Comment by account42
2 days ago
Your link is about privacy issues in upstream software that Debian hasn't sufficiently worked around yet. The main advantage of the Distro model (as opposed to developer-maintained package ecosystems) is exactly that there is someone protecting you from questionable software "features".
I don't think Debian intentionally shields you from privacy-invading software. Other distros may differ on this point.
Debian does not mandate anything about privacy in its Policy Manual (which are the standards for selecting and packaging software that maintainers must adhere to): https://www.debian.org/doc/debian-policy/search.html?q=priva...
There's also no insistence on privacy in the Debian Social Contract or DFSG (not that these would be appropriate places for it, they're mainly about licensing)
> I don't think Debian intentionally shields you from privacy-invading software
There is a culture of valuing privacy though, including patching out privacy issues. Especially since a lot of Debian folks are from Europe, with corresponding GDPR knowledge.
I know that the lintian warnings pointing out privacy issues in HTML documentation do get a lot of patches.
Also, opensnitch is packaged as a mitigation.
You are right about the policy problem, Debian really needs to do something about that.
There is at least a privacy policy for Debian services.
https://www.debian.org/legal/privacy
> I don't think Debian intentionally shields you from privacy-invading software.
Don't they change the Firefox defaults for more privacy?
They do indeed, probably other packages have patches too.
Agreed, but it is definitely not enough, which is why some Debian folks packaged opensnitch.
Who protects you when the packagers decide to trust a shady CA (adding it to the root store) because it's used by the distro's infra?
Is this supposed to be some kind of gotcha argument? Against what?
Not exactly the same thing, but see https://en.wikipedia.org/wiki/GNU_IceCat#Additional_security....