
Re: Which Debian packages leak information to the network?




On 18/05/16 18:54, Holger Levsen wrote:
> On Wed, May 18, 2016 at 06:33:52PM +0200, Jakub Wilk wrote:
>> Could you explain how any of these tools leak any information
>> "without a user's consent/expectation"?
> 
> gnome-calculator contacts a web page/service with currency
> exchange information *on every start*, I think that's a good
> example of the kind of programs Patrick is looking for.
> 
> 

I am running Debian on Qubes OS, I use gnome-calculator on a vault
domain (a VM without any network device) because I thought it does not
need Internet or data/files from another domain. So without any
knowledge I was protecting myself from this privacy leak...

Maybe Debian should adopt a strong policy about what packages should
have Internet access and what does not... All packages not supposed to
have Internet access will be blocked by firewall or a similar approach
(probably some kind of whitelist).

Then, the privacy leak surface will be very small and easy to audit.

