Ultimately, the problem is much bigger than /etc/machine-id since there are dozens of hardware IDs on any PC that can be used by malicious telemetry to silently to uniquely identify and track you, and the only solution to this problem currently is to make sure you really trust any software you use.
Systemd, in particular, acts a lot like malware for Linux because if you try to reset your machine-id a long list of stuff that breaks in in it. You could make a cron script to reset /etc/machine-id every day, but machine-id is so deep in the stack that you’d also have to reboot to ensure it’s updated.


I’m saying that if flatpak tried to implemenet machine-id obfuscation before releasing, they might not have ever released. By constraining their scope, they were able to focus on their other goals and release, and a lot of Linux users including me, are glad they did so. You can think of systemd’s machine-id situation in the same way
I’m saying flatpack didn’t even have to use machine-id at all for anything it does. I don’t know why you’re so invested in the idea that this was somehow necessary and nothing better is possible.
Perhaps ask in the github issue I linked earlier why machine-id is necessary at all. They may have their reasons. My guess is that it makes it easier for devs to port their applications to flatpak, namely legacy apps that depended on machine-id.
It probably does, but I suspect they just didn’t consider the problem in the first place rather than the issue being that not having a persistent id is somehow extraordinarily difficult.
You could say the same about Linux itself and machine-id. Fingerprint resistance just wasn’t in the project scope.
You could, but there was no machine-id on Linux originally and it was something that got added and arguably shouldn’t have been. Again, I’m really struggling to understand why you’re so invested in defending this decision. Like it’s obviously a bad decision, it’s not necessary, why is it so hard for you to just say that.
I feel like my argument is not that hard to follow. I’m saying that just because machine-id makes fingerprinting easier, doesn’t make it a bad decision because it could still lead to a net positive. In the Linux kernel’s case, it might have been a simple solution to other problems, at a time when fingerprinting was not a concern. In systemd’s case, it might have made it easier to accomodate legacy systems that depended on machine-id. Same with flatpak.
Linux, systemd, and flatpak are all fairly successful within their target markets. Clearly, you’re going to need more evidence if you want to claim it’s a bad decision.
In fact even if your goal is privacy and fingerprint resistance, just switching to another init system is not a panacea. First off, as mentioned in the flatpak github issue linked earlier, there are tons of other markers aside from machine-id that can be used for fingerprinting. And if you’re using a mainstream distro, your new init system is likely less supported, meaning more bugs, worse security, and potentially a net loss in privacy.
Win the battle, lose the war. This is why I brought up compromise and strategy earlier.
In the end, it’s hard to say how individual decisions like machine-id, contribute to the net result. There are pros and cons to each decision. Maybe if there was a competitor that didn’t use machine-id and pulled ahead due to that decision, but I’m not seeing one.
You have yet to explain what the net positive that machine-id brings to the table is. I’m eagerly waiting for you thesis.