luci-app-attendedsysupgrade and owut by default?
Jonas Gorski
jonas.gorski at gmail.com
Sat Sep 27 04:30:36 PDT 2025
On Fri, Sep 26, 2025 at 5:06 PM Thibaut <hacks at slashdirt.org> wrote:
> > On 26 Sept 2025, at 16:57, Karl Palsson <karlp at tweak.au> wrote:
> >
> >> +1
> >>
> >> I think that if OpenWrt devices started *by default* to « phone home » (whether directly or via an in-browser query), that would certainly be a concern.
> >>
> >> Such a feature - while appealing - should *absolutely* be an opt-in, and not an opt-out.
> >> Opt-out may also have legal implications (e.g. GDPR?).
> >>
> > FWIW, CRA implies that it _should_ be _opt out_ for updates, and they should be enabled by default. Yes, I know some people don't like that, but people don't opt in :)
> >
> > Annex I, 2c)
> >
> > "ensure that vulnerabilities can be addressed through security updates,
> > including, where applicable, through automatic security updates that
> > are installed within an appropriate timeframe enabled as a default
> > setting, with a clear and easy-to-use opt-out mechanism, through the
> > notification of available updates to users, and the option to temporarily
> > postpone them;"
> >
> >
> > I would believe Hauke is looking at this from a CRA compliance viewpoint, ... yeah, it should be opt out, not in....
>
> I see, thanks for the explanation. I indeed don’t like it but I see the rationale, I stand corrected :)
>
> Hopefully we can make this work in an « as private as possible » way.
> Daniel’s suggestion seems pretty good in that context.

Annex I(2) is "On the basis of the cybersecurity risk assessment
referred to in Article 13(2)", and Article 13 is "Obligations of
manufacturers". Since OpenWrt is not a "manufacturer" in the CRA
sense, this may not apply to us, so arguably we could get away with
disabled by default / opt-in.

It's up to those that monetize OpenWrt to have this enabled by
default. Though more likely they'll have or want their own system for
that anyway, so what we do wouldn't have any impact on them.

We could have an opt-in package that does nothing but enable this by
default so you can easily create an image with it enabled by default.
Or remove it from the package list to have it disabled by default.

Best regards,
Jonas

More information about the openwrt-devel mailing list