On 15326 March 1977, npd...@zoho.com wrote:
I am posting an excerpt from the 'Data privacy' page (https://www.debian.org/legal/privacy):
Service related logging
In addition to the explicitly listed services above the Debian infrastructure logs details about system accesses for the purposes of ensuring service availability and reliability, and to enable debugging and diagnosis of issues when they arise. This logging includes details of mails sent/received through Debian infrastructure, web page access requests sent to Debian infrastructure, and login information for Debian systems (such as SSH logins to project machines). None of this information is used for any purposes other than operational requirements and it is only stored for 15 days in the case of web server logs, 10 days in the case of mail log and 4 weeks in the case of authentication/ssh logs.
a) Does 'system' and 'Debian systems' in the above excerpt mean an installation of Debian OS?
No. It means a system installed and run by Debian admins providing a service. Like the machine handling this list, or a machine handling a webserver for www.debian.org.
b) I am assuming that 'Debian infrastructure' means the 'Debian Security Infrastructure' (https://www.debian.org/doc/manuals/securing-debian-howto/ch7) which is used to handle security in the stable distribution. Please correct me, if wrong.
No, it means the whole infrastructure. We have many machines.
c) Details regarding non-personally identifiable data: Does Debian (Debian.org) collect any kind of 'telemetry' or 'monitoring data' other than required for operational requirements? I am asking this as from a company's or business point of view: one is concerned about intellectual property, company data etc.
As written, no we do not.
d) (This is related to the above point) Does the statement in the above excerpt "This logging includes details..... login information for Debian systems" mean that Debian stores username and passwords of users? In my case: A local login not a network based login.
Not in the sense you read into it, no. We do not, in any way, collect users data of systems installed with Debian[1]. The above is for machines running "inside" the debian.org domain and affects Debian Developers, not any user who just happens to install Debian. [1] There is one tool named popcon. That does actually send data our way. That is opt-in and you can find more information at https://popcon.debian.org/ -- bye, Joerg