
Re: requirements and regulations concerning upgrade checks/statistics callback on program start



Andrey Rahmatullin <wrar@debian.org> writes:

> Maybe it's time to document it in the Policy.

I think it would be a good idea, but it's some work because of the edge
cases.  Some of the things found by the Lintian check are tedious to fix
(unless maybe we can write a tool?) and make it more annoying to package
some software for Debian, so we should be clear on the project consensus
on how much work we want people to do.  For example, documentation HTML
pages that load styles or JavaScript (for mobile support for instance)
from a CDN are a privacy leak, as are web applications whose web pages
similarly include CDN links.

To be clear, I think we probably do care about those things and do want to
ask people to change them and use JavaScript packaged in Debian, but it's
also important to not underestimate how much work that is, since the norm
in the web page world is to pin to specific versions of these JavaScript
libraries and common style files.

There are some other edge cases that are closer to Norbert's question.
For example, gnubg (which I package) uses www.random.org as a random
number source by default (the upstream default, for various reasons that
involve fewer arguments with people who are absolutely convinced gnubg
wins against human players because it cheats on dice).  I've not changed
that, but one could make an argument that's a privacy leak as well (and
feel free to convince me that I should change it).

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>
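
The kind of check discussed in the message above, as an added example (not part of the original message and not Lintian's implementation): a static scan of a documentation HTML page for resources that a browser would fetch from another host as soon as the page is opened. The names `find_remote_loads`, `RemoteLoadFinder`, and the sample page with its `cdn.example.net` host are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes fetched on render; <a href> is omitted (only followed on click).
AUTO_FETCH = {"script": "src", "img": "src", "iframe": "src", "embed": "src",
              "audio": "src", "video": "src", "source": "src", "object": "data"}
# <link href> is fetched only for some rel values.
FETCHING_RELS = {"stylesheet", "icon", "preload", "prefetch", "modulepreload"}

class RemoteLoadFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link":
            rels = set(a.get("rel", "").lower().split())
            url = a.get("href", "") if rels & FETCHING_RELS else ""
        else:
            url = a.get(AUTO_FETCH.get(tag, ""), "")
        url = url.strip()
        parts = urlsplit(url)
        # Absolute http(s) URLs and protocol-relative //host/path both leave the host.
        if parts.netloc and parts.scheme in ("", "http", "https"):
            self.findings.append((self.getpos()[0], tag, url))

def find_remote_loads(html_text):
    finder = RemoteLoadFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings

# Constructed sample page; cdn.example.net and the file names are placeholders.
SAMPLE = """<!DOCTYPE html>
<html><head>
<link rel="stylesheet" href="https://cdn.example.net/css/framework.min.css">
<link rel="stylesheet" href="css/local.css">
<script src="//cdn.example.net/js/library.min.js"></script>
<script src="js/local.js"></script>
</head><body>
<a href="https://www.debian.org/">Debian</a>
<img src="images/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for line, tag, url in find_remote_loads(SAMPLE):
        print(f"line {line}: <{tag}> loads {url}")
```

A static scan like this only sees references written in the markup; fetches issued by scripts at run time, or by `@import` and `url()` inside stylesheets, need a separate check.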

