
Re: Privacy policy of packages/softwares installed in Debian




---- On Mon, 10 Jun 2019 04:14:59 -0700 Jean-Philippe MENGUAL <jpmengual@debian.org> wrote ----

> One thing seems sure, Debian will never have a privacy policy, I think,
> but maybe may request any package (or some packages) to include a
> PRIVACY file. That would require changing the Debian maintainer and dev policy.

I had inquired about the privacy policy of Debian in general before, on the mailing list debian-project@lists.debian.org.
(I couldn't help but inquire, as there is so much "telemetry" etc. used by some operating systems to monitor user data.)
Except for the popcon tool, which is opt-in, Debian doesn't collect any user data.

I am posting the conversation I had, in case it seems to be relevant to the current topic for packages.

#---------------------------------------------------------------------------------------------------------------------------------------------#

---- On Wed, 27 Feb 2019 13:02:28 -0800 Joerg Jaspert <joerg@debian.org> wrote ----

    On 15326 March 1977, npdflr@zoho.com wrote:

    > I am posting an excerpt from the 'Data privacy' page
    > (https://www.debian.org/legal/privacy):

    > Service related logging

    > In addition to the explicitly listed services above the Debian
    > infrastructure logs details about system accesses for the purposes of
    > ensuring service availability and reliability, and to enable debugging
    > and diagnosis of issues when they arise. This logging includes details
    > of mails sent/received through Debian infrastructure, web page access
    > requests sent to Debian infrastructure, and login information for
    > Debian systems (such as SSH logins to project machines). None of this
    > information is used for any purposes other than operational
    > requirements and it is only stored for 15 days in the case of web
    > server logs, 10 days in the case of mail log and 4 weeks in the case
    > of authentication/ssh logs.

    > a) Does 'system' and 'Debian systems' in the above excerpt mean an
    > installation of Debian OS?

    No. It means a system installed and run by Debian admins providing a
    service. Like the machine handling this list, or a machine handling a
    webserver for www.debian.org.

    > b) I am assuming that 'Debian infrastructure' means the 'Debian
    > Security Infrastructure'
    > (https://www.debian.org/doc/manuals/securing-debian-howto/ch7) which
    > is used to handle security in the stable distribution. Please correct
    > me, if wrong.

    No, it means the whole infrastructure. We have many machines.

    > c) Details regarding non-personally identifiable data: Does Debian
    > (Debian.org) collect any kind of 'telemetry' or 'monitoring data'
    > other than required for operational requirements? I am asking this as
    > from a company's or business point of view: one is concerned about
    > intellectual property, company data etc.

    As written, no we do not.

    > d) (This is related to the above point) Does the statement in the
    > above excerpt "This logging includes details.....    login information
    > for Debian systems" mean that Debian stores username and passwords of
    > users? In my case: A local login not a network based login.

    Not in the sense you read into it, no. We do not, in any way, collect
    users data of systems installed with Debian[1]. The above is for machines
    running "inside" the debian.org domain and affects Debian Developers,
    not any user who just happens to install Debian.


    [1] There is one tool named popcon. That does actually send data our
    way. That is opt-in and you can find more information at
    https://popcon.debian.org/

    --
    bye, Joerg

#---------------------------------------------------------------------------------------------------------------------------------------------#


---- On Mon, 10 Jun 2019 01:11:54 -0700 <tomas@tuxteam.de> wrote ----

>> Would you say that all free packages via main repositories and via other ways (after checking their license to be DFSG-compliant) can safely be allowed to connect to the internet?

> This is a very good question, and I think there's no clear-cut
> answer to it. When Debian and its Social Contract [0] were conceived,
> the focus was more on giving end users power through free software.

I'll focus only on free packages available via 'Official Debian' main repositories.

The free packages in Official Debian main repositories can be categorized as:
1. Default (already installed and available for use after installing Debian via an official Debian image/iso)
2. Available for manual download and installation.

I think the default packages build/represent the Debian operating system and would also represent Debian's privacy policy in general.
So, there should not be any problem regarding privacy, at least for the default packages.

As for the free packages available for manual download and installation via Official Debian main repositories, they should also represent Debian's privacy policy in general, but I am not sure (hoping someone can clarify). One way to check for the privacy policy of such packages would be to check whether the package in the synaptic package manager has a homepage link, to find its website/source.

Suggestion: It would be great if there were a regulation adopted to have a privacy policy for packages available via Official Debian main repositories. Again, I am talking only about Official Debian main repositories, not about non-free repositories or even other main repositories which may be out of scope of Debian.

An example of such a regulation is Mozilla addon policy which states:
"You must disclose how the add-on collects, uses, stores and shares user data in the privacy policy field on AMO (addons.mozilla.org)"
(Link: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/AMO/Policy/Reviews#Data_Disclosure_Collection_and_Management)

Thank you.