
Bug#990679: unblock: [pre-approval] privacybadger/2021.6.8-1



Control: tags -1 moreinfo

On 2021-07-04 17:10:49 +0000, John Scott wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: 981702@bugs.debian.org
> Control: block 981702 by -1
> 
> Please unblock package privacybadger
> 
> [ Reason ]
> Privacy Badger is unique and different from other anti-tracking
> extensions in that instead of using artificial whitelists and
> blacklists, it learns based on one's browsing behavior. However, it was
> privately disclosed by Google's Security Team that Privacy Badger's
> learning, which is unique to each user, can itself enable
> fingerprinting:
> https://www.eff.org/deeplinks/2020/10/privacy-badger-changing-protect-you-better
> 
> To address this, newer versions of Privacy Badger work by everyone
> using the same whitelists, yellowlists, and blacklists, which are
> aggregated from everyone's learning data.
> 
> [ Impact ]
> If this unblock isn't granted, or it's not possible for Privacy Badger
> to be shipped in bullseye-updates during the release cycle, then users
> would be left more vulnerable to fingerprinting, as they could be
> identified based on their older Privacy Badger versions. Upstream has
> indicated that this situation would be unacceptable (and I concur), so
> it would be better to remove the package altogether then.
> 
> This situation is not unlike the need to ship up-to-date ClamAV data in
> stable-updates.
> 
> [ Tests ]
> Since this is a browser extension it's difficult to automate testing. I
> have tested with Firefox ESR, Firefox non-ESR, and Chromium that it
> works.
> 
> [ Risks ]
> This package is a leaf package, and if this package were to be instead
> removed from Bullseye, users would need to install it manually by
> fetching the extension from another source. The debdiff is quite large,
> but consists mostly of changes to the website data and translations.
> 
> [ Checklist ]
>   [X] all changes are documented in the d/changelog
>   [X] I reviewed all changes and I approve them
>   [X] attach debdiff against the package in testing
> 
> This is a request for pre-approval since I need to seek a sponsor to
> update the package anyway. My debdiff was detected as malware so you'll
> have to fetch it from
> https://salsa.debian.org/-/snippets/549/raw/master/privacybadger.diff

 119 files changed, 37556 insertions(+), 16534 deletions(-)

This is too much for us to sensibly review. If possible, please provide
a filtered debdiff (e.g., by filtering the website data and
translations).

Cheers

> 
> unblock privacybadger/2021.6.8-1
> 
> 



-- 
Sebastian Ramacher
