gcentral / Website

The GCentral repository for GCentral.org
MIT License

Don't mandate tracking of download history #50

Open ChrisStrykesAgain opened 4 years ago

ChrisStrykesAgain commented 4 years ago

As a consumer of packages provided by GCentral, I don't want my download history to be tracked by mandate. I do want a notification mechanism that I can subscribe to, but I would prefer it to be generic, in that it provides a list of all vulnerabilities found.

ChrisStrykesAgain commented 4 years ago

To add a little color (and to make me sound /slightly/ less paranoid), here's my rationale:

Let's say my company uses a specific package. If someone wants to compromise my company, they could create a malicious package that would appear to be an update to something I'm already using. If they could first hack GCentral to get the list of packages that I've downloaded in the past, it would make it significantly easier to target my company.

AristosQueue commented 4 years ago

I believe this paranoia should be trumped by the much more likely scenario of needing to notify everyone using a given package of a security problem. Users who sign up for the giant list of all updates are probably going to check it the first week that it comes out, maybe the second, but won't do so every week for a couple of years, constantly getting the answer "nothing for you to update", so they stop monitoring, and when a problem is found in year 3, they don't get the message. This is a typical human pattern for anything low-probability-high-risk.

You don't have to give your normal e-mail address for download (if you think you might be a high-value target). You could even give a burner address for every individual download you do. But I would prefer that we require people to give an address and then track the downloads so that we can do the software equivalent of contact tracing if a security issue is found with that package. By making it a requirement, most people will default to the easiest option of just providing a real e-mail address. As long as no further personal information is collected, I think the risk is relatively low.
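A concrete form of the "generic list of all vulnerabilities" the first comment asks for, as an added example and not code from the GCentral project: the registry publishes every advisory, and a client-side check matches that feed against a locally kept manifest, so the registry never needs a per-user download history. The feed format, advisory ids and package names are constructed placeholders, and versions are assumed to be dotted integers.

```python
import json

# Constructed sample feed: every advisory the registry publishes, with no
# per-user state. Ids, package names and versions are placeholders.
FEED_JSON = """[
 {"id": "ADV-0001", "package": "example-json",   "fixed_in": "2.4.1", "severity": "high"},
 {"id": "ADV-0002", "package": "example-serial", "fixed_in": "1.0.9", "severity": "medium"},
 {"id": "ADV-0003", "package": "example-http",   "fixed_in": "3.2.0", "severity": "critical"}
]"""

# Constructed local manifest: what this machine has installed. It is read
# locally and never sent to the registry.
LOCAL_MANIFEST = {
    "example-json": "2.3.0",   # older than the fix -> should be flagged
    "example-http": "3.2.0",   # already at the fixed version -> not flagged
    "example-other": "0.1.0",  # no advisory -> not flagged
}


def parse_version(version):
    """Assumes dotted integer versions such as '2.4.1'; compares numerically."""
    return tuple(int(part) for part in version.split("."))


def affected(installed, fixed_in):
    """An installed version is affected when it is older than the fixed release."""
    return parse_version(installed) < parse_version(fixed_in)


def match_feed(feed_json, manifest):
    """Return the advisories that apply to this manifest, matched entirely locally."""
    hits = []
    for adv in json.loads(feed_json):
        installed = manifest.get(adv["package"])
        if installed is not None and affected(installed, adv["fixed_in"]):
            hits.append({
                "id": adv["id"],
                "package": adv["package"],
                "installed": installed,
                "fixed_in": adv["fixed_in"],
                "severity": adv["severity"],
            })
    return hits


if __name__ == "__main__":
    for hit in match_feed(FEED_JSON, LOCAL_MANIFEST):
        print(f"{hit['id']}: {hit['package']} {hit['installed']} "
              f"< {hit['fixed_in']} ({hit['severity']})")
```

Because the matching is local, the catch-up problem raised in the second reply is handled by running this check on a schedule (a cron job or a build step) rather than by relying on someone to keep reading a mailing list.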