Author: marc
To: dng
Subject: Re: [DNG] new freedesktop "standard": /etc/machine-id

> > B) I am more concerned about the other part, where code is
> > known to phone home, but the developers or packagers
> > have decided that this is fine. The examples range from popcon
> > to systemd's resolver (which I am told falls back on to google
> > at to chromium or firefox/iceweasel. For the time
> > being these designed-in phone home packages are few, so it
> > should not be a hardship to label them with a "leaking::"
> > tag.
> >
> I am sorry marc, but that's incorrect. popcon does not ever 'call
> home' in either Debian or Devuan, unless you have *explicitly* agreed
> to allow it to do that. And the reasons for popcon "calling-home" are
> well stated and fully disclosed: it's a package to collect anonymous
> statistics about package usage, and it sends such stats to the popcon
> server once a week. popcon submissions are maintained encrypted and
> stored only for the time necessary to process them. I can guarantee
> this is the case in Devuan, since I am in charge of popcon.

Absolutely correct. I included popcon as an example of a package
which does disclose system information to others, and the developers
and packagers think this is ok. It turns out I think it is ok too,
given that it openly discloses what it does, and is opt in.

So there should be no objection to having it include a
package tag that says it discloses information to others?
Not because popcon is a problem, but because it sets an
example to other maintainers to check what information
their packages disclose to the outside world?

> systemd is not in Devuan. Chromium comes from Google, and I would
> never trust it anyway, notwithstanding what Google promises to do
> about it (but I have not seen the code, so my position might be proven
> to be wrong). AFAIK Firefox comes with "calling-home" disabled by
> default anyway.

I was under the impression that firefox sends a daily
report to its servers, but stand corrected. And I too
do not know exactly what chromium sends back to its
base. Wouldn't it be nice if the .deb files included
a few tags to tell us?

> Please do not put everything in the same basket ;)

I didn't mean to insinuate that popcon is somehow
malicious - I mean to include a range of examples
of code which uploads information to remote servers,
and that it would be good to have some package-level
metadata which tells us what is sent, so that it
is more difficult to hide such activity.