Processed (with 1 error): Re: Bug#743694: lintian: Downgrade most of privacy-breach* tags from severity: error to pedantic

2022-07-07 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 wishlist
Unknown tag/s: wishlist.
Recognized are: patch wontfix moreinfo unreproducible help security upstream 
pending confirmed ipv6 lfs d-i l10n newcomer a11y ftbfs fixed-upstream fixed 
fixed-in-experimental sid experimental potato woody sarge sarge-ignore etch 
etch-ignore lenny lenny-ignore squeeze squeeze-ignore wheezy wheezy-ignore 
jessie jessie-ignore stretch stretch-ignore buster buster-ignore bullseye 
bullseye-ignore bookworm bookworm-ignore trixie trixie-ignore.

> tag -1 + wontfix
Bug #765503 [lintian] lintian: privacy-breach should be a warning, not an error
Bug #743694 [lintian] Downgrade most of privacy-breach* tags from severity: 
error to pedantic
Ignoring request to alter tags of bug #765503 to the same tags previously set
Ignoring request to alter tags of bug #743694 to the same tags previously set

-- 
743694: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743694
765503: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765503
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Processed (with 1 error): Re: Bug#743694: lintian: Downgrade most of privacy-breach* tags from severity: error to pedantic

2022-07-07 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 wishlist
Unknown tag/s: wishlist.
Recognized are: patch wontfix moreinfo unreproducible help security upstream 
pending confirmed ipv6 lfs d-i l10n newcomer a11y ftbfs fixed-upstream fixed 
fixed-in-experimental sid experimental potato woody sarge sarge-ignore etch 
etch-ignore lenny lenny-ignore squeeze squeeze-ignore wheezy wheezy-ignore 
jessie jessie-ignore stretch stretch-ignore buster buster-ignore bullseye 
bullseye-ignore bookworm bookworm-ignore trixie trixie-ignore.

> tag -1 + wontfix
Bug #743694 [lintian] Downgrade most of privacy-breach* tags from severity: 
error to pedantic
Bug #765503 [lintian] lintian: privacy-breach should be a warning, not an error
Added tag(s) wontfix.
Added tag(s) wontfix.

-- 
743694: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743694
765503: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765503
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#743694: lintian: Downgrade most of privacy-breach* tags from severity: error to pedantic

2022-07-07 Thread Axel Beckert
Control: tag -1 wishlist
Control: tag -1 + wontfix

Hi,

Paul Wise wrote on 11. Sep. 2021:
> I think that the privacy breaches that lintian complains about
> represent several sets of bugs that all need fixing:

I strongly agree with pabs and his (no more copied) explanations and
reasoning. These are real issues which are clearly neither minor nor
even pedantic. These are issues which need to be fixed.

From my point of view, this is not even a bug, but a feature request.

Regards, Axel
-- 
 ,''`.  |  Axel Beckert , https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE



Processed: Re: Bug#743694: lintian: Downgrade most of privacy-breach* tags from severity: error to pedantic

2021-09-17 Thread Debian Bug Tracking System
Processing control commands:

> severity -1 normal
Bug #743694 [lintian] Downgrade most of privacy-breach* tags from severity: 
error to pedantic
Bug #765503 [lintian] lintian: privacy-breach should be a warning, not an error
Severity set to 'normal' from 'important'
Severity set to 'normal' from 'important'

-- 
743694: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743694
765503: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765503
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#743694: lintian: Downgrade most of privacy-breach* tags from severity: error to pedantic

2021-09-17 Thread Felix Lechner
Control: severity -1 normal

Hi,

On Fri, Sep 10, 2021 at 6:21 AM Daniel Leidert wrote:
>
> I would doubt our FTP masters if they accept packages with
> lintian errors

Actually, they do! The FTP Masters publish the list of tags they do
not accept. [1] The privacy tags are not on it. Lintian offers a
command line option ('--ftp-master-rejects') to check prospective
uploads against the list. For convenience, we also dedicated a page to
it on our website. [2]

When this bug was filed over seven years ago, the potential rejection
of uploads supported an elevated severity. The cited reason holds no
longer. Somewhat sadly, the privacy topic also does not resonate with
contributors. [3][4] As another point of evidence Bug#765503—filed
half a year later and then merged into this report—reached us with a
more appropriate 'normal' severity. [5]

In consideration of the changed circumstances, the present report is
likewise downgraded to 'normal'.

Kind regards
Felix Lechner

[1] https://ftp-master.debian.org/static/lintian.tags
[2] https://lintian.debian.org/autoreject
[3] https://lists.debian.org/debian-vote/2021/09/msg1.html
[4] https://lists.debian.org/debian-vote/2021/09/msg5.html
[5] https://bugs.debian.org/765503



Bug#743694: lintian: Downgrade most of privacy-breach* tags from severity: error to pedantic

2021-09-10 Thread Paul Wise

I think that the privacy breaches that lintian complains about
represent several sets of bugs that all need fixing:

The browsers shipping in Debian place no barriers between local files
on disk, sites on the local network and sites on the Internet. So if
someone reads some local documentation they didn't get from Debian
using a browser from Debian, they could have a privacy violation.

The documentation available in Debian may suggest readers request
resources not available as local files on disk. Even if we fix the
browsers available in Debian, users may read Debian documentation using
browsers not available in Debian, they could have a privacy violation.
When Debian documentation is copied to the web the same occurs.

The web applications available in Debian may suggest visitors request
resources not available on the same web service. Since most web
browsers don't block third-party requests by default, those visitors,
who are only indirectly Debian users, could have a privacy violation.
The same applies when Debian documentation is copied to a website.

Daniel Leidert wrote:

> To put packages through NEW they have to be lintian clean.

Not in my experience, I haven't tested it for the privacy tags though.

> The severity is not backed up by any of our policies.

I believe the issues to be a violation of the social contract,
albeit one of the parts that are aspirational rather than concrete.

> what right do we have to remove donation requests

That would be the wrong thing to do but that isn't what is requested.

> you have already configured your whole system

The majority people who are affected by privacy violations probably
don't understand that those violations exist, nor that mitigations
exist nor what those mitigations are nor how to configure them and
probably those mitigations are going to break their workflows.

> they are still tracked by hundreds of cookies
> while browsing websites or reading mails

This is being improved by the browser vendors, which are moving towards
blocking third-party cookies entirely.

> It just creates burden on fellow developers.

I believe that the burden exists, but is fairly minimal, replacing an
image with a styled button or similar is usually fairly simple.

PS: there are many more types of privacy violations in Debian:

https://wiki.debian.org/PrivacyIssues

-- 
bye,
pabs

https://wiki.debian.org/PaulWise


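The three scenarios above reduce to one mechanical question: which references in an HTML file shipped on disk make the browser open a network connection as soon as the page is rendered, before the reader clicks anything. The script below is an added illustration for this thread, not lintian's own check (lintian is written in Perl and its privacy-breach checks are more thorough than this); the sample page, host names and URLs are constructed, and the table of fetching attributes and the list of non-fetching `<link rel>` values are my own approximations. It flags resources fetched at load time, leaves plain `<a href>` links alone (they are only followed on click), and shows the fix Paul describes: swapping a remotely hosted badge for its alt text, so the donation link survives but nothing is requested until the reader chooses to follow it.

```python
# Added illustration for this thread, not lintian's own (Perl) check; the
# sample page, hosts and URLs are constructed and the attribute tables assumed.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Element attributes the browser resolves and fetches while rendering.
# A plain <a href> is deliberately absent: it is only followed on click.
FETCH_ATTRS = {
    "img": ("src", "srcset"), "source": ("src", "srcset"), "script": ("src",),
    "iframe": ("src",), "embed": ("src",), "object": ("data",), "audio": ("src",),
    "video": ("src", "poster"), "link": ("href",),
}
# <link> relations that are not fetched at load time (assumed list).
NO_FETCH_RELS = {"canonical", "alternate", "author", "license", "help", "next", "prev"}
# url(...) and @import inside <style> blocks or style="" attributes.
CSS_URL_RE = re.compile(
    r"""url\(\s*['"]?([^'")\s]+)['"]?\s*\)"""
    r"""|@import\s+['"]([^'"]+)['"]""", re.I)
IMG_RE = re.compile(r"<img\b[^>]*>", re.I)
ATTR_RE = r"""\b{name}\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))"""
SRC_RE = re.compile(ATTR_RE.format(name="src"), re.I)
ALT_RE = re.compile(ATTR_RE.format(name="alt"), re.I)

def is_remote(url):
    """True if resolving this reference leaves the local machine."""
    url = url.strip()
    if url.startswith("//"):          # protocol-relative is still remote
        return True
    return urlsplit(url).scheme.lower() in ("http", "https", "ftp")

def _srcset_urls(value):
    # srcset is "url [descriptor], url [descriptor], ..."; keep only the URLs
    return [part.split()[0] for part in value.split(",") if part.strip()]

def _css_urls(css):
    return [a or b for a, b in CSS_URL_RE.findall(css)]

class RemoteResourceScanner(HTMLParser):
    """Collect (tag, attribute, url) for every remote fetch the page triggers."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._style = None            # buffer while inside <style>...</style>

    def _check(self, tag, attr, url):
        if is_remote(url):
            self.findings.append((tag, attr, url.strip()))

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "style":
            self._style = []
        for url in _css_urls(attrs.get("style", "")):   # inline style="..."
            self._check(tag, "style", url)
        if tag == "link":
            rels = set(attrs.get("rel", "").lower().split())
            if rels and rels <= NO_FETCH_RELS:
                return
        for attr in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(attr, "")
            for url in (_srcset_urls(value) if attr == "srcset" else [value]):
                if url:
                    self._check(tag, attr, url)

    def handle_data(self, data):
        if self._style is not None:
            self._style.append(data)

    def handle_endtag(self, tag):
        if tag == "style" and self._style is not None:
            for url in _css_urls("".join(self._style)):
                self._check("style", "css", url)
            self._style = None

def scan_html(html):
    scanner = RemoteResourceScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def replace_remote_images(html):
    # Swap each remotely hosted <img> for its alt text; local images stay. A badge
    # inside <a href=...> becomes a text link: nothing is fetched until a click.
    def first(match):
        return next((g for g in match.groups() if g is not None), "") if match else ""
    def swap(m):
        tag = m.group(0)
        return tag if not is_remote(first(SRC_RE.search(tag))) else first(ALT_RE.search(tag))
    return IMG_RE.sub(swap, html)

# Constructed sample: a manual page as it might be shipped under /usr/share/doc.
SAMPLE_HTML = """<!DOCTYPE html><html><head><link rel="stylesheet" href="style.css">
<link rel="stylesheet" href="https://fonts.example.org/css?family=Sans">
<link rel="canonical" href="https://docs.example.org/manual/">
<script src="https://cdn.example.org/lib/jquery.min.js"></script>
<style>body { background: url(//static.example.org/bg.png); }</style></head>
<body><img src="images/logo.png" alt="Project logo"><p>Support development:
<a href="https://donate.example.org/"><img src="https://donate.example.org/badge.png" alt="Become a supporter"></a></p>
<div style="background-image: url('bg/local.png')">local CSS asset</div></body></html>"""
```

Running `scan_html(SAMPLE_HTML)` returns four findings (the remote font stylesheet, the CDN script, the background image in the style block and the donation badge) and nothing for the local stylesheet, the logo, the canonical link, the inline local CSS asset or the anchor itself; `replace_remote_images(SAMPLE_HTML)` turns the badge into the plain text link Bill suggests while leaving the local logo untouched, after which the scan reports only the three remaining load-time fetches.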


Bug#743694: lintian: Downgrade most of privacy-breach* tags from severity: error to pedantic

2021-09-10 Thread Daniel Leidert
Am Freitag, dem 10.09.2021 um 15:46 +0200 schrieb Bill Allombert:
> On Fri, Sep 10, 2021 at 02:41:20PM +0200, Daniel Leidert wrote:
> > And once again: What is the sense and what right do we have to remove
> > donation
> > requests just because they use icons of paypal/patreon/github/whatever
> > which we
> > cannot distribute?
> 
> If upstream cannot be bothered to provide a DFSG-compatible donation
> document, one can just replace it by an explicit link to the page on its
> website. Users need an internet connection to make a donation in any
> case.

What are you talking about? How is such a donation link not DFSG compatible and
how does it violate the DFSG?


Daniel
-- 
Regards,
Daniel Leidert  | https://www.wgdd.de/
GPG-Key RSA4096 / BEED4DED5544A4C03E283DC74BCD0567C296D05D
GPG-Key ED25519 / BD3C132D8B3805D1808123AB7ACE00941E338C78

https://www.fiverr.com/dleidert
https://www.patreon.com/join/dleidert




Bug#743694: lintian: Downgrade most of privacy-breach* tags from severity: error to pedantic

2021-09-10 Thread Bill Allombert
On Fri, Sep 10, 2021 at 02:41:20PM +0200, Daniel Leidert wrote:
> And once again: What is the sense and what right do we have to remove donation
> requests just because they use icons of paypal/patreon/github/whatever which 
> we
> cannot distribute?

If upstream cannot be bothered to provide a DFSG-compatible donation
document, one can just replace it by an explicit link to the page on its
website. Users need an internet connection to make a donation in any
case.

Cheers,
-- 
Bill. 

Imagine a large red swirl here. 



Bug#743694: lintian: Downgrade most of privacy-breach* tags from severity: error to pedantic

2021-09-10 Thread Daniel Leidert
Am Freitag, dem 10.09.2021 um 15:10 +0200 schrieb Bill Allombert:
> On Fri, Sep 10, 2021 at 02:41:20PM +0200, Daniel Leidert wrote:
> > Am Freitag, dem 10.09.2021 um 13:56 +0200 schrieb Bill Allombert:

[..]
> > > Lintian errors do not by themselves create more work to package
> > > maintainers since they can be ignored,
> > 
> > a) This is untrue. To put packages through NEW they have to be lintian
> > clean.
> 
> Is it actually the case ?  This is not my experience.

Citing the Reject FAQ:

Lintian errors and warnings, without a good reason to ignore them, can get you
a reject. Sometimes there are valid reasons, but then you should either file a
bug against lintian if it's generally wrong, or include an override in your
package, giving a reason in the changelog for it.

I have seen it (and I would doubt our FTP masters if they accept packages with
lintian errors TBH). I filed a bug because I believe the severity is wrong.

https://bugs.debian.org/743649#13

Regards, Daniel
-- 
Regards,
Daniel Leidert  | https://www.wgdd.de/
GPG-Key RSA4096 / BEED4DED5544A4C03E283DC74BCD0567C296D05D
GPG-Key ED25519 / BD3C132D8B3805D1808123AB7ACE00941E338C78

https://www.fiverr.com/dleidert
https://www.patreon.com/join/dleidert




Bug#743694: lintian: Downgrade most of privacy-breach* tags from severity: error to pedantic

2021-09-10 Thread Bill Allombert
On Fri, Sep 10, 2021 at 02:41:20PM +0200, Daniel Leidert wrote:
> I'm not sure why this x-post over a dozen addresses, but if you wish so...
> 
> Am Freitag, dem 10.09.2021 um 13:56 +0200 schrieb Bill Allombert:
> > On Fri, Sep 10, 2021 at 04:05:32AM -0700, Felix Lechner wrote:
> > > Hi,
> > > 
> > > > The severity chosen for these tags/checks is not justified by any of our
> > > > policies, neither the Debian policy, not the best packaging practises 
> > > > nor
> > > > any legal reason!
> > > > 
> > > > There is no technical nor social justification for this severity.
> > > > 
> > > > making our package compliant to this new privacy-policy doesn't add
> > > > any value to our users.
> 
> [snip]
> 
> > Thanks for taking this stance. Phoning home without the user consent has
> > always been treated as a RC bug.
> 
> Please provide examples.
> 
> > Lintian errors do not by themselves create more work to package
> > maintainers since they can be ignored,
> 
> a) This is untrue. To put packages through NEW they have to be lintian clean.

Is it actually the case ?  This is not my experience.

Cheers,
-- 
Bill. 

Imagine a large red swirl here. 



Bug#743694: lintian: Downgrade most of privacy-breach* tags from severity: error to pedantic

2021-09-10 Thread Daniel Leidert
Same here, no idea why this x-post over so many addresses...

Am Freitag, dem 10.09.2021 um 04:05 -0700 schrieb Felix Lechner:
> 
> > The severity chosen for these tags/checks is not justified by any of our
> > policies, neither the Debian policy, not the best packaging practises nor
> > any legal reason!
> > 
> > There is no technical nor social justification for this severity.
> > 
> > making our package compliant to this new privacy-policy doesn't add
> > any value to our users.
> 
> I believe Debian users have a reasonable expectation to read static
> files on their own storage media without being monitored. That
> objection is based on my own everyday experience in working to improve
> Debian, the Golden rule [2] and item #4 of Debian's social contract
> ("Our priorities are our users"). [2]

If you are *that* concerned about the privacy breaches created by websites
contacting servers you have already configured your whole system to deal with
that. And then this whole thing here does not add any value. It also doesn't
add much value to other users less concerned either, because we only change a
few HTML sites while they are still tracked by hundreds of cookies while
browsing websites or reading mails.

It just creates burden on fellow developers. While we have often found
reasonable solutions (e.g. packaging javascript libraries and using them
instead of web resources), I don't think this here is one of them. IIRC I got
this error because of a donation request a software author made in their
software using an icon at an online resource. I am not willing to remove or
cripple that. If you are, well, then better come up with a solution for these
cases.

FTR: What I see is not users requesting this. What I see is a small group of
developers which made that their objective and try to enforce that objective by
misusing lintian to produce error messages instead of messages with a justified
priority.

> 
[..]
> I will likely close this bug without action.

Well, then I bring this to the TC's attention. I believe your actions aren't
justified.


Regards, Daniel
-- 
Regards,
Daniel Leidert  | https://www.wgdd.de/
GPG-Key RSA4096 / BEED4DED5544A4C03E283DC74BCD0567C296D05D
GPG-Key ED25519 / BD3C132D8B3805D1808123AB7ACE00941E338C78

https://www.fiverr.com/dleidert
https://www.patreon.com/join/dleidert




Bug#743694: lintian: Downgrade most of privacy-breach* tags from severity: error to pedantic

2021-09-10 Thread Bill Allombert
On Fri, Sep 10, 2021 at 04:05:32AM -0700, Felix Lechner wrote:
> Hi,
> 
> > The severity chosen for these tags/checks is not justified by any of our
> > policies, neither the Debian policy, not the best packaging practises nor
> > any legal reason!
> >
> > There is no technical nor social justification for this severity.
> >
> > making our package compliant to this new privacy-policy doesn't add
> > any value to our users.
> 
> I believe Debian users have a reasonable expectation to read static
> files on their own storage media without being monitored. That
> objection is based on my own everyday experience in working to improve
> Debian, the Golden rule [2] and item #4 of Debian's social contract
> ("Our priorities are our users"). [2]
> 
> The legal landscape is also changing. At least Europe and California
> have seen shifts toward greater privacy protections for consumers
> since the bug was filed.
> 
> [1] https://en.wikipedia.org/wiki/Golden_Rule
> [2] https://www.debian.org/social_contract
> 
> > I simply morally disagree with removing donation requests from authors
> 
> It is not the solicitation but the unexpected loading of network
> resources that violates privacy expectations. Many micro-donation
> services offer resources like images or active HTML components to
> evoke feelings of familiarity or goodwill. That allows them to see who
> is using which software, and who chooses not to donate. While such
> gamesmanship may be common while browsing online (there are tools to
> fight it [3][4]) it is unexpected when browsing static files located
> on one's own storage media.
> 
> Another, more generalized solution could be to modify all browsers
> shipped in Debian so they do not load online resources without
> confirmation. Unfortunately, that separates the solution from the
> problems. It is more reliable to address the privacy breaches where
> they occur, i.e. in the affected files.
> 
> There is no issue with authors requesting donations (or even with
> Debian promoting such requests, for example in package metadata). The
> moral charge that Lintian's privacy expectations starve authors is not
> reasonable. The request just has to be made without unexpectedly
> loading online resources.
> 
> [3] https://privacybadger.org/
> [4] https://noscript.net/
> 
> > I find it unacceptable that the burden to make packages "privacy"-
> > compliant to some users is put on the shoulders of myself and fellow DDs.
> 
> Lintian already reduces the workload by locating the issues for
> maintainers. (We hope that most of our tags do that.) As for the
> actual burden, the task of creating patches that drop lines from
> upstream files is well within the capabilities of any DD with upload
> privileges. The burden is not unreasonable.

Thanks for taking this stance. Phoning home without the user consent has
always been treated as a RC bug.

Lintian errors do not by themselves create more work to package
maintainers since they can be ignored, instead they present an
advance warning of a potential bug report about privacy violation,
which can save time unless the maintainers plan was to hide the issue
under the carpet which contradict SC #3 "we will not hide problems".

Cheers,
-- 
Bill. 

Imagine a large red swirl here. 



Bug#743694: lintian: Downgrade most of privacy-breach* tags from severity: error to pedantic

2021-09-10 Thread Felix Lechner
Hi,

> The severity chosen for these tags/checks is not justified by any of our
> policies, neither the Debian policy, not the best packaging practises nor
> any legal reason!
>
> There is no technical nor social justification for this severity.
>
> making our package compliant to this new privacy-policy doesn't add
> any value to our users.

I believe Debian users have a reasonable expectation to read static
files on their own storage media without being monitored. That
objection is based on my own everyday experience in working to improve
Debian, the Golden rule [2] and item #4 of Debian's social contract
("Our priorities are our users"). [2]

The legal landscape is also changing. At least Europe and California
have seen shifts toward greater privacy protections for consumers
since the bug was filed.

[1] https://en.wikipedia.org/wiki/Golden_Rule
[2] https://www.debian.org/social_contract

> I simply morally disagree with removing donation requests from authors

It is not the solicitation but the unexpected loading of network
resources that violates privacy expectations. Many micro-donation
services offer resources like images or active HTML components to
evoke feelings of familiarity or goodwill. That allows them to see who
is using which software, and who chooses not to donate. While such
gamesmanship may be common while browsing online (there are tools to
fight it [3][4]) it is unexpected when browsing static files located
on one's own storage media.

Another, more generalized solution could be to modify all browsers
shipped in Debian so they do not load online resources without
confirmation. Unfortunately, that separates the solution from the
problems. It is more reliable to address the privacy breaches where
they occur, i.e. in the affected files.

There is no issue with authors requesting donations (or even with
Debian promoting such requests, for example in package metadata). The
moral charge that Lintian's privacy expectations starve authors is not
reasonable. The request just has to be made without unexpectedly
loading online resources.

[3] https://privacybadger.org/
[4] https://noscript.net/

> I find it unacceptable that the burden to make packages "privacy"-
> compliant to some users is put on the shoulders of myself and fellow DDs.

Lintian already reduces the workload by locating the issues for
maintainers. (We hope that most of our tags do that.) As for the
actual burden, the task of creating patches that drop lines from
upstream files is well within the capabilities of any DD with upload
privileges. The burden is not unreasonable.

I will likely close this bug without action.

Please reply to Bug#743694 if your response concerns Lintian's
treatment of privacy breaches. Thanks!

Kind regards
Felix Lechner