Control: tags -1 moreinfo

On 2021-07-04 17:10:49 +0000, John Scott wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: 981...@bugs.debian.org
> Control: block 981702 by -1
>
> Please unblock package privacybadger
>
> [ Reason ]
> Privacy Badger is unique and different from other anti-tracking
> extensions in that instead of using artificial whitelists and
> blacklists, it learns based on one's browsing behavior. However, it was
> privately disclosed by Google's Security Team that Privacy Badger's
> learning, which is unique to each user, can itself enable
> fingerprinting:
> https://www.eff.org/deeplinks/2020/10/privacy-badger-changing-protect-you-better
>
> To address this, newer versions of Privacy Badger work by everyone
> using the same whitelists, yellowlists, and blacklists, which are
> aggregated from everyone's learning data.
>
> [ Impact ]
> If this unblock isn't granted, or it's not possible for Privacy Badger
> to be shipped in bullseye-updates during the release cycle, then users
> would be left more vulnerable to fingerprinting, as they could be
> identified based on their older Privacy Badger versions. Upstream has
> indicated that this situation would be unacceptable (and I concur), so
> it would be better to remove the package altogether then.
>
> This situation is not unlike the need to ship up-to-date ClamAV data in
> stable-updates.
>
> [ Tests ]
> Since this is a browser extension it's difficult to automate testing. I
> have tested with Firefox ESR, Firefox non-ESR, and Chromium that it
> works.
>
> [ Risks ]
> This package is a leaf package, and if this package were to be instead
> removed from Bullseye, users would need to install it manually by
> fetching the extension from another source. The debdiff is quite large,
> but consists mostly of changes to the website data and translations.
>
> [ Checklist ]
> [X] all changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in testing
>
> This is a request for pre-approval since I need to seek a sponsor to
> update the package anyway. My debdiff was detected as malware so you'll
> have to fetch it from
> https://salsa.debian.org/-/snippets/549/raw/master/privacybadger.diff

119 files changed, 37556 insertions(+), 16534 deletions(-)

This is too much for us to sensibly review. If possible, please provide
a filtered debdiff (e.g., by filtering the website data and translations).

Cheers

>
> unblock privacybadger/2021.6.8-1
>
-- 
Sebastian Ramacher