Your message dated Sat, 24 Jul 2021 00:29:14 +0200 with message-id <YPtCugdcd86HX86q@ramacher.at> and subject line Re: Bug#990679: unblock: [pre-approval] privacybadger/2021.6.8-1 has caused the Debian Bug report #990679, regarding unblock: [pre-approval] privacybadger/2021.6.8-1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 990679: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990679 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: [pre-approval] privacybadger/2021.6.8-1
- From: John Scott <jscott@posteo.net>
- Date: Sun, 04 Jul 2021 17:10:49 +0000
- Message-id: <[🔎] 9aadeb313c0471470252203ded13da760f180b64.camel@posteo.net>
Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock X-Debbugs-Cc: 981702@bugs.debian.org Control: block 981702 by -1 Please unblock package privacybadger [ Reason ] Privacy Badger is unique and different from other anti-tracking extensions in that instead of using artificial whitelists and blacklists, it learns based on one's browsing behavior. However, it was privately disclosed by Google's Security Team that Privacy Badger's learning, which is unique to each user, can itself enable fingerprinting: https://www.eff.org/deeplinks/2020/10/privacy-badger-changing-protect-you-better To address this, newer versions of Privacy Badger work by everyone using the same whitelists, yellowlists, and blacklists, which are aggregated from everyone's learning data. [ Impact ] If this unblock isn't granted, or it's not possible for Privacy Badger to be shipped in bullseye-updates during the release cycle, then users would be left more vulnerable to fingerprinting, as they could be identified based on their older Privacy Badger versions. Upstream has indicated that this situation would be unacceptable (and I concur), so it would be better to remove the package altogether then. This situation is not unlike the need to ship up-to-date ClamAV data in stable-updates. [ Tests ] Since this is a browser extension it's difficult to automate testing. I have tested with Firefox ESR, Firefox non-ESR, and Chromium that it works. [ Risks ] This package is a leaf package, and if this package were to be instead removed from Bullseye, users would need to install it manually by fetching the extension from another source. The debdiff is quite large, but consists mostly of changes to the website data and translations. [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing This is a request for pre-approval since I need to seek a sponsor to update the package anyway. My debdiff was detected as malware so you'll have to fetch it from https://salsa.debian.org/-/snippets/549/raw/master/privacybadger.diff unblock privacybadger/2021.6.8-1Attachment: signature.asc
Description: This is a digitally signed message part
--- End Message ---
--- Begin Message ---
- To: 990679-done@bugs.debian.org, John Scott <jscott@posteo.net>
- Subject: Re: Bug#990679: unblock: [pre-approval] privacybadger/2021.6.8-1
- From: Sebastian Ramacher <sramacher@debian.org>
- Date: Sat, 24 Jul 2021 00:29:14 +0200
- Message-id: <YPtCugdcd86HX86q@ramacher.at>
- In-reply-to: <[🔎] YOISxenHK2jfu8j9@ramacher.at>
- References: <[🔎] 9aadeb313c0471470252203ded13da760f180b64.camel@posteo.net> <[🔎] 9aadeb313c0471470252203ded13da760f180b64.camel@posteo.net> <[🔎] YOISxenHK2jfu8j9@ramacher.at>
On 2021-07-04 21:57:57 +0200, Sebastian Ramacher wrote: > Control: tags -1 moreinfo > > On 2021-07-04 17:10:49 +0000, John Scott wrote: > > Package: release.debian.org > > Severity: normal > > User: release.debian.org@packages.debian.org > > Usertags: unblock > > X-Debbugs-Cc: 981702@bugs.debian.org > > Control: block 981702 by -1 > > > > Please unblock package privacybadger > > > > [ Reason ] > > Privacy Badger is unique and different from other anti-tracking > > extensions in that instead of using artificial whitelists and > > blacklists, it learns based on one's browsing behavior. However, it was > > privately disclosed by Google's Security Team that Privacy Badger's > > learning, which is unique to each user, can itself enable > > fingerprinting: > > https://www.eff.org/deeplinks/2020/10/privacy-badger-changing-protect-you-better > > > > To address this, newer versions of Privacy Badger work by everyone > > using the same whitelists, yellowlists, and blacklists, which are > > aggregated from everyone's learning data. > > > > [ Impact ] > > If this unblock isn't granted, or it's not possible for Privacy Badger > > to be shipped in bullseye-updates during the release cycle, then users > > would be left more vulnerable to fingerprinting, as they could be > > identified based on their older Privacy Badger versions. Upstream has > > indicated that this situation would be unacceptable (and I concur), so > > it would be better to remove the package altogether then. > > > > This situation is not unlike the need to ship up-to-date ClamAV data in > > stable-updates. > > > > [ Tests ] > > Since this is a browser extension it's difficult to automate testing. I > > have tested with Firefox ESR, Firefox non-ESR, and Chromium that it > > works. > > > > [ Risks ] > > This package is a leaf package, and if this package were to be instead > > removed from Bullseye, users would need to install it manually by > > fetching the extension from another source. The debdiff is quite large, > > but consists mostly of changes to the website data and translations. > > > > [ Checklist ] > > [X] all changes are documented in the d/changelog > > [X] I reviewed all changes and I approve them > > [X] attach debdiff against the package in testing > > > > This is a request for pre-approval since I need to seek a sponsor to > > update the package anyway. My debdiff was detected as malware so you'll > > have to fetch it from > > https://salsa.debian.org/-/snippets/549/raw/master/privacybadger.diff > > 119 files changed, 37556 insertions(+), 16534 deletions(-) > > This is too much for us to sensibly review. If possible, please provide > a filtered debdiff (e.g., by filtering the website data and > translations). Since the window for uploads targetting bullseye is closing and there is no filtered debdiff yet, let's close this request for now. Cheers > > Cheers > > > > > unblock privacybadger/2021.6.8-1 > > > > > > > > -- > Sebastian Ramacher -- Sebastian RamacherAttachment: signature.asc
Description: PGP signature
--- End Message ---