> Le 26 sept. 2025 à 16:57, Karl Palsson <[email protected]> a écrit : > >> +1 >> >> I think that if OpenWrt devices started *by default* to « phone home » >> (whether directly or via an in-browser query), that would certainly be a >> concern. >> >> Such a feature - while appealing - should *absolutely* be an opt-in, and not >> an opt-out. >> Opt-out may also have legal implications (e.g. GDPR?). >> > FWIW, CRA implies that it _should_ be _opt out_ for updates, and they should > be enabled by default. Yes, I know some people don't like that, but people > don't opt in :) > > Annex I, 2c) > > "ensure that vulnerabilities can be addressed through security updates, > including, where applicable, through automatic security updates that > are installed within an appropriate timeframe enabled as a default > setting, with a clear and easy-to-use opt-out mechanism, through the > notification of available updates to users, and the option to temporarily > postpone them;" > > > I would believe Hauke is looking at this from a CRA compliance viewpoint, ... > yeah, it should be opt out, not in....
I see, thanks for the explanation. I indeed don’t like it but I see the rationale, I stand corrected :) Hopefully we can make this work in an « as private as possible » way. Daniel’s suggestion seems pretty good in that context. T. _______________________________________________ openwrt-devel mailing list [email protected] https://lists.openwrt.org/mailman/listinfo/openwrt-devel
