peppeddu

Newbies
  • Posts

    8

Posts posted by peppeddu

  1. It sends an HTTP GET request for a file that doesn't even exist. I check the stats by looking at the 404's. There's no real payload being sent or received. It only does the ping if you're already connected to the Internet. It does the check on a background thread. I understand the concern about malware, and it's perfectly reasonable for you to raise the question. But in this specific case it's a trivial best-faith effort ping which can be easily verified by those who know how to do so. It's so benign that I honestly don't think it needs a callout in the EULA or a confirmation dialog/checkbox. You'd be surprised how many people opt-out of any kind of "statistics tracking".

    Also, the installer ping only nets me information about the version of Paint.NET, and whether installation succeeded or failed. If you want, I can tell you where the code is in SetupFrontEnd.exe and how to inspect it with Reflector. (Maybe there's an extra check that should be added for some corner case or something, akin to the dial-up scenario you mentioned). The updater nets me stats on OS version, CPU architecture (x86/x64), and language.

    There's no need to inspect the code, I just would like to know beforehand if it needs to phone home, and it will be even better to give us an option to opt out.

    I am actually one of those guys that do read the EULAs and any other documents that come with it, before installing a piece of software.

    I have a machine dedicated to all the crapware that has access only to the Internet, not the internal network.

    Paint.NET is installed in my internal network, and my first reaction after seeing the alarm popping up was, WTF?

    In 2011 "free software" usually means two things:

    #1 The developers are trying to get a wide enough user base to justify outside investors

    #2 The application just wants to get a hold of and sell your data for the privilege of using their software

    IMO Paint.NET falls into the first category. You're even signing the executable!

    You want to ping or collect usage statistics without prompting? Fine, just let us know so that we can decide accordingly and we don't get surprised when an access alarm pops up.

    Even Microsoft in their Event Log Online Help prompts the user before sending the OS version number and other data.

    Personally that's the kind of software I would want to run on my machine. I may not be the only one.

  2. EULA is End-User License Agreement, not Full Disclosure Of Everything An Application Might Ever Possibly Do (which is generally referred to as source code). There's no such thing as "grabbing your OS version number" because that isn't secret or personal data, and there aren't any weird tricks involved in getting the information (it's a simple Windows API call). Would you like a prompt every time any application queries the OS version number, accesses a file, reads or writes the registry, tries to create a new window, uses more than 1 processor core, etc.? No, of course not. You'd spend all day being spammed with Yes/No dialogs. If you want to block an application's access to a resource, then you can create a special user account just for that program and then deny it access to files or registry keys that you don't want it to have access to. Most firewalls also have the ability to block a specific application's network access.

    It's 2011. Applications use the Internet. It's not trying to hack or steal information. If it were sending over anything that could be PII (Personally Identifiable Information), then I'd have a responsibility to list something in the EULA in order to satisfy privacy concerns (and possibly laws). But it's completely anonymous. If you really want to verify it, then set up a sniffer or something and inspect the packets.

    Every respectable software that has no natural business of connecting to the Internet (e.g. a web browser) asks the user first before doing so, or it makes it clear in the EULA.

    As far as I know, Paint.NET (a paint program) doesn't fall into the above category.

    I know, it's 2011 and legitimate applications do connect to the Internet, but guess what? It's 2011 and lots of malware do connect to the Internet.

    What's the difference between the two? One thing for sure, they ask us first.

    --"Is it OK to send anonymous usage statistics?" Yes/No--

    Even those free screensaver programs mention in the EULA that they do connect to the Internet and collect non-PII.

    I hope Paint.NET can do better than that.

    Also, do you assume that everyone on the planet is on broadband just like you?

    I wouldn't want Paint.NET to start a dialup connection when I am in my hotel room overseas just because you need a ping back to the server.

    Yeah I know, I can set firewalls, sniffers, sandboxes, etc, etc.

    But if I have to do that I wouldn't want that software in the first place. Would you?

    Ask us first, you may be surprised to see how people are willing to cooperate to make Paint.NET even better.

  3. The installer pings the website so Rick can keep track of numbers of installation on what OS in what language.

    This information allows him to decide which OS's are worth continuing to support (like when XP's market share dropped low enough to nix), and which languages to include in the program.

    No personal information is sent or collected.

    OK, but why doesn't it say that in the EULA, so that I can decide whether to agree or disagree with the software installation?

    The setup program tried to grab (according to what you're saying) my OS version number without asking me first.

    And since what you say in the EULA is not true, how do we know that you're not sending also something else?

  4. What's the logic in deciding the version number of Paint.NET?

    In the Roadmap, v3.5 comes after v3.36 but isn't "36" bigger than "5"?

    It would make much more sense to use 3.50 instead, unless the "0" is implicit thus omitted.

    But if that's the case, what's the logic behind v3.10?

    The reason why I am asking is because I file all the old versions of the software I download, and this is the first time I came across something like this.

    Windows put the folder in the wrong place, or, the number system is wrong????

  5. The update checker has always been disabled (it was never enabled).

    I understand your explanation "those other connections are not Paint.NET", but from my point of view the situation is:

    - Paint.NET EULA doesn't say it connects to the 'NET without my approval.

    - I install Paint.NET

    - Paint.NET tries to connect to the 'Net without my approval.

    The EULA needs to be updated to explain this behaviour, or remove the unauthorized 'Net connection functionality from the signed DLL.

    Otherwise you may get a lot of complaints from users like me who actually read the EULA before installing anything.

  6. Paint.net v2.5 worked without a problem for quite some time.

    The other day I upgraded to Paint.net v2.6; during the installation I opted not to go online for anything (just like v2.5)

    Paint.net v2.5 never tried to connect to the 'net,

    however I just found out that when I start Paint.net v2.6 it tries 5 times (first PaintDotNet.exe, then WIAPROXY32.EXE) to connect to 202.232.140.20

    Why?
