Author: marc
Date:
To: dng
Subject: Re: [DNG] new freedesktop "standard": /etc/machine-id

> Dear marc,
>
> unwanted "calls-home" are normally found and disclosed if the software
> is free, so I really don't think this is a problem. Asking the
> development team of a distribution with 50k+ packages to guarantee
> that nothing ever uses user information for unwanted means is just
> plain impossible. Not even Debian can do that. This is done,
> indirectly, by all the people who look at the code, and contribute to
> the packages.

So I think that there are two categories to this:

A) There may be free software which has been
hacked/compromised to covertly phone home.
Finding these cases is hard, but if it is found,
chances are excellent that this will be fixed in
a hurry. I agree that Debian/Devuan can't make any
absolute guarantees in this respect.

B) I am more concerned about the other part, where code is
known to phone home, but the developers or packagers
have decided that this is fine. The examples range from popcon
to systemd's resolver (which I am told falls back on to Google
at 8.8.8.8) to chromium or firefox/iceweasel. For the time
being these designed-in phone home packages are few, so it
should not be a hardship to label them with a "leaking::"
tag.

The reason for labelling the ones in category B) is
disclosure: Those of us who are concerned about privacy
matters can look for those tags to make the tradeoff. It
also means that those who want to spy on people without
disclosing it fall into category A) which if found out
should count as deception and maybe, one day, a crime.