[Dev] the 'your-privacy' blacklisting process should be more rigorous

Bill Auger mr.j.spam.me at gmail.com
Tue Jun 20 04:32:45 GMT 2017


i intended to raise the question of whether the 'your-privacy' package
should be included in the parabola 'base' and 'base-openrc' packages -
however after taking a closer look at it today, it seems to me
whatever processes or criteria used are not very thoughtful - clearly
these are not so straight-forward as licensing issues of
'your-freedom' but i think there is much room for improvement here
especially regarding the information explaining the rationale for
blacklisting any particular package - even with freedom issues,
parabola has tended to take a zealous approach at the first sign of
doubt without requiring proof, as demonstrated by the recent chromium
controversy - although the hard-line approach may appear admirable to
some, such actions should be immediately followed up with some
responsible investigation, validation, and most importantly for
transparency: a report on the findings and final decision of at least
one paragraph long - there should probably be an entire wiki page
devoted to this and it should be standard protocol for any blacklisted
package - currently the only documentation required or recommended for
a blacklisted package is a single line
"original-package:[libre-replacement]:[ref]:[id]:short description" in
the blacklist.txt file itself (per:
https://wiki.parabola.nu/How_to_Blacklist_a_package)

this lack of documentation is most clear on the 'your-privacy'
blacklist - currently, most of the blacklisted packages say only
"provides support for unsafe and dangerous for privacy services" - but
that is not more than a re-iteration of the description of the
'your-privacy' package itself: "This package will remove support for
protocols and services known to endanger privacy." - even so,
"provides support for" is not a valid implication - the mere fact that
your PC has a network card installed with its driver loaded "provides
support for unsafe and dangerous for privacy services" - i personally
am very dissatisfied with such vague justification - another example
is the description of the 'your-freedom_emu' blacklist which does not
indicate anything that would justify it: "This package removes
emulators that runs free games and/or OS technically." - "... runs
free games and/or OS ..." is clearly not a problem so i suspect there
is a more valid explanation lurking here that was unfortunately left
unsaid

i propose that each of those blacklisted programs should have a
detailed explanation as to what precisely are its problematical points
- they should also indicate whether or not a replacement exists in the
'libre' or 'non-prism' repos and perhaps with a link to any relevant
discussion that took place regarding that package and ideally pointing
at the actual non-free components or privacy invading mechanism in the
code itself - in cases where no replacement exists it would be
reasonable to say why that is so (either it is technically not
possible or simply no one has had the time to do it yet) - in the
latter case it could also be added to the under-utilized "Package Todo
List" https://www.parabola.nu/todo/ which currently has exactly 3
items on it from 2010 - without such information only the person who
blacklisted the package knows why and so it will probably never be
rescued
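The post quotes the one-line blacklist.txt format ("original-package:[libre-replacement]:[ref]:[id]:short description") and complains that most entries carry no replacement, no reference, and only a boilerplate description. The following is an added example, not Parabola's own tooling: a small linter that parses lines in that format and reports exactly those documentation gaps. It assumes the bracketed fields are optional (left empty), that a colon separates the five fields, and that only the final description field may itself contain colons; the sample lines and the "issue-1"/"123" reference values are constructed for the demonstration.

```python
"""Lint blacklist.txt-style entries for the documentation gaps described in the post.

Added example (not Parabola's own code).  Assumed line format:
    original-package:[libre-replacement]:[ref]:[id]:short description
Bracketed fields are optional and left empty; only the description may
contain further colons.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Descriptions quoted in the post that merely restate the meta-package's
# own summary and explain nothing about the individual package.
BOILERPLATE = {
    "provides support for unsafe and dangerous for privacy services",
    "this package removes emulators that runs free games and/or os technically.",
}


@dataclass
class Entry:
    package: str
    replacement: str
    ref: str
    entry_id: str
    description: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one blacklist line; returns None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # maxsplit=4 keeps any colons inside the free-text description intact.
    parts = line.split(":", 4)
    if len(parts) != 5:
        raise ValueError(f"expected 5 colon-separated fields: {line!r}")
    return Entry(*(p.strip() for p in parts))


def lint(entry: Entry) -> List[str]:
    """Return the documentation problems an entry has, in the post's terms."""
    problems: List[str] = []
    desc = entry.description.lower()
    if not desc:
        problems.append("no description")
    elif desc in BOILERPLATE:
        problems.append("description is generic boilerplate")
    elif len(desc.split()) < 4:
        problems.append("description too short")
    if not entry.replacement:
        problems.append("no libre replacement named")
    if not entry.ref:
        problems.append("no reference to rationale/discussion")
    return problems


def lint_file(text: str) -> Dict[str, List[str]]:
    """Map package name -> problems, for every entry that has at least one."""
    report: Dict[str, List[str]] = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        problems = lint(entry)
        if problems:
            report[entry.package] = problems
    return report


# Constructed sample lines; not taken from the real blacklist.txt.
SAMPLE = """\
# constructed sample blacklist
foo-client::::provides support for unsafe and dangerous for privacy services
bar-emu:::123:This package removes emulators that runs free games and/or OS technically.
baz:baz-libre:issue-1:124:phones home to example.invalid on start; see the linked issue (note: a colon)
qux::::
"""

if __name__ == "__main__":
    for package, problems in lint_file(SAMPLE).items():
        print(f"{package}: {'; '.join(problems)}")
```

Run as a script it prints one line per under-documented entry; the well-documented "baz" line, which names a replacement, a reference and a specific description, produces no output, which is the standard the post argues every entry should meet.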
