Bug#898479: [gnome] gnome-software should detach fwupd as a dependency

[kardan]

fwupd consists of 

> fwupd - Firmware update daemon
> fwupd-doc - Firmware update daemon documentation (HTML format)
> fwupd-tests - Test suite for firmware update daemon
> gir1.2-fwupd-2.0 - GObject introspection data for libfwupd
> libfwupd-dev - development files for libfwupd
> libfwupd2 - Firmware update daemon library
> fwupdate - Tools to manage UEFI firmware updates
> libfwup-dev - Development headers for libfwup
> libfwup1 - Library to manage UEFI firmware updates

gnome-software depends on libfwupd2 and suggests fwupd. On a fresh
stretch 

- "dpkg -l|grep fwupd" lists

> ii  libfwupd1:amd64 0.7.4-2 amd64 Firmware update daemon library

- "apt-get autoremove gnome-software" will remove fowllowing packages

> The following packages will be REMOVED:                
>   fonts-sil-gentium fonts-sil-gentium-basic gnome gnome-core
> gnome-software gnome-software-common hyphen-en-us libappstream-glib8
> libbsh-java libfwupd1 libgcab-1.0-0 libreoffice libreoffice-help-en-us
> libreoffice-librelogo libreoffice-nlpsolver libreoffice-ogltrans
> libreoffice-pdfimport libreoffice-script-provider-bsh
> libreoffice-script-provider-js libreoffice-script-provider-python
> libreoffice-wiki-publisher mythes-en-us task-gnome-desktop

including libfwupd1, which

> Description-en: Library to manage UEFI firmware updates
>  fwupdate provides functionality to update system firmware. It has
> been initially designed to update firmware using UEFI capsule
> updates, but it is designed to be extensible to other firmware update
> standards. .
>  This library is to allow for the simple manipulation of UEFI firmware
> updates. Description-md5: e3969afc33c85ca9cf78ec51008936f0

has the functionality to "update system firmware".

Can you guarantee that it is not used by any application
(without user interaction)?

> that sounds like visiting any web site in a browser. Should
> we stop installing Firefox?
> 
> Checking for updates using apt also reveals that information.

Question is to whom. LVFS is still hosted on an amazon server
(although planned to be transferred to the Linux Foundation []). Debian
should not repeat Ubuntu's mistakes. We know that Canonical / Ubuntu /
Gnome had ties with amazon's quick search and hoped that debian
developers had more scruples regarding privacy.

https://en.wikipedia.org/wiki/Ubuntu_(operating_system)#Amazon_controversy

Quoting the article:

> According to the developer, fwupd.org is hosted on Amazon EC2. Amazon
> (beside many other companies as well) has donated $2000 per year to
> develop the project, and provides some hosting features for free as
> well. fwupd.org domain name is registered in the personal name of the
> project’s developer (if you check from who.is).

> > https://fosspost.org/analytics/privacy-security-concern-regarding-gnome-software
>
> Did you read the replies from the fwupd maintainer, Richard Hughes?
> 
> I would actually argue that Debian GNOME should recommend fwupd like
> most other distros do.

His answer was longer, just quoting relevant parts:

> Sure, we get the IP address and the user-agent when downloading the
> firmware file. The metadata is downloaded from the CDN so we see very
> little as there are basically no logs there. You only upload the
> firmware report when you’ve actually done a firmware update and you
> want to *opt-in* to sharing metadata with us. We show you in the
> console exactly what data is sent; the *exact* json string.

I read his answers and including the reaction to add a dialogue for
Redhat. Why doesn't Debian request something similar as the article
suggested?

https://github.com/GNOME/gnome-software/commit/d695afcf9a762fdee500c26e9d42e7f42149d950

As a debian user i expect that services hosted by private companies are
not enabled by default. If this is not the case, some users may be
disappointed and loose trust in Debian.

If fwupd is an import service for the system, why is it only included
in GNOME?

Best,
kardan