Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

Hello,

[ Reason ]
There are currently several issues with geoclue-2.0 in debian buster:

1) The daemon is not respecting the user choice to not query the location,
   that could be seen as a privacy/GDPR breach as it contacts MLS and sends
   data (ESSID,..) to them without explicit approval. This is only happening
   for "system" (non-flatpak) applications.
2) The indicator (in the gnome-shell,...) showing that geoclue is active and
   looking for the location of the computer is never turned on.
3) This version of geoclue is using a generic Mozilla Location service API
   key, Mozilla would like us to use a dedicated key for geoclue in debian:
   https://gitlab.freedesktop.org/geoclue/geoclue/-/issues/136

[ Impact ]
There is a privacy issue and also the risk that geoclue might stop working
overnight when MLS revoke the API key currently used.

[ Tests ]
Smoke testing on a debian buster VM

[ Risks ]
The changes are minimal and straightforward. All the patches have been
backported from upstream git repository

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
1) The biggest change is the fact that the daemon will now query the "agent"
   (gnome-shell or other) to check the user preference about the usage of
   geolocation before querying the location (and contacting MLS).
2) The "in_use" property is set now when there is a client requesting the
   location connected.
3) We also change the MLS API key to the one generated especially for debian
   and stop exposing it in the configuration file. While testing, I discovered
   that the daemon is crashing if submission-url is not defined in the
   configuration file, this is fixed as well.

[ Other info ]
NA

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.9.0-5-amd64 (SMP w/8 CPU threads)
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), LANGUAGE=fr_BE:fr
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Permissive - Policy name: refpolicy

diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 0000000..7f1315b --- /dev/null +++ b/debian/README.Debian @@ -0,0 +1,8 @@ +geoclue-2.0 for Debian +--------------------- + +geoclue uses the Mozilla Location Service (MLS) to estimate the location of +your computer. Please refer to the Privacy Notice on the Mozilla website for +all privacy concerns: https://location.services.mozilla.com/privacy + + -- Laurent Bigonville <bi...@debian.org> Thu, 23 Apr 2020 14:28:03 +0200 diff --git a/debian/changelog b/debian/changelog index 02ce138..4b654ce 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,21 @@ +geoclue-2.0 (2.5.2-1+deb10u1) buster; urgency=medium + + * debian/README.Debian: Add information about MLS and a link to the service + Privacy Notice page + * Check the maximum allowed accuracy level even for system applications. + Respect the value of the user preference concerning the usage of their + geolocation. This should fix the privacy and GDPR conformity concerns as + the user explicitly needs to enable the option. + Note that there is no distinction between the system applications + anymore, turning on the option is allowing them all to get the location. + (Closes: #924516, #958497) + * d/p/: Add a patch to make the Mozilla API key configurable + * debian/rules: Use the key that has been allocated to debian for MLS queries + * d/p: Add an upstream patch to fix the display of the usage indicator + * Fix crash if submission-url is not set in the config, patch from upstream + + -- Laurent Bigonville <bi...@debian.org> Fri, 25 Dec 2020 17:19:50 +0100 + geoclue-2.0 (2.5.2-1) unstable; urgency=medium * [da1f3cfb] New upstream version 2.5.2 diff --git a/debian/patches/0001-service-Check-the-maximum-allowed-accuracy-level-eve.patch b/debian/patches/0001-service-Check-the-maximum-allowed-accuracy-level-eve.patch new file mode 100644 index 0000000..f4183d8 --- /dev/null 
+++ b/debian/patches/0001-service-Check-the-maximum-allowed-accuracy-level-eve.patch 
@@ -0,0 +1,70 @@ +From: Laurent Bigonville <bi...@bigon.be> +Date: Fri, 23 Oct 2020 21:37:12 +0200 +Subject: service: Check the maximum allowed accuracy level even for system + apps + +We need to check the maximum allowed accuracy even for system apps +otherwise the user cannot disable the geolocalization for these +(max_accuracy set to 0) + +Fix: https://gitlab.freedesktop.org/geoclue/geoclue/-/issues/111 +--- + src/gclue-service-client.c | 16 +++++----------- + 1 file changed, 5 insertions(+), 11 deletions(-) + +diff --git a/src/gclue-service-client.c b/src/gclue-service-client.c +index 247fdb6..62ea932 100644 +--- a/src/gclue-service-client.c ++++ b/src/gclue-service-client.c +@@ -447,6 +447,7 @@ handle_post_agent_check_auth (StartData *data) + GClueConfig *config; + GClueAppPerm app_perm; + guint32 uid; ++ gboolean system_app; + + uid = gclue_client_info_get_user_id (priv->client_info); + max_accuracy = gclue_agent_get_max_accuracy_level (priv->agent_proxy); +@@ -471,8 +472,11 @@ handle_post_agent_check_auth (StartData *data) + app_perm = gclue_config_get_app_perm (config, + data->desktop_id, + priv->client_info); ++ system_app = (gclue_client_info_get_xdg_id (priv->client_info) == NULL); + +- if (app_perm == GCLUE_APP_PERM_ALLOWED) { ++ if (app_perm == GCLUE_APP_PERM_ALLOWED || system_app) { ++ /* Since we have no reliable way to identify system apps, no ++ * need for auth for them. 
*/ + complete_start (data); + return; + } +@@ -556,7 +560,6 @@ gclue_service_client_handle_start (GClueDBusClient *client, + const char *desktop_id; + GClueAppPerm app_perm; + guint32 uid; +- gboolean system_app = FALSE; + + if (priv->locator != NULL) { + /* Already started */ +@@ -569,7 +572,6 @@ gclue_service_client_handle_start (GClueDBusClient *client, + if (desktop_id == NULL) { + /* Non-xdg app */ + desktop_id = gclue_dbus_client_get_desktop_id (client); +- system_app = TRUE; + } + + if (desktop_id == NULL) { +@@ -605,14 +607,6 @@ gclue_service_client_handle_start (GClueDBusClient *client, + data->accuracy_level = ensure_valid_accuracy_level + (data->accuracy_level, GCLUE_ACCURACY_LEVEL_EXACT); + +- if (system_app) { +- /* Since we have no reliable way to identify system apps, no +- * need for auth for them. */ +- complete_start (data); +- +- return TRUE; +- } +- + /* No agent == No authorization */ + if (priv->agent_proxy == NULL) { + /* Already a pending Start()? Denied! */ diff --git a/debian/patches/0002-config-Make-the-Mozilla-API-key-configurable.patch b/debian/patches/0002-config-Make-the-Mozilla-API-key-configurable.patch new file mode 100644 index 0000000..d4a8c8c --- /dev/null +++ b/debian/patches/0002-config-Make-the-Mozilla-API-key-configurable.patch 
@@ -0,0 +1,79 @@ +From: "Jan Alexander Steffens (heftig)" <jan.steff...@gmail.com> +Date: Tue, 1 Oct 2019 13:27:41 +0000 +Subject: config: Make the Mozilla API key configurable + +And do not expose it in the configuration file. +--- + data/geoclue.conf.in | 18 ++++++++++-------- + meson.build | 1 + + meson_options.txt | 3 +++ + src/gclue-config.c | 4 ++-- + 4 files changed, 16 insertions(+), 10 deletions(-) + +--- a/data/geoclue.conf.in ++++ b/data/geoclue.conf.in +@@ -42,13 +42,13 @@ enable=true + # Enable WiFi source + enable=true + +-# URL to the wifi geolocation service. The key can currenty be anything, just +-# needs to be present but that is likely going to change in future. +-url=https://location.services.mozilla.com/v1/geolocate?key=geoclue ++# URL to the WiFi geolocation service. If not set, defaults to Mozilla's ++# Location Service with a hardcoded key. To use a custom key, uncomment this URL ++# while changing YOUR_KEY to your MLS API key. ++#url=https://location.services.mozilla.com/v1/geolocate?key=YOUR_KEY + +-# To use the Google geolocation service instead of mozilla's, simply uncomment +-# this url while changing API_KEY to your Google API key and comment out or +-# remove the url above. ++# To use the Google geolocation service instead of Mozilla's, uncomment this URL ++# while changing YOUR_KEY to your Google API key. + # + # WARNING: Please make sure that you are complying with the Google's ToS and + # policies if you uncomment this: +@@ -63,8 +63,10 @@ url=https://location.services.mozilla.co + # + submit-data=false + +-# URL to submission API of Mozilla Location Service +-submission-url=https://location.services.mozilla.com/v1/submit?key=geoclue ++# URL to submission API of Mozilla Location Service. If not set, defaults to ++# Mozilla's API with a hardcoded key. To use a custom key, uncomment this URL ++# while changing YOUR_KEY to your MLS API key. 
++#submission-url=https://location.services.mozilla.com/v1/submit?key=YOUR_KEY + + # A nickname to submit network data with. This is currently used for leaderboard: + # https://location.services.mozilla.com/leaders +--- a/meson.build ++++ b/meson.build +@@ -30,6 +30,7 @@ conf.set_quoted('PACKAGE_BUGREPORT', 'ht + conf.set_quoted('TEST_SRCDIR', meson.source_root() + '/data/') + conf.set_quoted('LOCALEDIR', localedir) + conf.set_quoted('SYSCONFDIR', sysconfdir) ++conf.set_quoted('MOZILLA_API_KEY', get_option('mozilla-api-key')) + conf.set10('GCLUE_USE_3G_SOURCE', get_option('3g-source')) + conf.set10('GCLUE_USE_CDMA_SOURCE', get_option('cdma-source')) + conf.set10('GCLUE_USE_MODEM_GPS_SOURCE', get_option('modem-gps-source')) +--- a/meson_options.txt ++++ b/meson_options.txt +@@ -34,3 +34,6 @@ option('systemd-system-unit-dir', + option('dbus-srv-user', + type: 'string', value: 'root', + description: 'The user (existing) as which the service will run') ++option('mozilla-api-key', ++ type: 'string', value: 'geoclue', ++ description: 'Your API key for Mozilla Location Service') +--- a/src/gclue-config.c ++++ b/src/gclue-config.c +@@ -216,8 +216,8 @@ load_enable_source_config (GClueConfig * + return enable; + } + +-#define DEFAULT_WIFI_URL "https://location.services.mozilla.com/v1/geolocate?key=geoclue" +-#define DEFAULT_WIFI_SUBMIT_URL "https://location.services.mozilla.com/v1/submit?key=geoclue" ++#define DEFAULT_WIFI_URL "https://location.services.mozilla.com/v1/geolocate?key=" MOZILLA_API_KEY ++#define DEFAULT_WIFI_SUBMIT_URL "https://location.services.mozilla.com/v1/submit?key=" MOZILLA_API_KEY + + static void + load_wifi_config (GClueConfig *config) diff --git a/debian/patches/0003-service-Sync-in_use-property-when-apps-get-connected.patch b/debian/patches/0003-service-Sync-in_use-property-when-apps-get-connected.patch new file mode 100644 index 0000000..1f5fcb6 --- /dev/null +++ b/debian/patches/0003-service-Sync-in_use-property-when-apps-get-connected.patch 
@@ -0,0 +1,43 @@ +From: Sujanan Bhathiya <sujananbhath...@gmail.com> +Date: Mon, 16 Mar 2020 17:19:30 +0530 +Subject: service: Sync in_use property when apps get connected + +Earlier we only synced in_use property when apps +get deleted from the service. Here we set the in_use +property when apps get connected to the service as well. +This fixes the issue #112 +--- + src/gclue-service-manager.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/src/gclue-service-manager.c b/src/gclue-service-manager.c +index d7f5e55..849debd 100644 +--- a/src/gclue-service-manager.c ++++ b/src/gclue-service-manager.c +@@ -140,6 +140,14 @@ delete_client (GClueServiceManager *manager, + sync_in_use_property (manager); + } + ++static void ++on_client_notify_active (GObject *gobject, ++ GParamSpec *pspec, ++ gpointer user_data) ++{ ++ sync_in_use_property (GCLUE_SERVICE_MANAGER (user_data)); ++} ++ + static void + on_peer_vanished (GClueClientInfo *info, + gpointer user_data) +@@ -216,6 +224,11 @@ complete_get_client (OnClientInfoNewReadyData *data) + } + g_debug ("Number of connected clients: %u", priv->num_clients); + ++ g_signal_connect (client, ++ "notify::active", ++ G_CALLBACK (on_client_notify_active), ++ data->manager); ++ + g_signal_connect (info, + "peer-vanished", + G_CALLBACK (on_peer_vanished), diff --git a/debian/patches/0005-config-Clear-error-after-submission-URL-lookup-fails.patch b/debian/patches/0005-config-Clear-error-after-submission-URL-lookup-fails.patch new file mode 100644 index 0000000..a438ce3 --- /dev/null +++ b/debian/patches/0005-config-Clear-error-after-submission-URL-lookup-fails.patch 
@@ -0,0 +1,23 @@ +From: "Jan Alexander Steffens (heftig)" <jan.steff...@gmail.com> +Date: Tue, 1 Oct 2019 13:42:11 +0000 +Subject: config: Clear error after submission URL lookup fails + +Otherwise we have a dangling pointer causing a crash when the error +value is reused. +--- + src/gclue-config.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/gclue-config.c b/src/gclue-config.c +index df4adcc..9ae2367 100644 +--- a/src/gclue-config.c ++++ b/src/gclue-config.c +@@ -255,7 +255,7 @@ load_wifi_config (GClueConfig *config) + &error); + if (error != NULL) { + g_debug ("No wifi submission URL: %s", error->message); +- g_error_free (error); ++ g_clear_error (&error); + priv->wifi_submit_url = g_strdup (DEFAULT_WIFI_SUBMIT_URL); + } + diff --git a/debian/patches/series b/debian/patches/series index 3a75c3b..a63e750 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,5 @@ 02-move-demo-lib.patch +0001-service-Check-the-maximum-allowed-accuracy-level-eve.patch +0002-config-Make-the-Mozilla-API-key-configurable.patch +0003-service-Sync-in_use-property-when-apps-get-connected.patch +0005-config-Clear-error-after-submission-URL-lookup-fails.patch diff --git a/debian/rules b/debian/rules index 0580fc3..440da91 100755 --- a/debian/rules +++ b/debian/rules 
@@ -16,12 +16,22 @@ ifneq ($(filter nodoc, $(DEB_BUILD_OPTIONS)),) BUILD_DOC := -Dgtk-doc=false endif +# The following API key has been allocated for Debian only +# If you are a derivative, please request your own key as discussed here: +# https://gitlab.freedesktop.org/geoclue/geoclue/-/issues/136 +# See also: https://location.services.mozilla.com/api and +# https://blog.mozilla.org/services/2019/09/03/a-new-policy-for-mozilla-location-service/ +ifeq ($(shell dpkg-vendor --query vendor),Debian) + MLS_API_KEY := -Dmozilla-api-key=484bfbac-6433-4492-aed3-16cc094eff93 +endif + override_dh_auto_configure: dh_auto_configure -- --libexecdir=/usr/lib/geoclue-2.0 \ -Ddbus-srv-user=geoclue \ -Dsystemd-system-unit-dir=/lib/systemd/system \ ${BUILD_DOC} \ - ${MM_NM_FLAGS} + ${MM_NM_FLAGS} \ + ${MLS_API_KEY} override_dh_auto_test: # testsuite fails on missing latitude (et.al)
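
Review bot: in 0001 (src/gclue-service-client.c), the gclue_service_client_handle_start hunks remove the early `complete_start (data)` for system apps, so those clients now reach the `/* No agent == No authorization */` branch. On a buster machine where no agent is running, a system app that was started immediately before this update goes through the no-agent handling instead. The changelog says the user must enable the option but does not mention the no-agent case; suggest documenting it in debian/changelog or README.Debian. Separately, in handle_post_agent_check_auth the relocated comment "Since we have no reliable way to identify system apps, no need for auth for them." now sits under a condition that also covers GCLUE_APP_PERM_ALLOWED; rewording it to say that system apps skip the per-app check but are still subject to the agent's maximum accuracy level would match the commit message.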
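
Review bot: in 0002 (data/geoclue.conf.in), the shipped `url=...key=geoclue` and `submission-url=...key=geoclue` lines become commented-out templates, but an installation whose /etc copy of geoclue.conf was locally modified and is kept on upgrade still carries the old lines and will keep using the generic `geoclue` key. Suggest a sentence in README.Debian telling admins to comment out or update those two settings. Also note for the patch description that the key is not hidden by this change: it is compiled into the binary through `MOZILLA_API_KEY` and appears in clear in debian/rules, so "do not expose it in the configuration file" should be read as "do not duplicate it there", not as secrecy.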
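
Review bot: in 0003 (src/gclue-service-manager.c), complete_get_client connects "notify::active" with g_signal_connect and passes data->manager as user_data, and no matching disconnect appears in the patch. Using g_signal_connect_object (client, "notify::active", G_CALLBACK (on_client_notify_active), data->manager, 0) would remove the handler automatically if the manager is finalized before the client, so on_client_notify_active can never run with a stale user_data.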
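
Review bot: 0005 (src/gclue-config.c) only changes the submission-url branch of load_wifi_config, while 0002 also comments out `url=` in geoclue.conf.in, so the lookup of `url` now fails on a default configuration too. Please confirm that the `url` error branch already uses g_clear_error (&error) and not g_error_free (error); the commit message says the crash comes from the error value being reused, and the same concern applies to any lookup that precedes another one in this function. It would also help to state in the patch header that 0002 depends on this fix, since 0002 alone makes the crash reachable with the shipped configuration.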
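
Review bot: in debian/rules, MLS_API_KEY is only set when `dpkg-vendor --query vendor` returns Debian, so a rebuild under any other vendor passes nothing and silently falls back to the `geoclue` default declared in meson_options.txt, which is the generic key this request says may be revoked. The comment asks derivatives to request their own key, but nothing at build time tells them they are using the fallback; an `else` branch with a `$(warning ...)` pointing to the upstream issue would make that visible in the build log.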