New & Improved Update OS Tool

[friendlylurker]

This is worrying me a lot for three reasons:

 

1. I want to be able to maintain my Unraid server without the need to couple it with some sort of Online Account System ... just like I was able to do in the past

2. I want LimeTech to stick to their words: Life time license + free upgrades for every new version (like you can read in the Licensing FAQ)

3. The lack of official communication about this whole topic is really disturbing

 

I really hope that we will have an official statement, soon. For the moment it's all just guessing and speculations.

[PoMpIs]

I hope I don't have to pay more... I have had a "PRO" license for many years, and I am very happy with unraid...

 

If now they also make me pay per year of use, I don't think I will do it. 😔

[PlayLoud]

59 minutes ago, JorgeB said:

 

That's easy to avoid, if everyone could just stop speculating and wait for an official response, I don't believe for a second that LT would stop honoring upgrades for current lifetime keys, as for new keys in the near future, I can understand that, even if I wouldn't be my preference, but current model may just not be sustainable long term, especially if we want more and more new features.

Yup, we would all welcome an official response. Like, TODAY... and BEFORE they make any changes. The worst thing they could do would be to not respond in a timely manner.

[JohnnyGrey]

3 hours ago, Rysz said:

I'm not getting involved with the guesswork about a possible future licensing model.

Should the financial need for a subscription model arise, I'll be happy to consider it for the system I've grown to love.

 

But it really hurts me to see that Unraid as a brand is taking what seems like a lot of unnecessary PR damage right now.

Unraid has always been very community reliant and driven and I'd say that was one the most liked points besides the OS.

 

All of the hate and doomsday scenarios being spun online right now could've been avoided by better communication.

I really hope a lesson is learnt from this and we'll see more up-front communication, rather than picking up the pieces later.

 

I agree with this. I really think this should have been communicated ahead of this update rather than leaving it for the community to find hidden in the update.
 

I think a subscription model is the way to go for maintaining revenue streams, as long as the pricing is reasonable, with length-based discounts for 1, 6, 12 month lengths as an example. And of course existing licenses are grandfathered in.

[samsausages]

Unraid hasn't let me down yet.  I'm not going to worry or get upset about something that hasn't even been officially announced yet, comes from Reddit speculation on a Sunday night into a Federal Holiday... 
Unraid and LT have build more credibility with me than that, over many years.

 

I have a feeling license changes are coming with the talk of increasing the array disk limit to exceed 30.  That would explain the extra tiers. i.e. unleashed.

But as of right now, I have no reason to believe that my multiple Pro licenses won't continue to be honored as advertised.

I do understand the need for model changes, as I paid for this once and I have been getting updates for many years.  Now I do expect them to honor our agreement (lifetime), but everyone should be able to make new and unique license terms as they see fit, going forward.

Edited February 19 by samsausages

[ChatNoir]

1 hour ago, daithi said:

All due respect but are you willingly just ignoring the actual issues people are talking about?
"I don't understand the rootcause", "The code excerpt seems quite unconclusive", "I don't see any proofs or even hints of that"

Didn't see those at the time in the Reddit post. I saw those here afterwards. I'm at work so I cannot update my previous posts each time there are new posts here.

[B1scu1T]

14 minutes ago, JohnnyGrey said:

And of course existing licenses are grandfathered in.

I think this is the main thing we all want to know.

Companies change direction, usually financial drivers behind it, I can respect that... and if they make the decision to go down the subscription route to grow the product then ok.... they might lose out on some referrals based on their (up-till-now) fair pricing model, but perhaps they will gain it back with investment into features, improved support level, and documentation. Perhaps they will also get more revenue from business customers.... I totally get and can respect all of that.... but...

I'm certainly concerned by the prospect of the thing I bought being indirectly dis-honored in the ways we have seen companies treat similar situations elsewhere. The fact that:
 

Quote

"Key ineligible for future releases": "Key ineligible for future releases",

Is one of the lines that's been dug up certainly raises my eyebrow.

 

It of course could mean nothing, Limetech could come out and say, "all existing licenses will be fully honored by the spirit they were sold", but there is enough in there, IMO, for us to speculate the worst case.

