Bug#990679: unblock: [pre-approval] privacybadger/2021.6.8-1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#990679: unblock: [pre-approval] privacybadger/2021.6.8-1
From: John Scott <jscott@posteo.net>
Date: Sun, 04 Jul 2021 17:10:49 +0000
Message-id: <[🔎] 9aadeb313c0471470252203ded13da760f180b64.camel@posteo.net>
Reply-to: John Scott <jscott@posteo.net>, 990679@bugs.debian.org

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: 981702@bugs.debian.org
Control: block 981702 by -1

Please unblock package privacybadger

[ Reason ]
Privacy Badger is unique and different from other anti-tracking
extensions in that instead of using artificial whitelists and
blacklists, it learns based on one's browsing behavior. However, it was
privately disclosed by Google's Security Team that Privacy Badger's
learning, which is unique to each user, can itself enable
fingerprinting:
https://www.eff.org/deeplinks/2020/10/privacy-badger-changing-protect-you-better

To address this, newer versions of Privacy Badger work by everyone
using the same whitelists, yellowlists, and blacklists, which are
aggregated from everyone's learning data.

[ Impact ]
If this unblock isn't granted, or it's not possible for Privacy Badger
to be shipped in bullseye-updates during the release cycle, then users
would be left more vulnerable to fingerprinting, as they could be
identified based on their older Privacy Badger versions. Upstream has
indicated that this situation would be unacceptable (and I concur), so
it would be better to remove the package altogether then.

This situation is not unlike the need to ship up-to-date ClamAV data in
stable-updates.

[ Tests ]
Since this is a browser extension it's difficult to automate testing. I
have tested with Firefox ESR, Firefox non-ESR, and Chromium that it
works.

[ Risks ]
This package is a leaf package, and if this package were to be instead
removed from Bullseye, users would need to install it manually by
fetching the extension from another source. The debdiff is quite large,
but consists mostly of changes to the website data and translations.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

This is a request for pre-approval since I need to seek a sponsor to
update the package anyway. My debdiff was detected as malware so you'll
have to fetch it from
https://salsa.debian.org/-/snippets/549/raw/master/privacybadger.diff

unblock privacybadger/2021.6.8-1

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to:

Follow-Ups:
- Processed: unblock: [pre-approval] privacybadger/2021.6.8-1
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#990679: unblock: [pre-approval] privacybadger/2021.6.8-1
  - From: Sebastian Ramacher <sramacher@debian.org>
- Processed: Re: Bug#990679: unblock: [pre-approval] privacybadger/2021.6.8-1
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#990679: marked as done (unblock: [pre-approval] privacybadger/2021.6.8-1)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Bug#990630: unblock: fuse3/3.10.3-2
Next by Date: Processed: unblock: [pre-approval] privacybadger/2021.6.8-1
Previous by thread: Bug#990670: marked as done ([pre-approval] unblock: python-apt/2.2.1)
Next by thread: Processed: unblock: [pre-approval] privacybadger/2021.6.8-1
Index(es):
- Date
- Thread