Hi I see this repository https://salsa.debian.org/go-team/packages/golang-golang-x-telemetry which wasn't uploaded because of Debian's transition to disable telemtry, however this means that packages relying on that API seems to vendor the code instead: https://salsa.debian.org/go-team/packages/golang-golang-x-tools/-/tree/debian/sid/debian/go/src/golang.org/x/telemetry?ref_type=heads So we have the telemetry code anyway, but only harder to audit. I'm not a fan of telemetry and it would be great if it was disabled. I'm not sure there is any real hard policy on this in Debian though, any pointers? Still, disabling it when it is easy seems like a good idea. I think there is so much telemetry stuff happening in Debian packages generally without them labeled as telemetry, so the only thing that is different here is that the telemtry package is honest about what it is doing. So it feels a bit ironic that we punish it for that, and accept it in other packages that behaves in ways that allow telemtry without that being labeled as such. Can we improve this somehow? Couldn't we package golang-golang-x-telemtry properly and just make it a no-op? Then at least all API calls to it and package dependences would work, and we won't have to vendor that code in other packages. And making the telemtry calls be a no-op would be a clear design decision in the golang-golang-x-telemtry package that can be audited as such. Thoughts? Other ideas or reflections? /Simon
Attachment:
signature.asc
Description: PGP signature