Skip Navigation

Phone home tracking image in DocuSeal, and how to remove it

www.reddit.com /r/selfhosted/comments/1dr2nby/phone_home_tracking_image_in_docuseal_and_how_to/

Kinda proud of this, so forgive me while I brag. I found a likely "phone home" tracking image in DocuSeal. I searched around: there was an extant issue about the image. I asked the devs: would they accept a PR to remove the image? A maintainer responded quickly that they were not interested in a PR to remove it, so I forked it in minutes with my tiny hack, built a new Docker image and re-deployed to my server after making a one-line change in a Docker Compose file.

Here's the hack: https://github.com/meonkeys/docuseal/commit/e710678d

Happy to share my compose config as well if folks are interested.

I do want to put in a plug for DocuSeal: they made an excellent thing. It's a fast and beautiful app for adding signatures to PDFs, similar to DocuSign or HelloSign, but awesomely AGPL licensed and easy to self-host. I got it running in minutes and it worked very well. I support what they're doing and I want to see them succeed. OpenSign looks cool too but I haven't tried that one yet.

So yeah. Self-hosting and FOSS FTW!


cross-posted to: reddit r/selfhosted (there's no additional content in the post at that link. Sorry, I should have posted on Lemmy first! Anyway, above is the copy/pasted post so you can get it without having to use reddit)

9

You're viewing a single thread.

9 comments
  • Okay, well they were very clear about it, and they have a pro version, so aren't removing the customizations that exist.

    Secondly, that isn't a "phone home" bit that you hacked around, it's literally a header that loads a GitHub badge, and that's it. It's part of a lot of open source projects.

    Blocking the DNS of the GitHub host it's calling back to is sufficient enough for everyone if this is a concern (it's of no security concern, freal), and you don't need a fork for this to be fixed. Maintaining a fork is an insane amount of work, and trusting someone who is maintaining a forked repo is WAYYYYYY more risky than just using the official repo, which has thousands of stars, and multitudes of users poking through it's code.

    I for one would never touch your forked repo without doing a full diff, and I'm not going to worry about doing that every time a release is missed by you, or a fix isn't upstreamed...yada yada. I would just use the official repo, and block the offending GitHub domain if I found it offensive, which I don't.

    Know what I mean?

    • this isn't a "phone home"

      are you sure? I'm not. In truth, only they know. Here's the code I worked around in my fork. Why does it fetch an external image? They could just include it in the repo. Why is it fetched from docuseal.co? I would guess GitHub renders badges like this too.

      Blocking the DNS of the GitHub host

      Sure, but why not default to privacy in the upstream source? Why make users and self-hosters do extra work? Feels more like a penalty for non-Enterprise users than a benefit for paying up: you'll either pay with money or your data.

      Also note: it is actually docuseal.co that would be blocked (I incorrectly guessed it pulled the image directly from GitHub), so that's probably not as big of a deal than blocking, say, GitHub for a LAN with multiple tech-savvy users.

      they were very clear about it

      I disagree. I'll grant you they made a clear decision (and quickly), but didn't explain further. Frankly I found their replies a bit confusing; they implied the issue as entirely about OEM/white-labeling and avoided the tracking/phone home question. They should just clarify why the badge actually exists when the question came up the second time.

      Maintaining a fork is an insane amount of work

      Agreed that maintaining a fork is work. But, I mean, check mine out, please. It's 3 lines, and could probably be reduced to a few characters. I'd still love to avoid the fork because your other reasons are quite valid, especially about trust. That's what this is really about, to be honest. I don't trust this isn't a phone home, and I don't want to have to trust them on this.

      I’m not going to worry about doing that every time a release is missed by you

      100% agreed.

      they have a pro version, so aren’t removing the customizations that exist

      I don't understand. Will you explain what you mean here?

      It’s part of a lot of open source projects.

      If you mean badges on GitHub repo home pages then yes, I agree.

      If you mean mandatory phoning home or, really, reaching out for any images/static assets from a self-hosted service, I disagree.

      Here's the right way to do it (again, assuming this is a phone home): be 100% transparent that/if it is a phone home, have a privacy policy around data collected, and make it disabled by default. Traefik does this, for example. They have a phone home toggle called TRAEFIK_GLOBAL_SENDANONYMOUSUSAGE that defaults to false. Note the especially privacy-concerned (and perhaps less upgradae-concerned?) may wish to disable TRAEFIK_GLOBAL_CHECKNEWVERSION as well.

      it’s of no security concern, freal

      I never claimed it was. Maybe my fork will have security improvements as well someday, but right now it just has this one tiny patch. And again, I agree with your other points about forks: best case is this fork becomes unnecessary (as transparency around the badge increases).

      • Friend, please listen to reason.

        The "code" you linked to is not functional code of any sort. Not to be nitpicky, it's just an HTML image tag, so its Markup at best. All you did was stop the loading of an SVG image. The fact that they source it from their own domain tells you everything: they have a script that runs to check the current number of stars, then generates this image that reflects that. SVG is an image format. It's really standard.

        All your other points you're making because you do not have much experience in the software realm, which I'm not saying to be dismissive or anything at all, I'm simply illustrating that all the points you're questioning or mentioning are 100% standard.

        • you don't make a fork for three lines of code and ask others to "check it out". If anything, just point out the issue and post a diff or a script to fix it. Simple.
        • They have a pro version, and are using images they generate in a template viewed by users to promote its popularity and try to sell pro. They're running a business out of this. Not every FOSS project is non-profit, and these people are simply trying to sell a product AS WELL as keep it open source for others to enjoy, like yourself. Feel lucky to have the privilege they are letting you use it for free.
        • The term "phoning home" as you're trying to use it, is wrong. You're implying that it is functionally doing something unexpected. It is not. It is sourcing an image in HTML. The suspicious type of phoning home is code that executes locally and pulls down other functional bits of code that alter the way the software APPEARS to be used. It's a way of obfuscating something shady, like a virus, or malware. This is not that kind of code.
        • If your concern is simply that the code you've run is sourcing an image from somewhere, I can only imagine how upset you'll be to learn that software repos of this size are pulling things from dozens, if not hundreds of places. This project pulls from rubygems, yarnpkgs, and the dreaded example.com.
        • Lastly, the reason that team responded to you in that manner was more that they were taken aback. Like "WTF is this person talking about? I don't get it." Realize that they were nice enough to respond, where most project maintainers would just ignore or close the issue.

        Also, you might want to freak out about the social badges being sourced in this as well. This isn't a "privacy first" project or anything. They aren't doing anytweird, you're just misunderstanding some things.

You've viewed 9 comments.