Your message dated Wed, 24 Apr 2024 16:32:20 +0200 (CEST)
with message-id <1ffdb551-a9e9-7361-b524-31847de3c...@sourcepole.ch>
and subject line Re: geoclue and gpsd are running by default (they aren't
needed and could be used for location tracking)
has caused the Debian Bug report #1068778,
regarding geoclue and gpsd are running by default (they aren't needed and could
be used for location tracking)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1068778: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068778
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: general
I wondered why Debian comes with geoclue-2.0 and gpsd running by default (which
could be used for location tracking). Please do not install them by default or
if you really must, please do not make them autostart.
At most it could be useful for a few users if it was installed but not enabled
and not running by default (so just an option one could enable in the configs
or which could be enabled by the user through a prompt). If it's running by
default this also means that after upgrades it could be running again. This is
a privacy issue, an undesired bloat service that requires to spend time to
remove it, and a larger attack surface even if there was a proper and
vulnerability-free permissions-management for GPS-location-access.
--- End Message ---
--- Begin Message ---
Hi mYnDstrEAm,
mYnDstrEAm wrote on Wed, 10 Apr 2024 22:54:04 +0000:
> Package: general
>
> I wondered why Debian comes with geoclue-2.0 and gpsd running by default
> (which could be used for location tracking). Please do not install them
> by default or if you really must, please do not make them autostart.
>
> At most it could be useful for a few users if it was installed but not
> enabled and not running by default (so just an option one could enable
> in the configs or which could be enabled by the user through a prompt).
> If it's running by default this also means that after upgrades it could
> be running again. This is a privacy issue, an undesired bloat service
> that requires to spend time to remove it, and a larger attack surface
> even if there was a proper and vulnerability-free permissions-management
> for GPS-location-access.

I'm closing this bugreport for the following reasons:
1. You write: "geoclue-2.0 and gpsd running by default". On my system:

       $ ps faux|grep gpsd|grep -v grep
       $

   -> that means that gpsd is not running by default and we do not have
      to fix that.
2. You write: "geoclue-2.0 and gpsd running by default". On my system:

       $ ps faux|grep geoclue|grep -v grep
       me 3089 0.0 0.0 234036 3100 ? Sl Apr20 0:00
        \_ /usr/libexec/geoclue-2.0/demos/agent
       $ apt-cache rdepends geoclue-2.0 --installed
       geoclue-2.0
       Reverse Depends:
         redshift
         libqt5positioning5

   -> please check on your system, who depends on geoclue-2.0 and if
      you think it is necessary, create a wishlist bug report on those
      packages that you have installed that depend on geoclue-2.0.

   I might note, that the geoclue-2.0 dependency is not hard for the
   packages I have installed, but a recommendation, so that I can still
   deinstall geoclue-2.0 if I think I do not want it:

       $ ( dpkg -s redshift ; dpkg -s libqt5positioning5 ) | grep geoclue-2.0
       Recommends: geoclue-2.0
       Recommends: geoclue-2.0
3. I assume that packages depending on geoclue-2.0 will possibly be able
to get some info on where you are. In the case of redshift that'll
probably be used to adjust your display brightness/color. That isn't
privacy invasive as far as I can see. So again no problem -> no bug.
In the same vein you could argue "packages should not use the network,
because that can invade your privacy, since they *can* send some info
about you and your device to somewhere". So yes, of course they can,
but the question is *do they*? If they don't then there's no breach of
privacy.
4. When you are assigning bug reports against "general" then it's very
   likely your bug report will be ignored, because nobody maintains a
   "general" package and thus nobody feels very much responsible for
   bugreports against the "general" pseudo package.
Thanks,
*t
--- End Message ---
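
The check from point 2 of the reply, generalized as an added example that is not part of the thread or of any Debian tool: it reads dpkg status stanzas and reports, per installed package, whether geoclue-2.0 is pulled in by a hard `Depends` or only by a `Recommends`, matching package names exactly rather than by substring. The function names and the `example-locator` package are hypothetical, the sample stanzas are constructed (only the two `Recommends` lines mirror the output quoted above), and it assumes each relationship field sits on one line.

```shell
#!/bin/sh
# Added example (not from the thread). Reads dpkg status stanzas on stdin and
# prints "package<TAB>field" for every installed package whose Pre-Depends,
# Depends, Recommends or Suggests names TARGET exactly.
dep_kinds() {
    awk -v target="$1" '
        /^Package:/ { pkg = $2; inst = 0; next }
        /^Status:/  { inst = ($0 ~ / installed$/); next }
        inst && /^(Pre-Depends|Depends|Recommends|Suggests):/ {
            field = $1; sub(/:$/, "", field)
            line = $0;  sub(/^[^:]*:[ \t]*/, "", line)
            n = split(line, items, /[,|]/)    # "a | b" alternatives count too
            for (i = 1; i <= n; i++) {
                name = items[i]
                sub(/^[ \t]+/, "", name)
                sub(/[ \t(:].*$/, "", name)   # drop "(>= 1.0)" and ":any"
                if (name == target) { print pkg "\t" field; break }
            }
        }'
}

# Packages that hold TARGET through a hard dependency (removal affects them).
hard_dependents() {
    dep_kinds "$1" | awk -F '\t' '$2 == "Depends" || $2 == "Pre-Depends" { print $1 }'
}

# Constructed sample input in dpkg status format; versions are made up and
# "example-locator" is a hypothetical package.
sample_status() {
    cat <<'EOF'
Package: redshift
Status: install ok installed
Depends: libc6 (>= 2.34), libx11-6
Recommends: geoclue-2.0

Package: libqt5positioning5
Status: install ok installed
Depends: libc6 (>= 2.14), libqt5core5a (>= 5.15.1)
Recommends: geoclue-2.0

Package: example-locator
Status: install ok installed
Depends: libc6, geoclue-2.0 (>= 2.5) | gpsd
EOF
}

# On a real system: dep_kinds geoclue-2.0 < /var/lib/dpkg/status
sample_status | dep_kinds geoclue-2.0
```
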