
Re: jessie release goals



On Wed, May 15, 2013 at 09:43:02PM +0200, Christoph Biedl wrote:
> Christoph Anton Mitterer wrote...
> 
> > 2) No more packages that bypass the package management system and secure
> > apt:
> > a) There are still several (typically non-free) packages which download
> > stuff from the web, install or at least un-tar it somewhere without
> > checking any integrity information that would be hardcoded in that
> > package.
> > 
> > b) Another problem are IMHO plugins like Firefox extensions, kinda
> > bypassing APT. I think at least those that are installed via a package,
> > shouldn't be upgradable/overwritable anymore with online versions.
> 
> I'd like to enhance that topic to the question under which
> circumstances a package is allowed to "phone home", i.e. to contact a
> service provided by upstream without the consent of the user. For the
> records, I wouldn't mind much if the rule is "never".
> 
> Still an answer might be not as easy as it seems, a few situations:
> 
> * Automatic update checks don't make sense, mostly they confuse users.
> 
> * As an example, nagios3 upstream embedded several requests to the
>   nagios homepage on the start page of any local installation. That
>   I consider both annoying and a privacy breach, so I patched that
>   away locally. But perhaps such behaviour should be banned entirely.
> 
> * On the other hand, there are packages that do need frequent updates,
>   virus scanners to start with, also ad blockers. Not sure whether
>   these should be granted an exception. If not, somebody would have to
>   take the task to provide these updates in an APT way.
> 
> Just sharing a few thoughts on that ...
> 
>     Christoph

I wouldn't mind "never".

An absolute requirement I think is a "don't do it again" option (for
the user). For example every time I start eric it tells me there is an
update. I know there is an update. It told me so the last 1000 times I
started it. And I still don't want to break my stable system.

I also wouldn't mind a debconf question in cases where the apt way is
not practicable but security can still be maintained. Which would be
for the *-installer packages that download the actual thing from the
internet. I would rather not have them but sometimes they are
unavoidable.

Phoning home at runtime without explicit admin/user permission is
never OK though.

Regards
	Goswin

