--- Begin Message ---
Hi mYnDstrEAm,
mYnDstrEAm wrote on Wed, 10 Apr 2024 22:54:04 +0000:
> Package: general
>
> I wondered why Debian comes with geoclue-2.0 and gpsd running by default
> (which could be used for location tracking). Please do not install them
> by default or if you really must, please do not make them autostart.
> At most it could be useful for a few users if it was installed but not
> enabled and not running by default (so just an option one could enable
> in the configs or which could be enabled by the user through a prompt).
> If it's running by default this also means that after upgrades it could
> be running again. This is a privacy issue, an undesired bloat service
> that requires to spend time to remove it, and a larger attack surface
> even if there was a proper and vulnerability-free permissions-management
> for GPS-location-access.
I'm closing this bugreport for the following reasons:
1. You write: "geoclue-2.0 and gpsd running by default". On my system:

    $ ps faux|grep gpsd|grep -v grep
    $

   -> that means that gpsd is not running by default and we do not have
   to fix that.
2. You write: "geoclue-2.0 and gpsd running by default". On my system:

    $ ps faux|grep geoclue|grep -v grep
    me 3089 0.0 0.0 234036 3100 ? Sl Apr20 0:00 \_ /usr/libexec/geoclue-2.0/demos/agent
    $ apt-cache rdepends geoclue-2.0 --installed
    geoclue-2.0
    Reverse Depends:
      redshift
      libqt5positioning5

   -> please check on your system, who depends on geoclue-2.0 and if
   you think it is necessary, create a wishlist bug report on those
   packages that you have installed that depend on geoclue-2.0.
   I might note, that the geoclue-2.0 dependency is not hard for the
   packages I have installed, but a recommendation, so that I can still
   deinstall geoclue-2.0 if I think I do not want it:

    $ ( dpkg -s redshift ; dpkg -s libqt5positioning5 ) | grep geoclue-2.0
    Recommends: geoclue-2.0
    Recommends: geoclue-2.0
3. I assume that packages depending on geoclue-2.0 will possibly be able
to get some info on where you are. In the case of redshift that'll
probably be used to adjust your display brightness/color. That isn't
privacy invasive as far as I can see. So again no problem -> no bug.
In the same vein you could argue "packages should not use the network,
because that can invade your privacy, since they *can* send some info
about you and your device to somewhere". So yes, of course they can,
but the question is *do they*? If they don't then there's no breach of
privacy.
4. When you assign bug reports against "general" then it's very likely
your bug report will be ignored, because nobody maintains a "general"
package and thus nobody feels very much responsible for bugreports
against the "general" pseudo package.
Thanks,
*t
--- End Message ---
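
The hard-versus-recommended check from point 2 of the message above, as an added example that is not part of the original mail or of any Debian tool. It matches package names exactly instead of grepping for a substring; the function names and the sample stanzas (including example-locator and all version numbers) are constructed for illustration.

```shell
# Added example: list installed packages that reference TARGET and say whether
# the reference is a hard Depends or a soft Recommends/Suggests. Input is dpkg
# status stanzas on stdin ("dpkg -s" output or /var/lib/dpkg/status).
classify_deps() {   # usage: classify_deps TARGET < status-stanzas
    awk -v target="$1" '
        /^Package:/ { pkg = $2; inst = 0; next }
        /^Status:/  { inst = ($NF == "installed"); next }
        /^(Pre-Depends|Depends|Recommends|Suggests):/ {
            if (!inst) next                       # skip removed/config-only
            field = $1; sub(/:$/, "", field)
            line = $0; sub(/^[^:]*: */, "", line)
            n = split(line, items, /[,|]/)        # "," = and, "|" = alternative
            for (i = 1; i <= n; i++) {
                name = items[i]
                sub(/^ +/, "", name)              # trim leading blanks
                sub(/[ (:].*$/, "", name)         # drop "(>= 1.0)" and ":any"
                if (name == target) { print pkg, field; break }
            }
        }'
}

removal_impact() {  # prints hard, soft or none for TARGET
    found=$(classify_deps "$1")
    if printf '%s\n' "$found" | grep -Eq ' (Pre-)?Depends$'; then echo hard
    elif [ -n "$found" ]; then echo soft
    else echo none
    fi
}

sample_status() {   # constructed stanzas, not copied from a real system
    cat <<'EOF'
Package: redshift
Status: install ok installed
Depends: libc6 (>= 2.34), libgeoclue-2-0 (>= 2.4)
Recommends: geoclue-2.0

Package: libqt5positioning5
Status: install ok installed
Recommends: geoclue-2.0

Package: example-locator
Status: deinstall ok config-files
Depends: geoclue-2.0 (>= 2.5) | gpsd
EOF
}
sample_status | classify_deps geoclue-2.0
sample_status | removal_impact geoclue-2.0
```

On a Debian system the same functions can be fed real data with `classify_deps geoclue-2.0 < /var/lib/dpkg/status`.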