntu Pro subscription, the following data is collected and updated regularly. + +- distribution (e.g. "Ubuntu") +- release codename (e.g. "noble") +- kernel version (e.g. "6.8.0-38.38-generic") +- machine architecture (e.g. "amd64") +- is the machine a desktop (e.g. "true") +- virtualization type (e.g. "docker") +- services enabled (e.g. "ros" and "realtime-kernel generic variant") +- time the machine was attached (e.g. "2024-07-24T13:54:07+00:00") +- version of ``ubuntu-pro-client`` (e.g. "33.2~24.04") + +These data elements are collected to ensure machines that are attached to a +particular Ubuntu Pro contract are compliant with the terms of that particular +contract. From a1b56aea97f1af6ea9dc2b32ad037d0c92488548 Mon Sep 17 00:00:00 2001 From: Grant Orndorff Date: Wed, 24 Jul 2024 13:59:20 -0400 Subject: [PATCH 2/6] Apply suggestions from code review Co-authored-by: Sally --- docs/explanations/data_collection.rst | 49 ++++++++++++++------------- 1 file changed, 25 insertions(+), 24 deletions(-) diff --git a/docs/explanations/data_collection.rst b/docs/explanations/data_collection.rst index 6dc15efa5b..0c647a96f9 100644 --- a/docs/explanations/data_collection.rst +++ b/docs/explanations/data_collection.rst 
@@ -3,12 +3,12 @@ What data does Canonical collect from Ubuntu Pro machines? For the purposes of delivering Ubuntu Pro services to customers in compliance with the terms of the Ubuntu Pro subscription, some system data is sent to -Canonical servers. This data is sent via a couple different methods, depending +Canonical servers. This data is sent via a few different methods, depending on the service and the purpose of that particular data element. -This document categorizes data collection by method of collection. +This document categorises data collection by method of collection. -APT Package Downloads +APT package downloads ===================== If you have any of the following services enabled, then the following data 
@@ -28,58 +28,59 @@ these services. - ``ros-updates`` - ``usg`` -Whenever you ``apt install`` a package from a pro service (or ``apt upgrade`` -to a version of a package from a pro service), ``apt`` will make a GET request -to ``esm.ubuntu.com`` that includes the package name and version and HTTP -basic auth credentials that are tied to the Ubuntu Pro Subscription. +Whenever you ``apt install`` a package from a Pro service (or ``apt upgrade`` +to a version of a package from a Pro service), ``apt`` will make a GET request +to ``esm.ubuntu.com`` that includes the package name and version, and HTTP +basic auth credentials that are tied to the Ubuntu Pro subscription. For example, installing the ``hello`` package from ``esm-apps`` will result in a request that looks something like this: .. code-block:: text + https://bearer:$resource_token@esm.ubuntu.com/apps/ubuntu/pool/main/h/hello/hello_2.10-2ubuntu4+esm1_amd64.deb This request is necessary to download the Pro update and it necessarily includes the following data. -- ubuntu codename (e.g. "jammy") -- package name (e.g. "hello") -- package version (e.g. "2.10-2ubuntu4+esm1") -- package architecture (e.g. "amd64") +- Ubuntu codename (e.g. "Jammy") +- Package name (e.g. "hello") +- Package version (e.g. "2.10-2ubuntu4+esm1") +- Package architecture (e.g. "amd64") Because this request is necessarily authenticated and the authentication token is tied to a particular Ubuntu Pro subscription, this data is inherently tied to the Ubuntu Pro subscription that authenticated access to the package. -Livepatch Downloads +Livepatch downloads =================== If you have ``livepatch`` enabled, then the following data is sent in order to download the correct kernel patches: -- kernel version (e.g. "6.8.0-38.38-generic") -- machine architecture (e.g. "amd64") +- Kernel version (e.g. "6.8.0-38.38-generic") +- Machine architecture (e.g. 
"amd64") Because this request is necessarily authenticated and the authentication token is tied to a particular Ubuntu Pro subscription, this data is inherently tied to the Ubuntu Pro subscription that authenticated access to the package. -Machine Activity Checks +Machine activity checks ======================= Regardless of which services you have enabled, if a machine is attached to an Ubuntu Pro subscription, the following data is collected and updated regularly. -- distribution (e.g. "Ubuntu") -- release codename (e.g. "noble") -- kernel version (e.g. "6.8.0-38.38-generic") -- machine architecture (e.g. "amd64") -- is the machine a desktop (e.g. "true") -- virtualization type (e.g. "docker") -- services enabled (e.g. "ros" and "realtime-kernel generic variant") -- time the machine was attached (e.g. "2024-07-24T13:54:07+00:00") -- version of ``ubuntu-pro-client`` (e.g. "33.2~24.04") +- Distribution (e.g. "Ubuntu") +- Release codename (e.g. "Noble") +- Kernel version (e.g. "6.8.0-38.38-generic") +- Machine architecture (e.g. "amd64") +- Is the machine a desktop? (e.g. "true") +- Virtualisation type (e.g. "Docker") +- Services enabled (e.g. "ros" and "realtime-kernel generic variant") +- When the machine was attached (e.g. "2024-07-24T13:54:07+00:00") +- Version of ``ubuntu-pro-client`` (e.g. "33.2~24.04") These data elements are collected to ensure machines that are attached to a particular Ubuntu Pro contract are compliant with the terms of that particular From cb529d46e23a87c4ba1e9d3747d25bfc4c0f480d Mon Sep 17 00:00:00 2001 From: Grant Orndorff Date: Wed, 24 Jul 2024 14:37:09 -0400 Subject: [PATCH 3/6] more review feedback --- docs/explanations/data_collection.rst | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/docs/explanations/data_collection.rst b/docs/explanations/data_collection.rst index 0c647a96f9..7d288a5e1a 100644 --- a/docs/explanations/data_collection.rst +++ b/docs/explanations/data_collection.rst 
@@ -11,8 +11,8 @@ This document categorises data collection by method of collection. APT package downloads ===================== -If you have any of the following services enabled, then the following data -collection method will be in use whenever downloading packages for one of +If you have any of the following services enabled, then the data collection +method described below will be in use whenever downloading packages for one of these services. - ``anbox-cloud`` @@ -40,17 +40,17 @@ a request that looks something like this: https://bearer:$resource_token@esm.ubuntu.com/apps/ubuntu/pool/main/h/hello/hello_2.10-2ubuntu4+esm1_amd64.deb -This request is necessary to download the Pro update and it necessarily -includes the following data. +This request is necessary to download the Pro update and includes the +following data. - Ubuntu codename (e.g. "Jammy") - Package name (e.g. "hello") - Package version (e.g. "2.10-2ubuntu4+esm1") - Package architecture (e.g. "amd64") -Because this request is necessarily authenticated and the authentication token -is tied to a particular Ubuntu Pro subscription, this data is inherently tied -to the Ubuntu Pro subscription that authenticated access to the package. +Because this request needs to be authenticated and the authentication token is +tied to a particular Ubuntu Pro subscription, this data is inherently tied to +the Ubuntu Pro subscription that authenticated access to the package. Livepatch downloads =================== 
@@ -61,16 +61,18 @@ download the correct kernel patches: - Kernel version (e.g. "6.8.0-38.38-generic") - Machine architecture (e.g. "amd64") -Because this request is necessarily authenticated and the authentication token -is tied to a particular Ubuntu Pro subscription, this data is inherently tied -to the Ubuntu Pro subscription that authenticated access to the package. +Similarly to APT package downloads, because this request needs to be +authenticated and the authentication token is tied to a particular Ubuntu Pro +subscription, this data is inherently tied to the Ubuntu Pro subscription that +authenticated access to the package. Machine activity checks ======================= Regardless of which services you have enabled, if a machine is attached to an -Ubuntu Pro subscription, the following data is collected and updated regularly. +Ubuntu Pro subscription, the following data is collected and updated regularly +(default: every 6 hours). - Distribution (e.g. "Ubuntu") - Release codename (e.g. "Noble") From 5f51ad958c0d18f195f173762543bb5eaa341325 Mon Sep 17 00:00:00 2001 From: Grant Orndorff Date: Wed, 24 Jul 2024 14:39:01 -0400 Subject: [PATCH 4/6] more review feedback --- docs/explanations/data_collection.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/explanations/data_collection.rst b/docs/explanations/data_collection.rst index 7d288a5e1a..f88507097b 100644 --- a/docs/explanations/data_collection.rst +++ b/docs/explanations/data_collection.rst 
@@ -1,10 +1,10 @@ What data does Canonical collect from Ubuntu Pro machines? ********************************************************** -For the purposes of delivering Ubuntu Pro services to customers in compliance -with the terms of the Ubuntu Pro subscription, some system data is sent to -Canonical servers. This data is sent via a few different methods, depending -on the service and the purpose of that particular data element. +Some system data is sent to Canonical servers for the purpose of delivering +Ubuntu Pro services in compliance with the terms of the Ubuntu Pro subscriptio +. This data is sent via a few different methods, depending on the service and +the purpose of that particular data element. This document categorises data collection by method of collection. From 740dc8ce142cedcef0ae9aebb05c4345df937449 Mon Sep 17 00:00:00 2001 From: Grant Orndorff Date: Thu, 25 Jul 2024 09:24:18 -0400 Subject: [PATCH 5/6] data collection: reorder to make clear what is expressly collected --- docs/explanations/data_collection.rst | 56 ++++++++++++--------------- 1 file changed, 25 insertions(+), 31 deletions(-) diff --git a/docs/explanations/data_collection.rst b/docs/explanations/data_collection.rst index f88507097b..a91dd83141 100644 --- a/docs/explanations/data_collection.rst +++ b/docs/explanations/data_collection.rst 
@@ -1,15 +1,31 @@ -What data does Canonical collect from Ubuntu Pro machines? -********************************************************** +What data is collected from active Ubuntu Pro machines? +******************************************************* -Some system data is sent to Canonical servers for the purpose of delivering -Ubuntu Pro services in compliance with the terms of the Ubuntu Pro subscriptio -. This data is sent via a few different methods, depending on the service and -the purpose of that particular data element. +If a machine is attached to an Ubuntu Pro subscription, the following data is +collected and updated regularly (default: every 6 hours). -This document categorises data collection by method of collection. +- Distribution (e.g. "Ubuntu") +- Release codename (e.g. "Noble") +- Kernel version (e.g. "6.8.0-38.38-generic") +- Machine architecture (e.g. "amd64") +- Is the machine a desktop? (e.g. "true") +- Virtualisation type (e.g. "Docker") +- Services enabled (e.g. "ros" and "realtime-kernel generic variant") +- When the machine was attached (e.g. "2024-07-24T13:54:07+00:00") +- Version of ``ubuntu-pro-client`` (e.g. "33.2~24.04") + +These data elements are collected to ensure machines that are attached to a +particular Ubuntu Pro contract are compliant with the terms of that particular +contract. + +Data sent in order to provide service +===================================== + +The following data is not purposefully collected, but is sent to Canonical +servers in order to provide Ubuntu Pro services. APT package downloads -===================== +--------------------- If you have any of the following services enabled, then the data collection method described below will be in use whenever downloading packages for one of 
@@ -53,7 +69,7 @@ tied to a particular Ubuntu Pro subscription, this data is inherently tied to the Ubuntu Pro subscription that authenticated access to the package. Livepatch downloads -=================== +------------------- If you have ``livepatch`` enabled, then the following data is sent in order to download the correct kernel patches: @@ -65,25 +81,3 @@ Similarly to APT package downloads, because this request needs to be authenticated and the authentication token is tied to a particular Ubuntu Pro subscription, this data is inherently tied to the Ubuntu Pro subscription that authenticated access to the package. - - -Machine activity checks -======================= - -Regardless of which services you have enabled, if a machine is attached to an -Ubuntu Pro subscription, the following data is collected and updated regularly -(default: every 6 hours). - -- Distribution (e.g. "Ubuntu") -- Release codename (e.g. "Noble") -- Kernel version (e.g. "6.8.0-38.38-generic") -- Machine architecture (e.g. "amd64") -- Is the machine a desktop? (e.g. "true") -- Virtualisation type (e.g. "Docker") -- Services enabled (e.g. "ros" and "realtime-kernel generic variant") -- When the machine was attached (e.g. "2024-07-24T13:54:07+00:00") -- Version of ``ubuntu-pro-client`` (e.g. "33.2~24.04") - -These data elements are collected to ensure machines that are attached to a -particular Ubuntu Pro contract are compliant with the terms of that particular -contract. From c6abb3cc54d37d9498eac3cb5f87e81764c114ab Mon Sep 17 00:00:00 2001 From: Grant Orndorff Date: Thu, 25 Jul 2024 09:28:20 -0400 Subject: [PATCH 6/6] avoid unnecessarily long/awkward 'in order to' --- docs/explanations/data_collection.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/explanations/data_collection.rst b/docs/explanations/data_collection.rst index a91dd83141..b556b5e84f 100644 --- a/docs/explanations/data_collection.rst +++ b/docs/explanations/data_collection.rst 
@@ -18,8 +18,8 @@ These data elements are collected to ensure machines that are attached to a particular Ubuntu Pro contract are compliant with the terms of that particular contract. -Data sent in order to provide service -===================================== +Data sent to provide service +============================ The following data is not purposefully collected, but is sent to Canonical servers in order to provide Ubuntu Pro services.
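
Review bot: In PATCH 1/6, in the new docs/explanations/data_collection.rst (hunk @@ -0,0 +1,86 @@), the ".. code-block:: text" line is followed directly by the URL line with no blank line between them. reStructuredText needs a blank line between a directive and its content, so the example will not render as a literal block at this commit. PATCH 2/6 adds the missing line; squashing that fix into this commit would keep every commit in the series building cleanly.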
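
Review bot: In PATCH 2/6 (hunk @@ -28,58 +28,59 @@), capitalising the quoted example values "Jammy", "Noble" and "Docker" changes them from sample data into prose, while the neighbouring examples ("amd64", "true", "6.8.0-38.38-generic") remain literal values. The removed lines had them in lowercase ("jammy", "noble", "docker"). Since this page documents what is transmitted, suggest capitalising only the list labels and leaving the quoted values as they were, so that readers comparing against their own traffic or logs see the same strings.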
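
Review bot: In PATCH 3/6 (hunk @@ -40,17 +40,17 @@), the list under "includes the following data" starts with "Ubuntu codename", but the example URL kept as context just above it shows only the package name, version and architecture (hello_2.10-2ubuntu4+esm1_amd64.deb under /apps/ubuntu/pool/main/h/hello/) and no codename. Suggest either showing an example request in which the codename is visible or adding a sentence that says where in the exchange it is conveyed, so the list can be checked against the example.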
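
Review bot: In PATCH 3/6 (hunk @@ -61,16 +61,18 @@), the added "(default: every 6 hours)" states that the interval has a default but not where it is set or whether it can be changed. An administrator reading this page to account for outbound traffic will want that pointer; suggest naming the setting or linking to the page that documents it.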
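
Review bot: In PATCH 4/6 (hunk @@ -1,10 +1,10 @@), the rewrapped intro paragraph has a typo at the line break: "subscriptio" ends one added line and the next begins with ". This data is sent". It should read "subscription." on a single line. PATCH 5/6 removes the paragraph entirely, so consider squashing the two commits rather than landing the typo in history.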
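
Review bot: In PATCH 5/6 (hunk @@ -1,15 +1,31 @@), the new sentence "The following data is not purposefully collected, but is sent to Canonical servers" sits uneasily with the unchanged text that follows it: the APT section still opens with "the data collection method described below", and both subsections say the data is "inherently tied to the Ubuntu Pro subscription". Suggest stating plainly what happens to this data once it is received (for example, whether it is logged or retained), and rewording "data collection method" in the APT section so the terminology is consistent. The new title also says "active" machines while the first sentence says "attached"; pick one term or define how they relate.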
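
Review bot: In PATCH 5/6 (hunk @@ -65,25 +81,3 @@), the Livepatch paragraph kept as context, which now ends the file, still closes with "authenticated access to the package", wording carried over from the APT section. The Livepatch section describes downloading kernel patches, not a package; suggest "authenticated access to the kernel patches" or similar, so the two subsections do not read as a copy of one another.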
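
Review bot: In PATCH 6/6 (hunk @@ -18,8 +18,8 @@), the heading drops "in order to", but the context sentence directly beneath it still reads "servers in order to provide Ubuntu Pro services", and the Livepatch section has "is sent in order to download". If the aim of the commit is to remove that phrasing, those two sentences should change in the same commit.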