Hello

> > B) I am more concerned about the other part, where code is
> > known to phone home, but the developers or packagers
> > have decided that this is fine. The examples range from popcon
> > to systemd's resolver (which I am told falls back on to google
> > at 8.8.8.8) to chromium or firefox/iceweasel. For the time
> > being these designed-in phone home packages are few, so it
> > should not be a hardship to label them with a "leaking::"
> > tag.
> >
>
> I am sorry marc, but that's incorrect. popcon does not ever 'call
> home' in either Debian or Devuan, unless you have *explicitly* agreed
> to allow it to do that. And the reasons for popcon "calling-home" are
> well stated and fully disclosed: it's a package to collect anonymous
> statistics about package usage, and it sends such stats to the popcon
> server once a week. popcon submissions are maintained encrypted and
> stored only for the time necessary to process them. I can guarantee
> this is the case in Devuan, since I am in charge of popcon.

Absolutely correct. I included popcon as an example of a package which
does disclose system information to others, and the developers and
packagers think this is ok. It turns out I think it is ok too, given
that it openly discloses what it does, and is opt in.

So there should be no objection to having it include a package tag that
says it discloses information to others? Not because popcon is a
problem, but because it sets an example to other maintainers to check
what information their packages disclose to the outside world?

> systemd is not in Devuan. Chromium comes from Google, and I would
> never trust it anyway, notwithstanding what Google promises to do
> about it (but I have not seen the code, so my position might be proven
> to be wrong). AFAIK Firefox comes with "calling-home" disabled by
> default anyway.

I was under the impression that firefox sends a daily report to its
servers, but stand corrected. And I too do not know exactly what
chromium sends back to its base. Wouldn't it be nice if the .deb files
included a few tags to tell us?

> Please do not put everything in the same basket ;)

I didn't mean to insinuate that popcon is somehow malicious - I mean to
include a range of examples of code which uploads information to remote
servers, and that it would be good to have some package-level metadata
which tells us what is sent, so that it is more difficult to hide such
activity.

regards

marc
_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng