make it clearer that crash files may contain private data and make it easier to opt out

Extracting information from the corefile on the local machine would involve downloading and installing all the corresponding -dbg packages for all packages and libraries associated with the crashed process. Many users do not have the bandwidth nor storage space to install gigabytes of -dbg packages to just run a quick stack trace.

Thus, this compromise of sending the corefile to our retracers, which do have the bandwidth and storage, and automatically strip the coredump from launchpad once the stack trace has been generated.

I personally feel that the safeguards are strong enough that I do choose to submit my own corefiles through this service, but that is because I have good visibility on how the corefiles are handled. I can easily understand how someone else may come to a different conclusion, though, without this visibility.

Thanks

Status changed to 'Confirmed' because the bug affects multiple users.

This is a good reason to make sending corefiles a non-default feature. Is it even possible to send a crash report without an attached core dump? I only noticed the feature to disable crash reporting entirely.

Another problem is that core dump files can be enormous, and perhaps a computer with a slow network connection may not be switched on long enough to allow the upload to ever complete. I logged that separately at https://bugs.launchpad.net/whoopsie/+bug/1179364, but it seems that bugs there aren't monitored.

From my point of view, daisy.ubuntu.com is a black box. And I would like to be warned before sending private data to such a black box instead of being encouraged. The only way (I am aware of) to avoid the exposure of private data is to not create/collect it.

What Gary says is also important. Especially upload bandwidth seems to be "limited resource". Whoopsie could be patched to ignore "CORE" requests from daisy, which should be the default. If one wants to send the core dumps so badly, a solution might be to have an opt-in selection (with an appropriate warning).

I think this is really a request for apport, which shows the error dialog, instead of Whoopsie, which if I understand it correctly just uploads anything dumped in /var/crash to daisy.ubuntu.com. It's quite a neat system, and I may find these crash reports in /var/crash useful now that I know how to unpack them.

I have some other suggestions (I'm assuming that the crash reports are still useful without the core dump included):

* Add a second checkbox in the crash dialog for "include core dump".
* Add a warning beside this checkbox like "The core dump contains the program and the data it was working with. It's size is 4032MB which may take some time to upload."
* If the core dump is larger than a given size (configurable somewhere, maybe a couple of MB by default) then untick the option in the dialog so that it's not included by default. Or maybe untick the box by default in every case.

Interesting quote from http://www.washingtonpost.com/business/technology/report-nsa-intercepts-computer-deliveries/2013/12/29/dc14c3da-70a2-11e3-bc6b-712d770c3715_story.html?clsrd

One of the most striking reported revelations concerned the NSA’s alleged ability to spy on Microsoft Corp.’s crash reports, familiar to many users of the Windows operating system as the dialogue box which pops up when a game freezes or a Word document dies. The reporting system is intended to help Microsoft engineers improve their products and fix bugs, but Der Spiegel said the NSA was also sifting through the reports to help spies break into machines running Windows. One NSA document cited by the magazine appeared to poke fun at Microsoft’s expense, replacing the software giant’s standard error report message with the words: “This information may be intercepted by a foreign sigint (signals intelligence) system to gather detailed information and better exploit your machine.”