On Fri, 10 Sep 2021 at 11:06, Felix Lechner <felix.lech...@lease-up.com> wrote:
>
> Hi,
>
> > The severity chosen for these tags/checks is not justified by any of our
> > policies, neither the Debian policy, nor the best packaging practices nor
> > any legal reason!
> >
> > There is no technical nor social justification for this severity.
> >
> > making our package compliant to this new privacy-policy doesn't add
> > any value to our users.
>
> I believe Debian users have a reasonable expectation to read static
> files on their own storage media without being monitored. That
> objection is based on my own everyday experience in working to improve
> Debian, the Golden rule [2] and item #4 of Debian's social contract
> ("Our priorities are our users"). [2]
>
> The legal landscape is also changing. At least Europe and California
> have seen shifts toward greater privacy protections for consumers
> since the bug was filed.
>
> [1] https://en.wikipedia.org/wiki/Golden_Rule
> [2] https://www.debian.org/social_contract
>
> > I simply morally disagree with removing donation requests from authors
>
> It is not the solicitation but the unexpected loading of network
> resources that violates privacy expectations. Many micro-donation
> services offer resources like images or active HTML components to
> evoke feelings of familiarity or goodwill. That allows them to see who
> is using which software, and who chooses not to donate. While such
> gamesmanship may be common while browsing online (there are tools to
> fight it [3][4]) it is unexpected when browsing static files located
> on one's own storage media.
>
> Another, more generalized solution could be to modify all browsers
> shipped in Debian so they do not load online resources without
> confirmation. Unfortunately, that separates the solution from the
> problems. It is more reliable to address the privacy breaches where
> they occur, i.e. in the affected files.
>
> There is no issue with authors requesting donations (or even with
> Debian promoting such requests, for example in package metadata). The
> moral charge that Lintian's privacy expectations starve authors is not
> reasonable. The request just has to be made without unexpectedly
> loading online resources.
>
> [3] https://privacybadger.org/
> [4] https://noscript.net/
>
> > I find it unacceptable that the burden to make packages "privacy"-
> > compliant to some users is put on the shoulders of myself and fellow DDs.
>
> Lintian already reduces the workload by locating the issues for
> maintainers. (We hope that most of our tags do that.) As for the
> actual burden, the task of creating patches that drop lines from
> upstream files is well within the capabilities of any DD with upload
> privileges. The burden is not unreasonable.
>
> I will likely close this bug without action.
>
> Please reply to Bug#743694 if your response concerns Lintian's
> treatment of privacy breaches. Thanks!
>
> Kind regards
> Felix Lechner

Note that I am working on a dh_fixhtml helper to automate the cleaning of privacy breaches.

Bastien
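
The distinction drawn in the quoted reply, between a donation link and a resource the browser fetches on its own when a local file is opened, can be checked mechanically. The following is an added example, not Lintian's check and not the dh_fixhtml helper mentioned above; the tag/attribute table, the function names and the sample HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed table: elements whose URL attribute is fetched at render time, without a click.
AUTO_LOAD = {
    "img": ("src",), "script": ("src",), "iframe": ("src",), "embed": ("src",),
    "object": ("data",), "audio": ("src",), "video": ("src", "poster"),
    "source": ("src",), "input": ("src",),
}
# <link> triggers a fetch only for some rel values; rel="author" and similar do not.
FETCHING_RELS = {"stylesheet", "icon", "preload", "prefetch", "modulepreload"}

# Constructed sample of a packaged static HTML file (all hosts are placeholders).
SAMPLE = """<link rel="stylesheet" href="style.css">
<link rel="stylesheet" href="//fonts.example.net/css?family=Sans">
<link rel="author" href="https://upstream.example.org/about">
<p>Please <a href="https://donate.example.org/project">donate</a>.</p>
<img src="https://donate.example.org/badge.png" alt="Donate">
<img src="images/logo.png" alt="logo">
<script src="https://stats.example.com/track.js"></script>
"""

def is_remote(url):
    """True for http(s) and protocol-relative URLs; False for relative paths and data: URIs."""
    parts = urlsplit(url.strip())
    return bool(parts.netloc) and parts.scheme in ("", "http", "https")

class RemoteLoadFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: v for k, v in attrs if v}  # drop valueless attributes
        names = AUTO_LOAD.get(tag, ())
        if tag == "link":
            rels = set(attrs.get("rel", "").lower().split())
            names = ("href",) if rels & FETCHING_RELS else ()
        for name in names:
            if is_remote(attrs.get(name, "")):
                self.findings.append((self.getpos()[0], tag, name, attrs[name]))

def find_remote_loads(html):
    """Return every element in `html` that makes a browser contact a remote host on open."""
    finder = RemoteLoadFinder()
    finder.feed(html)
    finder.close()
    return finder.findings
```

On the sample, the plain `<a href>` donation link and the `rel="author"` link are not reported; the remote stylesheet, the donation badge image and the tracking script are, with the line number a patch would need to drop or rewrite.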