Feature request: Make maintainerEmail optional

Open tyrak opened this issue 4 years ago • 5 comments

I started using ACME.js a few weeks ago and it's really great. Thanks for your work! I was wondering if you would consider making the maintainerEmail parameter optional: if no maintainerEmail is provided, then ACME.js would not make any calls to api.rootprojects.org. While receiving security notices from ACME.js is a very useful feature, I am concerned that this might be violating the GDPR because it involves collecting email addresses, and email addresses are considered personal data according to that statute. Specifically, collecting personal data (such as emails and IP addresses) is permitted if the user has provided explicit consent, but there should be an opt-out for such collection, if the collection is not absolutely necessary for running the service. Note that the GDPR affects entities (persons/companies) even if they are outside the EU (which is kind of crazy but that's a different story), if they are collecting personal data of EU persons.

tyrak avatar May 01 '21 22:05 tyrak

Thank you for pointing this out.

Very underhanded. I find the code convoluted and hard to follow. I used the software about a year ago and I suspected it was collecting information. I was not bothered at the time to look into it. I don't trust the software or the developer.

Considering it's certificates, what else is being collected? What code is being published to NPM?

https://github.com/therootcompany/acme.js/blob/master/acme.js#L70

FLYBYME avatar Jun 02 '21 01:06 FLYBYME

I would love for the #maintainers (@coolaj86) to chime in on this one, as we just found this thanks to Datadog. I haven't been able to find anywhere that discloses that this library will send details about the application or its configuration to anyone, making this not only undocumented, but unethical.

To me and those in my org who have been discussing this, the acceptable changes that need to be made are:

  • Explicitly document this behavior in the README and state what data is being sent to api.rootprojects.org
  • Make the data sharing optional
  • Allow users to specify a custom endpoint for the reports instead of api.rootprojects.org so people have the option to retain the functionality but are responsible for their own reporting

Failing that, we'll probably be forking this project and maintaining a "clean" version.

peterfraedrich avatar Jun 18 '21 15:06 peterfraedrich

Just found this library by a recommendation on Twitter, and am looking at using it for an internal project.

> making this not only undocumented, but unethical.

To be fair, the project's readme pretty prominently links using big bold text to the walkthrough guide for users getting started, which says right near the beginning:

> The maintainer contact is used by Root to notify you of security notices and bugfixes to ACME.js.

So it IS definitely documented, it's not something that is being hidden.

Having been on the receiving end of lots of FUD with my own projects before, I would caution against being too radical making accusations. You won't get help by accusing or intimidating the maintainers. Scaring away other potential users with false claims about the project hiding "unethical" behavior won't improve the situation for anyone, either -- like me, who wants to use just one specific function of this library, but I'm guessing because of the accusatory attitude going into this issue the maintainers haven't replied or addressed the concerns -- and understandably so -- and now it's leaving other users like me who are interested in this out in the cold.

> if the collection is not absolutely necessary for running the service.

I'm no lawyer, but note that this JS library is not a "service" -- it is a library. If you run a service with it, that's your responsibility.

Anyway, I'm not even associated with this library but I'm a bit upset at people who choose, of their own free will and choice, to use an MPL-licensed library for free, assume the worst from a maintainer. Don't do this. You're only contributing to a more toxic industry. Instead, if you have concerns, what maintainers need you to do is to please keep remarks professional and not make personal accusations about them being "underhanded" or "unethical," especially when you're wrong about the premise (it is documented, even I was aware of this behavior before I came into this issue because I read the documentation!).

Using forks as a threat is laughable, anyway. This is open source, we expect you to fork. :roll_eyes:

That said, I would be interested in a way to make email address optional.

mholt avatar Jun 24 '21 22:06 mholt

Chiming in:

require('@root/acme/maintainers').init = function () {
  // ignore
};

Fork away.

coolaj86 avatar Jun 25 '21 03:06 coolaj86
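
An added example, not part of the thread and not ACME.js code: one way to confirm that an override like the one above really stops calls to api.rootprojects.org is to guard outbound requests with a host allowlist. It assumes the library's traffic goes through the `request`/`get` functions of Node's `http`/`https` modules; `installEgressGuard`, `destinationHost`, the allowlist and the fake transport are hypothetical and constructed so the block runs offline.

```javascript
// Constructed allowlist: hosts this app's ACME client is expected to reach.
const ALLOWED_HOSTS = new Set(['acme-v02.api.letsencrypt.org']);

// Destination host for the argument shapes request()/get() accept:
// a URL string, a URL object, or an options object.
function destinationHost(target) {
  if (typeof target === 'string') return new URL(target).hostname.toLowerCase();
  if (target instanceof URL) return target.hostname.toLowerCase();
  return String(target.hostname || target.host || 'localhost').toLowerCase();
}

// Wrap transport.request/get: record every destination and refuse any host
// outside the allowlist before the original function (and a socket) is reached.
function installEgressGuard(transport, allowed, log) {
  const original = { request: transport.request, get: transport.get };
  for (const name of ['request', 'get']) {
    transport[name] = function guarded(target, ...rest) {
      const host = destinationHost(target);
      const permitted = allowed.has(host);
      log.push({ host, permitted });
      if (!permitted) throw new Error(`egress to ${host} blocked: not on allowlist`);
      return original[name].call(transport, target, ...rest);
    };
  }
  return () => Object.assign(transport, original); // uninstall
}

// Offline demonstration with a constructed stand-in for require('https').
// Real use (assumption): install on require('https') before loading the library.
function demo() {
  const fakeHttps = {
    request: (target) => ({ sentTo: destinationHost(target) }),
    get: (target) => ({ sentTo: destinationHost(target) }),
  };
  const log = [];
  const uninstall = installEgressGuard(fakeHttps, ALLOWED_HOSTS, log);
  fakeHttps.request('https://acme-v02.api.letsencrypt.org/directory');
  let blocked = null;
  try {
    fakeHttps.get({ hostname: 'api.rootprojects.org', path: '/' }); // constructed call
  } catch (err) {
    blocked = err.message;
  }
  uninstall();
  return { log, blocked };
}

console.log(demo());
```

The guard only sees traffic that passes through the wrapped functions; code that uses the global `fetch` or opens `net`/`tls` sockets directly needs network-level egress filtering instead.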

As for the FUD, thus quoth the README:

| Parameter | Description |
| --- | --- |
| customerEmail | Don't use this. Given as an example to differentiate between Maintainer, Subscriber, and End-User |
| maintainerEmail | should be a contact for the author of the code to receive critical bug and security notices |
  • Maintainer != Subscriber
  • Maintainer !== End-User

Don't subscribe your users to security updates. I think there's even a warning that goes out to the console about this under certain conditions.

Do subscribe yourself to security updates, or fork and rebrand for your own purposes. :)

coolaj86 avatar Jun 25 '21 03:06 coolaj86