Skip to content

Privacy concern with icon downloads from default webapps list

I installed OpenSnitch to manage outbound network traffic from my computer. Within a few minutes, I saw GNOME Software attempting network connections to web.telegram.org, excalidraw.com, and devdocs.io.

Representative screenshot from OpenSnitch:

image

I did not have the GNOME Software app open at the time. I had never installed Telegram, Excalidraw, or DevDocs, or even searched for them in GNOME Software. (I have not configured custom repositories for these apps, either.)

Screenshots of my very vanilla GNOME Software configuration:

image

image

Looking at GNOME Software log output, I see the request that I intercepted:

00:05:38:372 Gs  failed to cache icon for org.gnome.Software.WebApp_78977f7aec98d1c072a768b6a366b8d99cde8df4.desktop: Error resolving “web.telegram.org”: Name or service not known

So, it's trying to download icons, in the background, while the app is closed.

This raises a privacy concern. web.telegram.org, excalidraw.com, and devdocs.io are not repositories that I can see configured in the app. They are third-party servers outside the control of GNOME and Debian. Whoever owns those servers gets to see (at least) metadata about my computer (when and where it is connecting from, and possibly fingerprint it), seemingly because GNOME Software is trying to download icons while the app is closed.

The outcome that I'd hope for is that GNOME Software only connects to third-party servers (outside of configured repositories) with my consent, and only while the app is open.

This could be related to #1848 (closed), but @abraithwaite closed his own issue and I cannot re-open it.

If you tell me to raise this issue with the Debian project instead of GNOME, I'm happy to do so.

What Linux distribution are you using, and what kind of package (RPM, deb, flatpak, etc.) are you experiencing the problem with?

Debian 12 (stable). GNOME Software 43.5 as installed with the default system.

Please attach a log of the issue, by running the following commands, reproducing the issue, and then attaching gnome-software.log here:

pkill gnome-software
gnome-software --verbose &> gnome-software.log

Done. gnome-software.log

If the problem is with the user interface, please attach a screenshot or video of it. Please attach the file directly rather than linking to an external hosting service, as external files are likely to be deleted after a while.

Thank you for considering this (and for your hard work maintaining GNOME)!

Edited by Chris Martin