[Michael_P]

Ah, the 'ol bait 'n' switch. FYI, the community makes this product worth using - and pissing them off is not good for business, whatever way you folks decide to go. Absolutely abhorrent that this is a find on reddit and not an official announcement.

 

I'm out.

[projectsunset]

Damn, this sucks.

 

After seeing the praise Unraid receives online, I've spent the last month researching and making a plan to move my home server to Unraid. Had I know they were moving to a subscription model, I wouldn't have even considered it.

 

The very first words on the purchase page are "Buy Once, Use for Life. No subscription. No hidden fees."

 

I guess I should be grateful to learn of this before actually pulling the trigger. Because if I had just purchased a license and they pulled this, I'd be pissed.

 

I'll wait for official word first, but if they move to a subscription model, I'll move on.

[psycho_asylum]

14 minutes ago, projectsunset said:

Had I know they were moving to a subscription model, I wouldn't have even considered it.

  

Well that's the thing, you don't know, I don't know, and nobody will know until an official statement is made.

[itimpi]

12 minutes ago, projectsunset said:

The very first words on the purchase page are "Buy Once, Use for Life. No subscription. No hidden fees."

 

12 minutes ago, projectsunset said:

I'll wait for official word first, but if they move to a subscription model, I'll move on.

 

They could combine moving to a subscription model with honouring their earlier statements by having a "lifetime" subscription that is equivalent to the current licences and grandfathering existing users to that subscription.  No idea if this is what is going to happen but I would personally be surprised if something like this does not happen.   That would allow users in the future to choose between one large upfront payment and smaller re-occurring payments.

[ChatNoir]

 

[Hoopster]

I don't think Limetech would spring something like a change to subscription licensing without a well-thought out plan for the future that addresses the situation with current "lifetime license" owners.  This community is too valuable to Limetech to just pull the rug out from under everyone.

 

I have recently experienced something similar with Acronis True Image (now called something else).  A couple of years ago, they abandoned perpetual licensing and went to subscription only and added a bunch of bloatware.  This was done with virtually no warning and really upset the ATI community to the extent that many threads were started in ATI support forums about the best alternatives to moving away from ATI.

 

I and many others expressed our displeasure directly to the company and now I get notices popping up in the last perpetual version of ATI which I bought and am still using that I can now purchase a perpetual license again because "they have listened to their customers." LOL

 

Same thing is going on with VueScan (excellent third-party scanning software).  It has been and still is a one-time purchase that entitles the user to lifetime upgrades which I have taken advantage of for 20 years.  However, they recently started contacting users about the possibility of paying for annual support/upgrades.

 

I got a similar email survey from Plex about my willingness to pay a subscription fee even though I own a lifetime license.  I use Plex only to manage my own media and for HDHomeRun integration. I have no interest in their streaming media services and I told them no way would I pay a subscription for something for which they advertised a one-time lifetime license.

 

It's way too early to get the pitchforks out on Limetech and I am sure they will explain everything when they are ready.  Again, I just don't envision them pulling the rug out from under us all and changing the rules of the game completely for long-time users.  Perhaps there will be some features or versions of Unraid that require a different licensing model in the future.

Edited February 19 by Hoopster

[ChatNoir]

Possibly some information here too :

 

(just started it, not sure)

[dopeytree]

Q & A about the situation here: 

 

[starbetrayer]

11 hours ago, EDACerton said:

I knew that something didn't smell right when I saw the encrypted data being sent as part of the update process. It felt like there was some motive beyond what the blog post stated. That makes more sense now.

 

This situation has (at least temporarily) damaged my faith in Unraid. Not because of the potential changes, but because of how it's being done. I hope to see more up-front communication soon.

 

I agree

[sreknob]

Back to the post thread topic here - Is there any way with the new upgrade workflow to complete a "double upgrade".

 

For example, I have one server that I hit the update button on but didn't reboot yet, and now there is a new version.

