Re: Privacy guarantees

[Paul Wise <pabs@debian.org>]

On Fri, Sep 10, 2021 at 2:44 PM Felix Lechner wrote:

> A fellow developer and I have reached an impasse over the appropriate
> level of privacy guarantees in Debian. [1]

I think that lintian privacy tags currently represent several sets of bugs:

The browsers shipping in Debian place no barriers between local files
on disk, sites on the local network and sites on the Internet. So if
someone reads some local documentation they didn't get from Debian
using a browser from Debian, they could have a privacy violation.

The documentation available in Debian may suggest readers request
resources not available as local files on disk. Even if we fix the
browsers available in Debian, users may read Debian documentation using
browsers not available in Debian, they could have a privacy violation.

The web applications available in Debian may suggest visitors request
resources not available on the same web service. Since most web
browsers don't block third-party requests by default, those visitors,
who are only indirectly Debian users, could have a privacy violation.
The same applies when Debian documentation is copied to a website.

> Would this esteemed group please advise if the topic is in some form
> suitable for a General Resolution?

I'm not sure a GR is the appropriate mechanism to fix privacy issues
in Debian, instead I would encourage interested folks to form a group
focused on detecting, fixing and mitigating these issues. See the work
of the Reproducible Builds folks for an example how such a group can
move Free Software forward on a particular issue.

https://wiki.debian.org/PrivacyIssues
https://reproducible-builds.org/

-- 
bye,
pabs

https://wiki.debian.org/PaulWise