They used to recommend using the MAC address. This was OK 30 years ago when a computer sat in an office on a desk, but it makes it very easy to fingerprint a moving computer as it moves across different networks.

Using a random address (Privacy Extensions) solves this problem, though. But do we expect everyone to know what that is and check it's enabled? Mine wasn't enabled by default (on Linux) and I only noticed when a BitTorrent site warned me.

As mentioned by GP, Apple enables privacy extensions on all their OSes:

* https://support.apple.com/en-ca/guide/security/seccb625dcd9/...

As does Windows (since Vista), and Android (8+).

So why are we still talking about this?

Could you publicly shame the distro that had that issue? Pretty sure it should be the default (on NixOS at least it is).

Fedora doesn’t enable privacy extensions by default, if I recall correctly.

Debian does.
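
Added example, not part of the thread above: a Python sketch that spots MAC-derived (modified EUI-64) interface identifiers in IPv6 addresses and interprets the Linux `use_tempaddr` sysctl that controls Privacy Extensions. The sample addresses use the 2001:db8::/32 documentation prefix with a constructed MAC, and the function names are hypothetical.

```python
import ipaddress
from pathlib import Path

def embedded_mac(addr):
    """Return the MAC inside a modified EUI-64 interface ID, else None."""
    # Drop any zone index (%eth0) or prefix length (/64) before parsing.
    bare = addr.split("%")[0].split("/")[0]
    iid = ipaddress.IPv6Address(bare).packed[8:]   # low 64 bits
    # EUI-64 inserts ff:fe between the two halves of the 48-bit MAC.
    # A random ID can match by chance (1 in 65536), so treat a hit as a hint.
    if iid[3:5] != b"\xff\xfe":
        return None
    # The universal/local bit (0x02 of the first octet) is inverted.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def tempaddr_policy(value):
    """Meaning of net.ipv6.conf.<iface>.use_tempaddr on Linux."""
    if value <= 0:
        return "disabled"
    if value == 1:
        return "enabled, public address preferred"
    return "enabled, temporary address preferred"

def audit_host(root="/proc/sys/net/ipv6/conf"):
    """Map each interface to its Privacy Extensions policy (Linux only)."""
    return {f.parent.name: tempaddr_policy(int(f.read_text().strip()))
            for f in sorted(Path(root).glob("*/use_tempaddr"))}

# Constructed sample: one host seen on two networks, plus a random ID.
SAMPLES = [
    "2001:db8:a:1:211:22ff:fe33:4455/64",   # network A, MAC-derived
    "2001:db8:b:7:211:22ff:fe33:4455/64",   # network B, same interface ID
    "2001:db8:b:7:8d3c:51a7:90e2:4b6f/64",  # randomized interface ID
]

if __name__ == "__main__":
    for a in SAMPLES:
        print(f"{a:40} embedded MAC: {embedded_mac(a)}")
    for iface, policy in audit_host().items():
        print(f"{iface:12} use_tempaddr: {policy}")
```

The first two samples yield the same MAC despite different prefixes, which is the cross-network fingerprint the thread describes. On a Linux host, any interface reported as "disabled" is not using Privacy Extensions.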