Bug#765503: lintian: Downgrade most of privacy-breach* tags from severity: error to pedantic
- To: Felix Lechner <felix.lechner@lease-up.com>
- Cc: 743694@bugs.debian.org, Sylvestre Ledru <sylvestre@debian.org>, Daniel Leidert <dleidert@debian.org>, Jakub Wilk <jwilk@debian.org>, Bill Allombert <ballombe@debian.org>, Paul Wise <pabs@debian.org>, Alexandre Viau <aviau@debian.org>, Julien Cristau <jcristau@debian.org>, 765503@bugs.debian.org
- Subject: Bug#765503: lintian: Downgrade most of privacy-breach* tags from severity: error to pedantic
- From: Bastien ROUCARIES <roucaries.bastien@gmail.com>
- Date: Fri, 10 Sep 2021 11:59:06 +0000
- Message-id: <CAE2SPAZO8NPJxiFZQNsJzmWp0k4xXTAmjQvjunYH7gixXSDx3Q@mail.gmail.com>
- Reply-to: Bastien ROUCARIES <roucaries.bastien@gmail.com>, 765503@bugs.debian.org
- In-reply-to: <CAFHYt55mdpfhyM75CLRoo4b-2wPeKNpCK4Zwa3rrSu03EcZ2Ww@mail.gmail.com>
- References: <CAFHYt55mdpfhyM75CLRoo4b-2wPeKNpCK4Zwa3rrSu03EcZ2Ww@mail.gmail.com> <20141015162953.5344.13171.reportbug@leyte.mozilla.com>
On Fri, 10 Sep 2021 at 11:06, Felix Lechner
<felix.lechner@lease-up.com> wrote:
>
> Hi,
>
> > The severity chosen for these tags/checks is not justified by any of our
> > policies, neither the Debian policy, nor the best packaging practices, nor
> > any legal reason!
> >
> > There is no technical nor social justification for this severity.
> >
> > making our package compliant to this new privacy-policy doesn't add
> > any value to our users.
>
> I believe Debian users have a reasonable expectation to read static
> files on their own storage media without being monitored. That
> objection is based on my own everyday experience in working to improve
> Debian, the Golden rule [1] and item #4 of Debian's social contract
> ("Our priorities are our users"). [2]
>
> The legal landscape is also changing. At least Europe and California
> have seen shifts toward greater privacy protections for consumers
> since the bug was filed.
>
> [1] https://en.wikipedia.org/wiki/Golden_Rule
> [2] https://www.debian.org/social_contract
>
> > I simply morally disagree with removing donation requests from authors
>
> It is not the solicitation but the unexpected loading of network
> resources that violates privacy expectations. Many micro-donation
> services offer resources like images or active HTML components to
> evoke feelings of familiarity or goodwill. That allows them to see who
> is using which software, and who chooses not to donate. While such
> gamesmanship may be common while browsing online (there are tools to
> fight it [3][4]) it is unexpected when browsing static files located
> on one's own storage media.
>
> Another, more generalized solution could be to modify all browsers
> shipped in Debian so they do not load online resources without
> confirmation. Unfortunately, that separates the solution from the
> problems. It is more reliable to address the privacy breaches where
> they occur, i.e. in the affected files.
>
> There is no issue with authors requesting donations (or even with
> Debian promoting such requests, for example in package metadata). The
> moral charge that Lintian's privacy expectations starve authors is not
> reasonable. The request just has to be made without unexpectedly
> loading online resources.
>
> [3] https://privacybadger.org/
> [4] https://noscript.net/
>
> > I find it unacceptable that the burden to make packages "privacy"-
> > compliant to some users is put on the shoulders of myself and fellow DDs.
>
> Lintian already reduces the workload by locating the issues for
> maintainers. (We hope that most of our tags do that.) As for the
> actual burden, the task of creating patches that drop lines from
> upstream files is well within the capabilities of any DD with upload
> privileges. The burden is not unreasonable.
>
> I will likely close this bug without action.
>
> Please reply to Bug#743694 if your response concerns Lintian's
> treatment of privacy breaches. Thanks!
>
> Kind regards
> Felix Lechner
Note that I am working on a dh_fixhtml helper to automate the cleaning
of privacy breaches.
Bastien
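
The distinction drawn in the quoted reply, between a donation link the reader has to click and a badge or script the browser fetches as soon as a local file is opened, can be checked mechanically. The following is an added example, not part of this thread and not the code of Lintian's privacy-breach check or of dh_fixhtml; the tag list, function names and sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Attributes that make a browser fetch a resource as soon as the page is
# rendered. A plain <a href> is deliberately absent: it only fetches on click.
AUTO_FETCH = {"img": "src", "script": "src", "iframe": "src", "embed": "src",
              "audio": "src", "video": "src", "source": "src", "object": "data"}
# <link> fetches on load only for some rel values (not rel="canonical" etc.).
LINK_RELS = {"stylesheet", "icon", "preload", "prefetch"}


def is_remote(url):
    """True for http(s) URLs and protocol-relative URLs (//host/path)."""
    url = (url or "").strip().lower()
    return url.startswith(("http://", "https://", "//"))


class RemoteLoadFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            url = attrs.get("href") if rels & LINK_RELS else None
        else:
            url = attrs.get(AUTO_FETCH.get(tag, ""))
        if is_remote(url):
            self.findings.append((self.getpos()[0], tag, url))


def find_remote_loads(html):
    """Return (line, tag, url) for every resource fetched without a click."""
    finder = RemoteLoadFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: a donation link (fine) next to a remote badge and script.
SAMPLE = """<html><head>
<link rel="stylesheet" href="style.css">
<script src="https://stats.example.net/t.js"></script>
</head><body>
<a href="https://donate.example.org/">Support the author</a>
<img src="https://donate.example.org/badge.png" alt="Donate">
</body></html>"""

if __name__ == "__main__":
    print(*find_remote_loads(SAMPLE), sep="\n")
```

On the sample page only the script and the badge image are reported; the donation hyperlink and the local stylesheet are not.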