[3dprinter-general] Bug#884709: cura: Require explicit consent to anonymous slicing statistics

Petter Reinholdtsen pere at hungry.com
Thu Jan 25 07:37:42 UTC 2018 

Hi.

I asked on #debian-devel for input on this issue, and the general consensus
as I read it is that the default should be to not send out anything, and
this should only be changed when the user make an active choice to change it.

Here is the IRC thread.

<pere> hi.  I'm trying to locate a good reference on debians policy on spyware
  and software that 'call home', without any luck so far.  anyone know if there
  are any good explanation on Debians stance on this?
<nthykier> pere: I am not aware that we have a written policy on this.  We got
  some lintian tags for finding "privacy-braches" (e.g. facebook javascript
  load requests), which is the most structured thing I am aware of in this field.
<ron> yeah, there's probably a rough informal "kill it with fire"
  consensus - but then we also ship chrome, so ...
<pere> the background is trying to explain to upstream why its 'collect
  stats from users' mechanism should default to 'no' in Debian.
* pabs guesses the social contract is the closest thing to a policy we have on this
<ron> might be easier better to explain why it should default to no
  everywhere, and only be enabled with explicit consent :)
<pere> doing it upstream would reduce the translation burden in Debian, as
  the texts need to be changed to reflect the new default.
<pere> ron: nah, proved to not be very simple. :)
<pabs> which package is this about?
<wRAR> no, we don't have anything that you can send to the upstream, only
  ad-hoc lintian tags without a justification
<pere> see <URL: https://github.com/Ultimaker/Cura/issues/2810#issuecomment-359250182 >
  for the upstream discussion.  we simply disabled it in debian, but find it
  perfectly fine to ask the user on first use, as long as the default is 'no'.
<ron> if they don't see/accept the principle, then "Debian says you should"
  probably won't be convincing either
<ron> which really leaves 1. don't include it in debian, 2. else publicise
  it does this and patch it out.
<pere> I suspect the 'some random guy say so' have less weight than
  'the debian project as a whole say so'.
<pere> ron: we did 2 so far.
<wRAR> well, the debian project as a whole doesn't say anything on this
<wRAR> ron: 3. leave it as is
<ron> yeah, but anyone convinced by "appeal to authority" rather than
  the merits of the argument is on the losing side of logic to begin with ;)
<wRAR> indeed
<pere> my understanding of our culture, is that we do not accept 'phone
  home' software to enable the spyware feature by default.
<wRAR> it's not written anywhere
<pabs> I'd say leave it up to the user, first start should have buttons
  "spy on me" and "don't spy on me"
<wRAR> the lintian tags are not autoreject AFAIK
<pere> ron: feel free to chime in on the upstream bug, perhaps you have
  more success than me. :)
<pere> pabs: I'm fine with asking the user, as long as the casual user
  failing to read the question properly get 'no' as the default.
<pabs> I suggest not including yes/no buttons, because users never read those
<pabs> "spy on me" and "don't spy on me" buttons mean they don't have to
  read the question, just the button they click
<ron> the question doesn't need to be that loaded if it's really "anonymous"
  stats which help guide dev work or find bugs.
<ron> we don't ask "do you want debian to spy on you" for the popcon question :)
<wRAR> yup
<ron> but it definitely shouldn't be sending anything out without informed consent
<pabs> sure, I'm not saying to literally use that text :)
<pere> thank you.  I'm updating the Debian bug with this conversation.
-- 
Happy hacking
Petter Reinholdtsen

More information about the 3dprinter-general mailing list