Make it harder to upload by accident #31
Replies: 12 comments 1 reply
-
Or maybe even just a flag like
-
I'd be nervous about anything that requires users to take positive action to not upload sensitive information.
-
I see where you're coming from @timmc-bcov. These are valid points, and I agree current behaviour could lead to some information leak. I run the instance at asciinema.org. Even though I find myself as a privacy and security conscious person, and I'm doing my best to guard these, you probably should not trust me/asciinema.org too much. Just as a good principle (uploading something to the internet has many risks). Many people love the simplicity of recording+sharing on asciinema.org, which, among others, comes from the fact that you get a secret URL, with no upfront signup, and with very little ceremony to upload (mentioned "enter"). This could be seen as a double-edged sword by some (and they would be right). So I guess it's a matter of compromise. I'm definitely open to discussing this further. The above "no-hassle experience" (or "too-easy" when looked at from a different angle) could be made an opt-in, not a default. The option of requiring
-
Perhaps the right approach is to store an additional configuration field of whether the user is interested in doing uploads. If they already have a user token, but that configuration option is not present, assume they're interested. This migrates existing users. If neither is present, such as on a first run, display a message asking if the user would like to upload the video, noting that it's a public server, etc. Require them to type "yes" or "no" and save that preference, and if they chose "yes" then proceed as before. I think this would allow a seamless transition for existing users and would only slow down the first-upload experience. It would potentially be a breaking change for any scripts that use asciinema's interactive interface with Does that sound about right?
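The migration and first-run flow proposed in the comment above, sketched as an added example (not part of the thread and not asciinema's own code). The field names `user_token` and `upload_enabled`, the retry limit, and the fail-closed handling of non-interactive runs are assumptions made for illustration.

```python
# Added illustration. UploadConfig, upload_enabled and decide_upload are
# hypothetical names, not asciinema's real configuration keys or API.
from dataclasses import dataclass
from typing import Callable, Optional

NOTICE = ("Recordings are uploaded to a public server. "
          "Upload this recording? Type 'yes' or 'no': ")


@dataclass
class UploadConfig:
    user_token: Optional[str] = None       # present once the user has uploaded before
    upload_enabled: Optional[bool] = None  # None = preference never recorded


def decide_upload(cfg: UploadConfig, ask: Callable[[str], str],
                  interactive: bool = True, max_tries: int = 3) -> bool:
    """Return True only when the user has clearly opted in to uploading."""
    if cfg.upload_enabled is not None:
        return cfg.upload_enabled          # a saved preference always wins

    if cfg.user_token:
        cfg.upload_enabled = True          # existing user: migrate as "interested"
        return True

    if not interactive:
        return False                       # assumption: no terminal, fail closed, save nothing

    for _ in range(max_tries):
        answer = ask(NOTICE).strip().lower()
        if answer in ("yes", "no"):        # a bare Enter or "y" is not consent
            cfg.upload_enabled = (answer == "yes")
            return cfg.upload_enabled
    return False                           # no clear answer: no upload, ask again next run


def scripted(answers):
    """Constructed stand-in for input() so the flow can be exercised offline."""
    it = iter(answers)
    return lambda prompt: next(it, "")


if __name__ == "__main__":
    first_run = UploadConfig()
    print(decide_upload(first_run, scripted(["", "y", "no"])), first_run)
    print(decide_upload(UploadConfig(user_token="constructed-token"), scripted([])))
    print(decide_upload(UploadConfig(), input, interactive=False))
```
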
-
Automatic upload is an absolute no-go!
-
How about an environment variable at runtime or compile time that disables upload? In a corporate setting presumably we have control over these variables and can set something like In lieu of this feature, you could always use
-
How about the other way round? A flag that enables the upload, making it off by default! The whole issue is that uploading by accident is the problem, so make it hard to upload by accident would mean that someone has to explicitly say that they want upload.
-
I am shocked why anyone would think auto upload is even partly okay. It's just insane. It's so weird that it's suspicious the intent behind this. The default options should align with what users expect. Also, the following is an interesting read that aligns with why such nonsense should be avoided. I am sorry for being so agitated! But, I couldn't control my anger seeing how the program behaved! Uploading the test video plus naming the account with my username! It's simply insane. https://blog.codinghorror.com/falling-into-the-pit-of-success/
-
If you'd like to completely prevent uploads today you can set

[api]
url = http://nope

This is a temporary workaround for those who know though, so not a real solution for new users.
-
Proper fix, asciinema/asciinema#576, is coming in v2.4.0, which is around the corner.
-
Just released 2.4.0 with improved prompt which requires explicit choice: https://github.com/asciinema/asciinema/releases/tag/v2.4.0
-
I have reworked the upload related behavior for the upcoming asciinema 3.0:
I hope this addresses most of the concerns. You won't be able to accidentally upload anything anywhere, because it will require intent ( When presented with a prompt you would confirm the use of asciinema.org or you would enter the URL of your self-hosted asciinema server instance. You will still be able to pre-configure the server URL in the config file via 3.0 hasn't been released yet, but it's close. If you'd like to test it then here's a release candidate (also providing binary downloads for Linux and macOS): https://github.com/asciinema/asciinema/releases/tag/v3.0.0-rc.1 Let me know if this looks like a good solution. Thanks!
-
I'd love to use asciinema, and popularize its use at work (especially for tracking production datacenter access), but it makes me really nervous how easy it is to accidentally upload a session to the website. I don't want to encourage people to use a tool that would lead them to unintentionally exfiltrate customer data or production secrets.
I don't have a particular implementation in mind. Here are a few I can think of:
asciinema upload <path/to/file>
separatelyy
or evenyes