Bug#743694: lintian: Downgrade most of privacy-breach* tags from severity: error to pedantic
Hi,

> The severity chosen for these tags/checks is not justified by any of our
> policies, neither the Debian policy, nor the best packaging practices nor
> any legal reason!
>
> There is no technical nor social justification for this severity.
>
> making our package compliant to this new privacy-policy doesn't add
> any value to our users.

I believe Debian users have a reasonable expectation to read static
files on their own storage media without being monitored. That
objection is based on my own everyday experience in working to improve
Debian, the Golden Rule [1] and item #4 of Debian's social contract
("Our priorities are our users"). [2]

The legal landscape is also changing. At least Europe and California
have seen shifts toward greater privacy protections for consumers
since the bug was filed.

[1] https://en.wikipedia.org/wiki/Golden_Rule
[2] https://www.debian.org/social_contract

> I simply morally disagree with removing donation requests from authors

It is not the solicitation but the unexpected loading of network
resources that violates privacy expectations. Many micro-donation
services offer resources like images or active HTML components to
evoke feelings of familiarity or goodwill. That allows them to see who
is using which software, and who chooses not to donate. While such
gamesmanship may be common while browsing online (there are tools to
fight it [3][4]) it is unexpected when browsing static files located
on one's own storage media.

Another, more generalized solution could be to modify all browsers
shipped in Debian so they do not load online resources without
confirmation. Unfortunately, that separates the solution from the
problems. It is more reliable to address the privacy breaches where
they occur, i.e. in the affected files.

There is no issue with authors requesting donations (or even with
Debian promoting such requests, for example in package metadata). The
moral charge that Lintian's privacy expectations starve authors is not
reasonable. The request just has to be made without unexpectedly
loading online resources.

[3] https://privacybadger.org/
[4] https://noscript.net/

> I find it unacceptable that the burden to make packages "privacy"-
> compliant to some users is put on the shoulders of myself and fellow DDs.

Lintian already reduces the workload by locating the issues for
maintainers. (We hope that most of our tags do that.) As for the
actual burden, the task of creating patches that drop lines from
upstream files is well within the capabilities of any DD with upload
privileges. The burden is not unreasonable.

I will likely close this bug without action.

Please reply to Bug#743694 if your response concerns Lintian's
treatment of privacy breaches. Thanks!

Kind regards
Felix Lechner