Re: The Spirit of Free Software, or The Reality

To: debian-devel@lists.debian.org
Subject: Re: The Spirit of Free Software, or The Reality
From: Jakub Wilk <jwilk@debian.org>
Date: Wed, 15 Jul 2015 01:06:28 +0200
Message-id: <[🔎] 20150714230628.GA7938@jwilk.net>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] CAKTje6H7qDBrXTeFQVreOWqEhjRrEbNnPbaimdbQd2YRB0cAQQ@mail.gmail.com>
References: <[🔎] 1436028958.14957.61.camel@gmail.com> <[🔎] CAKEv=VSg_QF-W=71iRiOSsdr3S8WTs1pb=wK8fKdjzybXG+=qQ@mail.gmail.com> <[🔎] 1436070597.4638.40.camel@gmail.com> <[🔎] CANTw=MM3XuNdR1e5ru7G-CJ7AjZeaoYiOdcNjie-m7CUNWb1PQ@mail.gmail.com> <[🔎] CAKTje6H7qDBrXTeFQVreOWqEhjRrEbNnPbaimdbQd2YRB0cAQQ@mail.gmail.com>

* Paul Wise <pabs@debian.org>, 2015-07-06, 14:10:

#786909 was absolutely not acceptable, and was treated as such. Socialcontract #1 remains in effect and will continue to do so in spite ofday to day bugs that violate its spirit.
It might be interesting to think about ways we can automaticallydiscover such problems in future.
lintian has privacy checks but this kind of problem doesn't seemstatically detectable to me.
Perhaps we could run everything in $PATH in virtual machines and logall network beyond localhost.

So I made this experiment with Iceweasel. These are the requests itmakes with a fresh profile, before you even type an URL:

POST https://location.services.mozilla.com/v1/country?key=no-mozilla-api-key
GET http://www.ebay.com/favicon.ico
GET http://en.wikipedia.org/favicon.ico
GET http://www.yahoo.com/favicon.ico
GET http://www.google.com/favicon.ico
GET http://www.amazon.com/favicon.ico
GET http://www.yahoo.com/favicon.ico
GET https://tiles.services.mozilla.com/v2/links/fetch/en-US
GET http://www.yahoo.com/favicon.ico
GET https://en.wikipedia.org/favicon.ico
GET https://en.wikipedia.org/favicon.ico
GET https://www.yahoo.com/favicon.ico
GET https://tiles.cdn.mozilla.net/desktop/PL/en-US.dd461b9cdf65d101f61b5dddac1ce4996e8d91ca.json
GET https://en.wikipedia.org/favicon.ico
POST https://safebrowsing.google.com/safebrowsing/downloads?client=Iceweasel&appver=38.1.0&pver=2.2&key=no-google-api-key
+ a few dozens of GET requests to https://safebrowsing.google.com/

So nothing serious here. It's just casually violating your privacy.

--
Jakub Wilk

Reply to:

Follow-Ups:
- Re: The Spirit of Free Software, or The Reality
  - From: Bas Wijnen <wijnen@debian.org>
- Re: The Spirit of Free Software, or The Reality
  - From: Nikolaus Rath <Nikolaus@rath.org>
- Re: The Spirit of Free Software, or The Reality
  - From: Mike Hommey <mh@glandium.org>

References:
- The Spirit of Free Software, or The Reality
  - From: lumin <cdluminate@gmail.com>
- Re: The Spirit of Free Software, or The Reality
  - From: Jan Gloser <jan.renra.gloser@gmail.com>
- Re: The Spirit of Free Software, or The Reality
  - From: lumin <cdluminate@gmail.com>
- Re: The Spirit of Free Software, or The Reality
  - From: Michael Gilbert <mgilbert@debian.org>
- Re: The Spirit of Free Software, or The Reality
  - From: Paul Wise <pabs@debian.org>

Prev by Date: Bug#792455: ITP: golang-github-ugorji-go-codec -- encode/decode and rpc library for msgpack, binc, cbor and json
Next by Date: Re: The Spirit of Free Software, or The Reality
Previous by thread: Re: The Spirit of Free Software, or The Reality
Next by thread: Re: The Spirit of Free Software, or The Reality
Index(es):
- Date
- Thread