Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: 981...@bugs.debian.org
Control: block 981702 by -1

Please unblock package privacybadger

[ Reason ]
Privacy Badger is unique and different from other anti-tracking extensions in that instead of using artificial whitelists and blacklists, it learns based on one's browsing behavior. However, it was privately disclosed by Google's Security Team that Privacy Badger's learning, which is unique to each user, can itself enable fingerprinting:

https://www.eff.org/deeplinks/2020/10/privacy-badger-changing-protect-you-better

To address this, newer versions of Privacy Badger work by everyone using the same whitelists, yellowlists, and blacklists, which are aggregated from everyone's learning data.

[ Impact ]
If this unblock isn't granted, or it's not possible for Privacy Badger to be shipped in bullseye-updates during the release cycle, then users would be left more vulnerable to fingerprinting, as they could be identified based on their older Privacy Badger versions. Upstream has indicated that this situation would be unacceptable (and I concur), so it would be better to remove the package altogether then. This situation is not unlike the need to ship up-to-date ClamAV data in stable-updates.

[ Tests ]
Since this is a browser extension it's difficult to automate testing. I have tested with Firefox ESR, Firefox non-ESR, and Chromium that it works.

[ Risks ]
This package is a leaf package, and if this package were to be instead removed from Bullseye, users would need to install it manually by fetching the extension from another source. The debdiff is quite large, but consists mostly of changes to the website data and translations.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

This is a request for pre-approval since I need to seek a sponsor to update the package anyway.

My debdiff was detected as malware so you'll have to fetch it from https://salsa.debian.org/-/snippets/549/raw/master/privacybadger.diff

unblock privacybadger/2021.6.8-1