
Bug#735321: lintian: privacy-breach-logo exception for SourceForge etc



Tony Houghton <h@realh.co.uk> writes:

> I'm getting privacy-breach-logo warnings for roxterm's HTML
> documentation. I'm fairly sure it can only be my use of the Sourceforge
> logo; there are no other img tags with external src:

>     <a id="SourceforgeLink" href="http://sourceforge.net/projects/roxterm"
>             title="RoxTerm Sourceforge">
>     <img
>     src="http://sflogo.sourceforge.net/sflogo.php?group_id=124080&amp;type=8"
>             width="80" height="15"
>             alt="Get RoxTerm at SourceForge.net. Fast, secure and Free Open
>             Source software downloads" />
>     </a>

> I don't think there should be any objection to using a SF logo this way
> in a Debian package's documentation, so please could this tag have a
> whitelist for SourceForge and other trusted hosting sites.

The problem with this HTML code is that, every time a user visits this
HTML page in a browser, the browser contacts sourceforge.net to retrieve
the image and hands lots of information about the browser to Sourceforge.
This includes referrer information, so it provides Sourceforge with
tracking data about who is using roxterm.  Generally, browsers provide
enough information to be uniquely identified even without cookies.

If the logo is free, you could include a copy directly in the source
package, which would avoid that problem.  But I'm guessing it's not.

This is something that, by and large, the free software community hasn't
been thinking about much, but these sorts of apparently innocuous
remotely-sourced images are a key component of the pervasive commercial
surveillance architecture that underlies most of the ad-supported
companies.  Individual pieces of data like this are, in isolation,
arguably not a big deal, but they're heavily aggregated and analyzed, and
the results can become rather disturbing.

Lintian is trying to get out in front of the problem, which is going to be
kind of painful, at least at first, since this is something that upstreams
have mostly not been paying close attention to.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
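
The kind of check discussed in this thread, as an added example that is not part of the original messages and is not Lintian's own implementation: a Python scanner that reports every element in a packaged HTML page that makes the browser contact another host as soon as the page is rendered. The tag list, the function and class names, and the sample document (the snippet quoted above plus a constructed local image) are assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose attribute is fetched automatically on render (assumed list).
AUTO_FETCH = {"img": "src", "script": "src", "iframe": "src", "embed": "src",
              "audio": "src", "video": "src", "source": "src"}

# Sample input: the quoted roxterm snippet plus a constructed local image.
SAMPLE = """<p><img src="logo.png" alt="local copy shipped in the package" /></p>
<a id="SourceforgeLink" href="http://sourceforge.net/projects/roxterm"
        title="RoxTerm Sourceforge">
<img
src="http://sflogo.sourceforge.net/sflogo.php?group_id=124080&amp;type=8"
        width="80" height="15" alt="Get RoxTerm at SourceForge.net" />
</a>
"""


class RemoteFetchFinder(HTMLParser):
    """Collect (line, tag, host) for each resource loaded from another host."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = AUTO_FETCH.get(tag)
        # A stylesheet <link> is fetched on render; a plain <a href> is not.
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            attr = "href"
        url = (attrs.get(attr) or "").strip() if attr else ""
        parts = urlsplit(url)
        # Scheme-relative URLs ("//host/x") also leave the local machine.
        if parts.netloc and parts.scheme in ("", "http", "https"):
            self.findings.append((self.getpos()[0], tag, parts.hostname))


def find_remote_fetches(html):
    """Return the list of (line, tag, host) findings for one HTML document."""
    finder = RemoteFetchFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for line, tag, host in find_remote_fetches(SAMPLE):
        print(f"line {line}: <{tag}> fetches from {host}")
```

The `<a href>` pointing at sourceforge.net is not reported because it is only requested when the reader clicks it; the relative `logo.png` shows the form a bundled copy of an image takes.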

