On Mon, Jun 10, 2019 at 12:08:04AM -0700, npdflr wrote: > Thanks Jean for your reply. > > Non-free packages should definitely be checked with their privacy policy. But what about free packages? Agreed. > The license for the Go programming language is https://golang.org/LICENSE which is free but the privacy policy is invasive https://policies.google.com/privacy?hl=en This is, at least, debatable. Go deems itself independent from Google (formally it is; whether it is "de facto" is a much more difficult question). > Would you say that all free packages via main repositories and via other ways (after checking their license to be DFSG-compliant) can be safely be allowed to connect to the internet? This is a very good question, and I think there's no clear-cut answer to it. When Debian and its Social Contract [0] were conceived, the focus was more on giving end users power through free software. Nowadays free software has "won" (of sorts), but the lines of conflict have shifted to a more subtle "place". Most of the software a Facebook user is in contact with is somehow "free". Heck, FB is one important contributor to the Linux kernel. But... would you say a FB user controls his/her use of FB? Tough call. To illustrate the point you made a bit better, I've seen Google beacons embedded in the Javascript included in free packages[1]. Free but... privacy respecting? Up to debate. You can help making Debian better by trying to find such things and reporting them as bugs. I think most Debian maintainers would agree that those go against the spirit of the Social Contract [0]. Cheers [0] https://www.debian.org/social_contract [1] In one case, a web app testing package, there was even a comment in there "please, leave this in, since that's how we make money", so the inclusion was not an accident. In the other case, it was in a Debian package -- this one has disappeared since, otherwise I'd have filed a bug report. -- tomás
Attachment:
signature.asc
Description: Digital signature