 

In the past, I could just use the update tool again to get to the current version prior to rebooting, but it appears that there is no easy way to do this "double upgrade" anymore. I now need to reboot to get to the intermediate version, then reboot again to get to latest (save manually doing the upgrade on the flash).

 

Any insights here or am I missing something?

 

Thanks!

 

Edit - for reference, I was able to get this done by using the old method, triggered by using the Update Assistant Tool, more discussion here. Perhaps this could incorporated into the new update workflow somehow by comparing the version in the previous folder to the running version and allowing a new update without overwriting the previous folder again during the upgrade.

Edited February 25 by sreknob
details from other thread

[SpencerJ]

We understand all of your privacy concerns as it's not clear what the external page does with this data, and it's not clear if the user is aware of this data being sent.

We did include a statement in the blog post that accompanied the release: 

Quote

When checking for an update the server's license information, flash information (vendor, model, GUID), and basic server details (like name, description, IP, version) are used to validate your license and help us provide a better customer experience.

We're very similar to our users in that we value our privacy, and we're not interested in collecting data that we don't need. We're also very aware of the trust our users place in us, and we take that very seriously. With this in mind, please see our updated blog where we have done our best to address some of the FAQs asked here:

 

https://unraid.net/blog/new-update-os-tool

[EDACerton]

4 hours ago, SpencerJ said:

We understand all of your privacy concerns as it's not clear what the external page does with this data, and it's not clear if the user is aware of this data being sent.

We did include a statement in the blog post that accompanied the release: 

We're very similar to our users in that we value our privacy, and we're not interested in collecting data that we don't need. We're also very aware of the trust our users place in us, and we take that very seriously. With this in mind, please see our updated blog where we have done our best to address some of the FAQs asked here:

 

https://unraid.net/blog/new-update-os-tool

Thanks for the update/FAQ.

 

I do have a question though about the data that is being sent. In the FAQ, I noticed this section:

 

Quote

Update OS checking for updates uses the following

• The server’s encoded license keyfile, OS version and branch, registration expiration date (if applicable) and Auth token is sent.

Is this a description of how this is supposed to work today, or how it will work in a future release? I ask because I tested this on one of my instances and it does not appear to behave this way... it's sending more than the described data to account.unraid.net:

1. User clicks Update OS button.
2. Local server generates long, URL-encoded blob containing the data described in this post.
3. The browser is redirected to https://account.unraid.net/c?data=blob-of-urlencoded-data
4. As a result, all of the data is sent to account.unraid.net, where it is presumably logged (since it's in the URL, and not POST) and could also be accessed programmatically. It's not just staying within the browser session.

[marvel01]

On 1/11/2024 at 7:45 PM, ChatNoir said:

From what I read on the OP (and no insider knowledge) it is until the next stable release (so 6.12.7 from what I read on the forums).

Maybe don't read too much from comments from people not from Limetech ?

Again, I have NO inside knowledge, but I see a lot of posts considering the worst option and based from nothing in the official information.

Maybe chill a bit before crying Wolf ?

Same problem I'm facing. A lot of different perspectives but no solution at all. 

[zspearmint]

15 hours ago, EDACerton said:

Thanks for the update/FAQ.

 

I do have a question though about the data that is being sent. In the FAQ, I noticed this section:

 

Is this a description of how this is supposed to work today, or how it will work in a future release? I ask because I tested this on one of my instances and it does not appear to behave this way... it's sending more than the described data to account.unraid.net:

1. User clicks Update OS button.
2. Local server generates long, URL-encoded blob containing the data described in this post.
3. The browser is redirected to https://account.unraid.net/c?data=blob-of-urlencoded-data
4. As a result, all of the data is sent to account.unraid.net, where it is presumably logged (since it's in the URL, and not POST) and could also be accessed programmatically. It's not just staying within the browser session.

 

The Unraid.net account app is a completely client-side serverless application. Reiterating that the extra key value pairs are only used to display back to the end user on the app.

 

In terms of the query param blob, this is not logged anywhere on our side.

 

For additional insight – we use Cloudflare for DNS, Cloudflare Pages for the app hosting, and Cloudflare Web Analytics.

