On 15326 March 1977, npdflr@zoho.com wrote:
> I am posting an excerpt from the 'Data privacy' page
> (https://www.debian.org/legal/privacy):
> Service related logging
> In addition to the explicitly listed services above the Debian
> infrastructure logs details about system accesses for the purposes of
> ensuring service availability and reliability, and to enable debugging
> and diagnosis of issues when they arise. This logging includes details
> of mails sent/received through Debian infrastructure, web page access
> requests sent to Debian infrastructure, and login information for
> Debian systems (such as SSH logins to project machines). None of this
> information is used for any purposes other than operational
> requirements and it is only stored for 15 days in the case of web
> server logs, 10 days in the case of mail log and 4 weeks in the case
> of authentication/ssh logs.
> a) Does 'system' and 'Debian systems' in the above excerpt mean an
> installation of Debian OS?
No. It means a system installed and run by Debian admins providing a
service. Like the machine handling this list, or a machine handling a
webserver for www.debian.org.
> b) I am assuming that 'Debian infrastructure' means the 'Debian
> Security Infrastructure'
> (https://www.debian.org/doc/manuals/securing-debian-howto/ch7) which
> is used to handle security in the stable distribution. Please correct
> me, if wrong.
No, it means the whole infrastructure. We have many machines.
> c) Details regarding non-personally identifiable data: Does Debian
> (Debian.org) collect any kind of 'telemetry' or 'monitoring data'
> other than required for operational requirements? I am asking this as
> from a company's or business point of view: one is concerned about
> intellectual property, company data etc.
As written, no we do not.
> d) (This is related to the above point) Does the statement in the
> above excerpt "This logging includes details..... login information
> for Debian systems" mean that Debian stores username and passwords of
> users? In my case: A local login not a network based login.
Not in the sense you read into it, no. We do not, in any way, collect
users data of systems installed with Debian[1]. The above is for machines
running "inside" the debian.org domain and affects Debian Developers,
not any user who just happens to install Debian.
[1] There is one tool named popcon. That does actually send data our
way. That is opt-in and you can find more information at
https://popcon.debian.org/
--
bye, Joerg