Make it harder to upload by accident

[timmc-bcov]

I'd love to use asciinema, and popularize its use at work (especially for tracking production datacenter access), but it makes me really nervous how easy it is to accidentally upload a session to the website. I don't want to encourage people to use a tool that would lead them to unintentionally exfiltrate customer data or production secrets.

I don't have a particular implementation in mind. Here are a few I can think of:

• Don't ask to upload right after recording; instead, require people to run asciinema upload <path/to/file> separately
• Instead of pressing enter to upload, require them to type y or even yes
• Instead of uploading anonymously, require them to choose a username

[Jamesking56]

Or maybe even just a flag like --no-upload?

[timmc-bcov]

I'd be nervous about anything that requires users to take positive action to not upload sensitive information.

[ku1ik]

I see where you're coming from @timmc-bcov. These are valid points, and I agree current behaviour could lead to some information leak.

I run the instance at asciinema.org. Even though I find myself as a privacy and security concious person, and I'm doing my best to guard these, you probably should not trust me/asciinema.org too much. Just as a good principle (uploading something to the internet has many risks).

Many people love the simplicity of recording+sharing on asciinema.org, which, among others, comes from the fact that you get secret URL, with no upfront signup, and with very little ceremony to upload (mentioned "enter"). This could be seen as a double-edged sword by some (and they would be right). So I guess it's a matter of compromise.

I'm definitely open to discussing this further. The above "no-hassle experience" (or "too-easy" when looked from different angle) could be made an opt-in, not a default. The option of requiring yes instead of just enter also seems like a reasonable way.

[timmc-bcov]

Perhaps the right approach is to store an additional configuration field of whether the user is interested in doing uploads.

If they already have a user token, but that configuration option is not present, assume they're interested. This migrates existing users.

If neither is present, such as on a first run, display a message asking if the user would like to upload the video, noting that it's a public server, etc. Require them to type "yes" or "no" and save that preference, and if they chose "yes" then proceed as before.

I think this would allow a seamless transition for existing users and would only slow down the first-upload experience. It would potentially be a breaking change for any scripts that use asciinema's interactive interface with expect or similar, but they should already have a user token saved anyhow.

Does that sound about right?

[matthiasbeyer]

Automatic upload is an absolute no-go!

[bsima]

How about an environment variable at runtime or compile time that disables upload? In a corporate setting presumably we have control over these variables and can set something like ASCIINEMA_NO_UPLOAD=1 across all builds/machines. If the user overwrites this var, well that's on them.

In lieu of this feature, you could always use script and scriptreplay which is basically the same but slightly less convenient.

[matthiasbeyer]

How about the other way round? A flag that enables the upload, making it off by default! The whole issue is that uploading by accident is the problem, so make it hard to upload by accident would mean that someone has to explicitely say that they want upload.