 

According to Cloudflare themselves they do not log query parameter values. To quote – “Currently, Cloudflare Web Analytics do not log query strings to avoid collecting potentially sensitive data”.

[EDACerton]

On 2/29/2024 at 3:26 PM, zspearmint said:

 

The Unraid.net account app is a completely client-side serverless application. Reiterating that the extra key value pairs are only used to display back to the end user on the app.

 

In terms of the query param blob, this is not logged anywhere on our side.

 

For additional insight – we use Cloudflare for DNS, Cloudflare Pages for the app hosting, and Cloudflare Web Analytics.

 

According to Cloudflare themselves they do not log query parameter values. To quote – “Currently, Cloudflare Web Analytics do not log query strings to avoid collecting potentially sensitive data”.

Thanks for the additional clarity on this.

 

Perhaps I'm splitting hairs here, but I do think this is important:

Quote

This means that server details on the Account app have not been sent to any external cloud-based server. The data is referenced via the callback initialization from your server but stays within your local browser.

 

Cloudflare Pages might be a "serverless" technology, but it's still a "cloud-based server". Cloudflare Pages run Cloudflare Workers, which can be used to store data via numerous means (in fact, Cloudflare Workers is the system that I use for tracking the number of installs of the Tailscale plugin, although with the plugin I specifically avoid transmitting identifiable information).

 

In practice, the server details on the Account app are being sent to a "cloud-based server". It might be that the server-side infrastructure doesn't do anything with those details... but the privacy issue here is that it could. I can see that the data is being transmitted from watching the network traffic generated by my browser, and once that information is sent to the remote server I lose control of it -- and notably here, it's being transmitted when the privacy policy explicitly says that is not happening.

 

(Also: why transmit data to a remote server that isn't intended to be used by that server? There are other ways to get information between web applications, like CORS.)

[Badboy]

On 2/7/2024 at 12:28 AM, earnhardt said:

 

I'm the same way and still on 6.9.2 which has been running without issues 🤞and I can't afford the downtime to troubleshoot unforeseen issues. 

I think I need to build another UNRAID server just for pre-production upgrade testing....😒

docker container ps -a --format "{{.State}}"|wc -l
162
docker container ps -a --format "{{.State}}"|grep running|wc -l
41

 I gave in and upgraded, it broke Plex LOL...This might have been in the release notes, that I didn't read. I guess I had to go to the app store and download a docker patch. which fixed the issue. This patch should have been incorporated into the update, or put a big note under the update button. Maybe it's just me. Other then that no issues.

[SpencerJ]

On 3/2/2024 at 11:16 AM, EDACerton said:

In practice, the server details on the Account app are being sent to a "cloud-based server". It might be that the server-side infrastructure doesn't do anything with those details... but the privacy issue here is that it could.

Hello again-

Just to circle back here, our privacy policy and the blog FAQ "What are the events where server data is sent to Lime Technology’s servers?" outlines what exactly is sent/stored in each scenario.

 

On 3/2/2024 at 11:16 AM, EDACerton said:

it's being transmitted when the privacy policy explicitly says that is not happening.

I'm not sure when you first looked at the privacy policy, so it's possible it was not up to date with the current one posted. If so, apologies on the delay.

 

[EDACerton]

27 minutes ago, SpencerJ said:

Hello again-

Just to circle back here, our privacy policy and the blog FAQ "What are the events where server data is sent to Lime Technology’s servers?" outlines what exactly is sent/stored in each scenario.

 

I'm not sure when you first looked at the privacy policy, so it's possible it was not up to date with the current one posted. If so, apologies on the delay.

 

My comment is valid with the latest copy of the privacy policy... the "callback" data is transmitted to the remote server as part of the query string.

 

From the privacy policy (I just copied this section seconds ago):

Quote

This means that server details on the Account app have not been sent to any external cloud-based server. The data is referenced via the callback initialization from your server but stays within your local browser.

 

A devtools network capture in a browser shows that the server details are leaving the local browser by being transmitted to account.unraid.net when the "Update OS" button is clicked in the WebGUI. This behavior contradicts the statement above.