
Re: Privacy policy of packages/softwares installed in Debian



On Monday 10 June 2019 04:11:54 am tomas@tuxteam.de wrote:

> On Mon, Jun 10, 2019 at 12:08:04AM -0700, npdflr wrote:
> > Thanks Jean for your reply.
> >
> > Non-free packages should definitely be checked with their privacy
> > policy. But what about free packages?
>
> Agreed.
>
> > The license for the Go programming language is
> > https://golang.org/LICENSE which is free but the privacy policy is
> > invasive https://policies.google.com/privacy?hl=en
>
> This is, at least, debatable. Go deems itself independent from Google
> (formally it is; whether it is "de facto" is a much more difficult
> question).
>
> > Would you say that all free packages via main repositories and via
> > other ways (after checking their license to be DFSG-compliant) can
> > be safely allowed to connect to the internet?
>
> This is a very good question, and I think there's no clear-cut
> answer to it. When Debian and its Social Contract [0] were conceived,
> the focus was more on giving end users power through free software.
>
> Nowadays free software has "won" (of sorts), but the lines of
> conflict have shifted to a more subtle "place". Most of the software
> a Facebook user is in contact with is somehow "free". Heck, FB is
> one important contributor to the Linux kernel. But... would you say
> a FB user controls his/her use of FB? Tough call.
>
> To illustrate the point you made a bit better, I've seen Google
> beacons embedded in the JavaScript included in free packages[1].
>
> Free but... privacy respecting? Up to debate.

I'm not a maintainer, just a user.

And an instance of the above should result in the instant moving of that
package into the non-free category. And put a link to a readme
explaining why its contamination by such tracking code has caused its
status to be changed, and moved, in the former package's location. Only
by pointing it out to the potential user will such code eventually be
removed. I think Debian needs to make that an upfront declaration and
enforce it.

Any "hardware" surveys, which seem to be more invasive than ever these 
days, should pop up a requester for some sort of plainly stated 
permission before the results are sent "home". Any form of no should 
result in sending that data to /dev/null.

> You can help making Debian better by trying to find such things
> and reporting them as bugs. I think most Debian maintainers would
> agree that those go against the spirit of the Social Contract [0].

Yes, absolutely. I do not think Debian could be said to have been harmed
by such an action a year later.

> Cheers
> [0] https://www.debian.org/social_contract
>
> [1] In one case, a web app testing package, there was even a
>    comment in there "please, leave this in, since that's how
>    we make money", so the inclusion was not an accident. In
>    the other case, it was in a Debian package -- this one has
>    disappeared since, otherwise I'd have filed a bug report.
>
> -- tomás


Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>

