Make it harder to upload by accident

[timmc-bcov]

I'd love to use asciinema, and popularize its use at work (especially for tracking production datacenter access), but it makes me really nervous how easy it is to accidentally upload a session to the website. I don't want to encourage people to use a tool that would lead them to unintentionally exfiltrate customer data or production secrets.

I don't have a particular implementation in mind. Here are a few I can think of:

• Don't ask to upload right after recording; instead, require people to run asciinema upload <path/to/file> separately
• Instead of pressing enter to upload, require them to type y or even yes
• Instead of uploading anonymously, require them to choose a username

[Jamesking56]

Or maybe even just a flag like --no-upload?

[timmc-bcov]

I'd be nervous about anything that requires users to take positive action to not upload sensitive information.

[ku1ik]

I see where you're coming from @timmc-bcov. These are valid points, and I agree current behaviour could lead to some information leak.

I run the instance at asciinema.org. Even though I find myself as a privacy and security concious person, and I'm doing my best to guard these, you probably should not trust me/asciinema.org too much. Just as a good principle (uploading something to the internet has many risks).

Many people love the simplicity of recording+sharing on asciinema.org, which, among others, comes from the fact that you get secret URL, with no upfront signup, and with very little ceremony to upload (mentioned "enter"). This could be seen as a double-edged sword by some (and they would be right). So I guess it's a matter of compromise.

I'm definitely open to discussing this further. The above "no-hassle experience" (or "too-easy" when looked from different angle) could be made an opt-in, not a default. The option of requiring yes instead of just enter also seems like a reasonable way.

[timmc-bcov]

Perhaps the right approach is to store an additional configuration field of whether the user is interested in doing uploads.

If they already have a user token, but that configuration option is not present, assume they're interested. This migrates existing users.

If neither is present, such as on a first run, display a message asking if the user would like to upload the video, noting that it's a public server, etc. Require them to type "yes" or "no" and save that preference, and if they chose "yes" then proceed as before.

I think this would allow a seamless transition for existing users and would only slow down the first-upload experience. It would potentially be a breaking change for any scripts that use asciinema's interactive interface with expect or similar, but they should already have a user token saved anyhow.

Does that sound about right?

[matthiasbeyer]

Automatic upload is an absolute no-go!

[bsima]

How about an environment variable at runtime or compile time that disables upload? In a corporate setting presumably we have control over these variables and can set something like ASCIINEMA_NO_UPLOAD=1 across all builds/machines. If the user overwrites this var, well that's on them.

In lieu of this feature, you could always use script and scriptreplay which is basically the same but slightly less convenient.

[matthiasbeyer]

How about the other way round? A flag that enables the upload, making it off by default! The whole issue is that uploading by accident is the problem, so make it hard to upload by accident would mean that someone has to explicitely say that they want upload.

[jikkujose]

I am shocked why anyone would think auto upload is even partly okay. It's just insane.

Its so weird that it's suspicious the intent behind this.

The default options should align with what users expect. Also, the following is an interesting read that aligns with why such nonsense should be avoided.

I am sorry for being so agitated! But, I couldn't control my anger seeing how the program behaved! Uploading the test video plus naming the account with my username! It's simply insane.

https://blog.codinghorror.com/falling-into-the-pit-of-success/

[ku1ik]

If you'd like to completely prevent uploads today you can set ASCIINEMA_API_URL=http://nope variable (e.g. in your shell config), or put this in the config file:

[api]
url = http://nope

This is a temporary workaround for those who know though, so not a real solution for new users.

[ku1ik]

Proper fix, asciinema/asciinema#576, is coming in v2.4.0, which is around the corner.

[ku1ik]

Just released 2.4.0 with improved prompt which requires explicit choice: https://github.com/asciinema/asciinema/releases/tag/v2.4.0

[ku1ik]

I have reworked the upload related behavior for the upcoming asciinema 3.0:

1. asciinema rec now always requires a filename and never does any uploading - to upload you will use explicit asciinema upload <filename>
2. There's no implicit asciinema server URL configured - on first use (first upload or auth command) you will see a prompt asking for a server URL, with asciinema.org being suggested. Once confirmed the server URL will be saved and reused for future uploads.

I hope this addresses most of the concerns. You won't be able to accidentally upload anything anywhere, because it will require intent (asciinema upload), and a configuration step (server URL prompt).

When presented with a prompt you would confirm the use of asciinema.org or you would enter the URL of your self-hosted asciinema server instance. You will still be able to pre-configure the server URL in the config file via server.url = "..." to avoid the prompt.

3.0 hasn't been released yet, but it's close. If you'd like to test it then here's a release candidate (also providing binary downloads for Linux and macOS): https://github.com/asciinema/asciinema/releases/tag/v3.0.0-rc.1

Let me know if this looks like a good solution. Thanks!

[timmc]

That sounds great, thank you so much! (I'm timmc-bcov, writing under my personal account.)