Bug#743694: lintian: Downgrade most of privacy-breach* tags from severity: error to pedantic
- To: Felix Lechner <felix.lechner@lease-up.com>
- Cc: 743694@bugs.debian.org, Sylvestre Ledru <sylvestre@debian.org>, Daniel Leidert <dleidert@debian.org>, Jakub Wilk <jwilk@debian.org>, bastien ROUCARIES <roucaries.bastien@gmail.com>, Bill Allombert <ballombe@debian.org>, Paul Wise <pabs@debian.org>, Alexandre Viau <aviau@debian.org>, Julien Cristau <jcristau@debian.org>, 765503@bugs.debian.org
- Subject: Bug#743694: lintian: Downgrade most of privacy-breach* tags from severity: error to pedantic
- From: Bill Allombert <ballombe@debian.org>
- Date: Fri, 10 Sep 2021 13:56:46 +0200
- Message-id: <20210910115646.GA6604@yellowpig>
- Reply-to: Bill Allombert <ballombe@debian.org>, 743694@bugs.debian.org
- In-reply-to: <CAFHYt55mdpfhyM75CLRoo4b-2wPeKNpCK4Zwa3rrSu03EcZ2Ww@mail.gmail.com>
- References: <CAFHYt55mdpfhyM75CLRoo4b-2wPeKNpCK4Zwa3rrSu03EcZ2Ww@mail.gmail.com> <20140405110139.24807.60404.reportbug@haktar.debian.wgdd.de>
On Fri, Sep 10, 2021 at 04:05:32AM -0700, Felix Lechner wrote:
> Hi,
>
> > The severity chosen for these tags/checks is not justified by any of our
> > policies, neither the Debian policy, nor the best packaging practices nor
> > any legal reason!
> >
> > There is no technical nor social justification for this severity.
> >
> > Making our package compliant with this new privacy policy doesn't add
> > any value to our users.
>
> I believe Debian users have a reasonable expectation to read static
> files on their own storage media without being monitored. That
> objection is based on my own everyday experience in working to improve
> Debian, the Golden Rule [1] and item #4 of Debian's social contract
> ("Our priorities are our users"). [2]
>
> The legal landscape is also changing. At least Europe and California
> have seen shifts toward greater privacy protections for consumers
> since the bug was filed.
>
> [1] https://en.wikipedia.org/wiki/Golden_Rule
> [2] https://www.debian.org/social_contract
>
> > I simply morally disagree with removing donation requests from authors
>
> It is not the solicitation but the unexpected loading of network
> resources that violates privacy expectations. Many micro-donation
> services offer resources like images or active HTML components to
> evoke feelings of familiarity or goodwill. That allows them to see who
> is using which software, and who chooses not to donate. While such
> gamesmanship may be common while browsing online (there are tools to
> fight it [3][4]) it is unexpected when browsing static files located
> on one's own storage media.
>
> Another, more generalized solution could be to modify all browsers
> shipped in Debian so they do not load online resources without
> confirmation. Unfortunately, that separates the solution from the
> problems. It is more reliable to address the privacy breaches where
> they occur, i.e. in the affected files.
>
> There is no issue with authors requesting donations (or even with
> Debian promoting such requests, for example in package metadata). The
> moral charge that Lintian's privacy expectations starve authors is not
> reasonable. The request just has to be made without unexpectedly
> loading online resources.
>
> [3] https://privacybadger.org/
> [4] https://noscript.net/
>
> > I find it unacceptable that the burden to make packages "privacy"-
> > compliant to some users is put on the shoulders of myself and fellow DDs.
>
> Lintian already reduces the workload by locating the issues for
> maintainers. (We hope that most of our tags do that.) As for the
> actual burden, the task of creating patches that drop lines from
> upstream files is well within the capabilities of any DD with upload
> privileges. The burden is not unreasonable.
Thanks for taking this stance. Phoning home without the user's consent has
always been treated as an RC bug.
Lintian errors do not by themselves create more work for package
maintainers, since they can be ignored; instead they present an
advance warning of a potential bug report about a privacy violation,
which can save time, unless the maintainer's plan was to hide the issue
under the carpet, which contradicts SC #3 "we will not hide problems".
Cheers,
--
Bill. <ballombe@debian.org>
Imagine a large red swirl here.