GNOME Software is the default application for managing software in the GNOME desktop environment. It also lets you receive firmware updates through an underlying daemon called “fwupd”, which relies on a platform called “LVFS”.

To make the relationship clearer: LVFS is the online platform where hardware vendors upload new versions of their firmware, which are then made available for download via fwupd. GNOME Software uses the fwupd daemon to download and install these updates; fwupd is a dependency of GNOME Software.

The whole ecosystem is developed mainly by Richard Hughes, who currently works for Red Hat and is also the original creator of PackageKit. It is worth mentioning that Red Hat does not develop or manage the project directly; rather, it contributes financial and logistical support.

The Privacy Concern


fwupd is an integrated part of GNOME Software. To receive updates for the firmware in your computer, fwupd retrieves a metadata file from (which is named LVFS) and matches it on the client side against the firmware present to see whether an update is available. If there is one, the firmware file is downloaded and installed from

Additionally, each time GNOME Software checks for updates, fwupd sends your hashed machine ID, IP address, current Linux distribution name and version, and client user-agent to

According to, some of this data is shared with third-party hardware vendors, who may be interested in the number of people downloading these updates and which Linux distributions they use. IP addresses are not shared, but client user-agents and hashed machine IDs are. This privacy policy is guaranteed by the developer himself, not by a company or an organization:

As the Data Protection Officer, Richard Hughes has overall responsibility for the day-to-day implementation of this policy. The DPO is registered with the Information Commissioner’s Office (ICO) in the United Kingdom as a registered data controller.

The issue here is that GNOME Software users have no idea that such data is being sent or collected. An ordinary user does not expect his software center to download updates from an online website without telling him so. When GNOME Software is opened for the first time, no privacy policy is displayed and no message informs the user that such data is collected and sent to in the first place.

There’s no indication when using GNOME Software that will be used to update the firmware packages.

Currently, the main developer behind GNOME Software announced that 100 million files are being downloaded from each month. Most of them are metadata files. This is due to the fact that both GNOME Software & fwupd are installed by default on all modern major Linux distributions, such as Ubuntu and Fedora. The developer was able to produce the following chart from the data he has:


This is a huge amount of data about, and access to, Linux users in the hands of a single developer. The collection of such data should be opt-in rather than opt-out by default, to respect the privacy of users who do not want to use the service to check for firmware updates. At the very least, the privacy policy covering the collection of this data should be displayed on first use of GNOME Software; otherwise users will not know that such data is being sent.

The other issue is that until a few weeks ago there was no way to disable fwupd integration in GNOME Software. Only after version 3.26 (not included) did the developers add an option in the settings page to disable the fwupd service. Before that, if you used GNOME Software you were forced to use fwupd; you could not even disable it graphically.

According to the developer, is hosted on Amazon EC2. Amazon (besides many other companies) has donated $2000 per year to develop the project and also provides some hosting features for free. The project’s domain name is registered in the personal name of its developer (as you can check from

The privacy policy page states that the metadata users send to is stored for a maximum of 5 years:

Anonymized user data (e.g. metadata requests) will be kept for a maximum of 5 years which allows us to project future service requirements and provide usage graphs to the vendor.

The developer says that IP addresses are not stored on Sadly, since this is a server-side claim, there is no way for users to verify it. Likewise, the machine ID collected from /etc/machine-id is said to be salted and hashed before it is shared with vendors.

A single bottleneck managing the hardware data of all Linux desktop users would not be a good idea.

A Security Concern

The platform allows hardware vendors to create an account by emailing the project’s founder. Vendors can then see how many users their hardware has and which operating system and client those users run. Vendors can push .cab files, which GNOME Software later downloads to users. These .cab files are said to be tested by a separate QA team before being released to users.

The security issue lies in maintaining the infrastructure for If it were compromised, the thousands of daily requests to the server and the data it holds could be leaked. The team behind claims that many professional teams work on securing the platform according to industry best practices, but a user has no way to verify this.

We could not find reports or sources on how many people in total are behind the whole project, or how many review the .cab files pushed by vendors. The metadata stored in is said to be kept on a LUKS-encrypted filesystem hosted on Amazon.

Another concern is that the developers are not fully funded; there have been multiple calls for donations by the developers:

At the moment the secure part of the LVFS is hosted in a dedicated Scaleway instance, so any additional donations would be spent on paying this small bill and perhaps more importantly buying some (2nd hand?) hardware to include as part of our release-time QA checks.

And another one:

The current CDN (~$100/month) is kindly sponsored by Amazon, but that won’t last forever and the donations I get for the LVFS service don’t cover the cost of using S3. Long term we are switching to a ‘dumb’ provider (currently BunnyCDN) which works out 1/10th of the cost.

This raises questions about the future of an ecosystem handling 100 million requests per month.

A Suggested Solution

We believe the following should be taken into consideration to solve the issues above:

  1. GNOME Software should drop fwupd as a hard dependency, because once the fwupd package is installed it checks for updates in the background automatically (the fwupd daemon autostarts after boot) and sends the data to without any user action.
  2. GNOME Software should disable the use of for firmware updates by default. Users who wish to use such a service should opt in themselves.
  3. When the fwupd service is activated, a privacy policy dialog should be displayed telling users what is going to be collected and why.
  4. The project’s domain name and infrastructure should be managed and run by an organization or company, and more detailed information on who has access to the infrastructure and works on it should be available.
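Added example, written for this article rather than taken from it or from the fwupd project: a small audit script for the opt-out discussed above. It reports which fwupd remotes are enabled and flips a remote definition to `Enabled=false`, assuming fwupd's keyfile layout under `/etc/fwupd/remotes.d/*.conf`; `FWUPD_REMOTES_DIR` is a hypothetical override so the demo runs against a constructed temporary directory.

```shell
#!/bin/sh
# Added example, not code from the article or the fwupd project. It audits
# fwupd remote definitions for the opt-out described above: report which
# remotes are enabled and switch one to Enabled=false.
# Assumption: remotes are keyfiles under /etc/fwupd/remotes.d/*.conf with an
# "Enabled=true|false" key (fwupd's layout). FWUPD_REMOTES_DIR is a
# hypothetical override so the demo below runs against a temp directory.
REMOTES_DIR="${FWUPD_REMOTES_DIR:-/etc/fwupd/remotes.d}"

# remote_state FILE -> "enabled" or "disabled" (a missing key counts as disabled)
remote_state() {
    if grep -qiE '^[[:space:]]*Enabled[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$1"; then
        echo enabled
    else
        echo disabled
    fi
}

# list_enabled_remotes DIR -> file stem of every remote with Enabled=true
list_enabled_remotes() {
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue
        [ "$(remote_state "$f")" = enabled ] && basename "$f" .conf
    done
    return 0
}

# disable_remote_file FILE -> rewrite Enabled=true as Enabled=false (portable sed)
disable_remote_file() {
    tmp="$1.tmp.$$"
    sed 's/^\([[:space:]]*Enabled[[:space:]]*=[[:space:]]*\)[Tt]rue/\1false/' "$1" > "$tmp" \
        && mv "$tmp" "$1"
}

# Demo on a constructed remotes directory; no real system file is touched.
demo_dir=$(mktemp -d)
printf '[fwupd Remote]\nEnabled=true\nTitle=Linux Vendor Firmware Service\n' > "$demo_dir/lvfs.conf"
printf '[fwupd Remote]\nEnabled=false\nTitle=LVFS testing remote\n' > "$demo_dir/lvfs-testing.conf"
echo "enabled before: $(list_enabled_remotes "$demo_dir" | tr '\n' ' ')"
disable_remote_file "$demo_dir/lvfs.conf"
echo "enabled after:  $(list_enabled_remotes "$demo_dir" | tr '\n' ' ')"
rm -rf "$demo_dir"
# On a live system: list_enabled_remotes "$REMOTES_DIR"; the daemon-side
# equivalent of disabling the LVFS remote is "fwupdmgr disable-remote lvfs".
```

Editing the remote file directly only takes effect once fwupd re-reads its configuration, which is why the daemon's own `fwupdmgr disable-remote` is the cleaner route on a running system.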

The Bottom Line

Here, we do not question the sincerity or authenticity of the project’s developers; we seek to let users know what is happening under the hood of their software center. We also believe that such infrastructure should be more transparent about how it is secured and managed, and about how the data is stored and accessed.

As a result, this ecosystem will have access to millions of Linux machines worldwide, and putting all the eggs in one basket is concerning. We believe that this model was implemented with good intentions, for the sole purpose of serving users for free. But privacy is becoming a very important issue, especially these days with the so-called hijacks of data around the world.

At the end, we would like to thank Richard and all others for their work on free/libre software.

Update @ 14 Apr, 03:49: The developer clarified that the hardware information of a user doesn’t get sent to As such, this article was updated.

Update @ 18 Apr, 19:12: To clarify this even more, firmware matching for updates is done on the client side, not the server side, meaning that GNOME Software (or fwupd) does not send hardware information to as this article said initially. This claim was online for around 10 hours after publishing the post before it was taken down. We would like to publicly apologize to Richard and anyone who read the article in that period for making such a claim without making sure of it first.

However, it’s extremely important to also say publicly that this article (in its current form) is valid and true. GNOME Software (fwupd) was confirmed to send client user-agent, IP address, timestamp, OS distribution name and OS version to upon each firmware downloading process (or checking for firmware updates manually by the user). Sending 5 forms of data instead of 6 doesn’t mean that the whole thing is false. The connection to to provide the firmware updating service is a place of concern because it doesn’t belong to the user nor the Linux distribution’s makers (Ubuntu, Debian, Fedora, openSUSE..) and happens without users even knowing. Users knowing of this service is important, and is the main point of this article.

Just 2 days ago, and after 48 hours of publishing this post, the developers have pushed a commit to the GNOME Software code titled: “Add a warning when enabling the LVFS remote”. Here’s the commit message:

 Distributions like RHEL do not enable the LVFS by default and the legal team here say we need to add some agreement text which is shown before we enable downloading content from an external source.

These concerns have no bearing on the quality or work of the LVFS project itself. Being able to update the BIOS on a Linux system without needing Windows is a huge achievement. This article does not say that fwupd (or GNOME Software) is bad, poorly written or should not be used; it discusses “concerns” related to privacy and security, nothing more and nothing less.

Richard Hughes

If you have a specific concern can you please email me (Richard Hughes) and we can discuss? The biggest claim here seems to be that we’re sending details of the hardware to the LVFS, but that’s simply not true; we just download a common metadata file and do all the matching client side for privacy. The service is carefully designed with privacy in mind; do you see any other web services with public GDPR statements yet? If it helps, the LVFS is in the process of moving to be hosted by the Linux Foundation, but you’ll understand this can’t happen…

Richard Hughes

Sure, we get the IP address and the user-agent when downloading the firmware file. The metadata is downloaded from the CDN so we see very little as there are basically no logs there. You only upload the firmware report when you’ve actually done a firmware update and you want to *opt-in* to sharing metadata with us. We show you in the console exactly what data is sent; the *exact* json string. I have four main problems with your article: * You’ve included my home address, personal telephone and personal email as part of your article. This is not necessary in…

Richard Hughes

You’re still not getting it. The metadata is coming from the CDN which erases the logs after 3 days, we don’t use any of the data from the CDN in any analysis or store it in any database. We only store the user agent and hashed IP address on when you download firmware. > I hope you recognize that FOSS Post is an Internet website, right I do, but I also know how to create a website without all those tracking cookies. I think you need to be aware that if you’re lecturing other people on a *tiny* privacy issue…

Matthew Garrett

> – I am not sure about where did I mention in the article that BIOS firmware can infect the users if website is hacked. Please read the article again. We said the requests to the firmware can be leaked and the data reserved (for a maximum of 5 years) can be leaked. Not a firmware injection or something. The article originally included this: “If hacked, millions of Linux machines can be vulnerable to firmware malwares which can cause permanent hardware losses” You deleted that, but Richard was clearly responding to the original version. It’s amazingly dishonest to pretend that…

Matthew Garrett

The fact that you made that claim was repeated elsewhere, and Richard was responding to that. But I guess you’re admitting to having said the thing that you denied saying?

Mark Braught

Richard, thank you for all of your work!!! After reading this full article and all of the comments, this guy is seemingly attacking your work for no apparent real reason. If he is worried about privacy there are a whole lot of other places to look before attacking you.


This article is clearly not well researched and only serves to damage the reputation of fwupd; a great tool that easily enables firmware updates. Richard Hughes has done a lot for the community and just recently I used his work to update a controller I bought for my SNES classic:

If you’re really an open source software enthusiast I hope you’ll retract this article and discuss any issues you have with Richard directly instead of needlessly damaging the reputation of an open source project like you have.

Richard Hughes

> Just 2 days ago, and after 48 hours of publishing this post, the developers have pushed a commit to the GNOME Software Dude, you’re making the same mistake *again*. We started working on this feature about a month ago, well before you posted this article. See for the discussion. There are even older PRs for lvfs-website before that one too. It was being driven by a requirement inside Red Hat, which disables the LVFS by default in RHEL. The requirement was to make it easier to actually enable and also explain to the user that it…


Thank you for this article – it is truly enlightening. I am just a “normal” Linux user I suppose and very much care about my personal data, even my IP address and client user agent data and other things being sent from my machine without my authorization and knowledge. I am so shocked by how aggressive “Richard Hughes” has been in these comments. I am sure his work is great, but his thinking and actions seem to be unethical with respect to privacy, security and respecting other people’s views. I expect this level of arrogance from Facebook,…


Ahahaha, this dude in the comments was attacking the article and how bad it is and bla bla, and here is what happened just a few months ago:

Thank you FOSS Post for telling us about this crapware put inside our machines without knowing. You were absolutely right in your concerns.
