5/22/2025 at 7:58:57 AM
Debian will remove code that “calls home”
or tries to update software in a way that
bypasses the Debian packaging system.
Thank god. I'm so happy that such a distro exists.
by TekMol
5/22/2025 at 11:30:56 AM
Most good stuffed Distros do this. For example SUSE recently banned a package because of "calling home", e.g. it did side-loading. https://security.opensuse.org/2025/05/07/deepin-desktop-remo...
Debian indeed does this. In release FF has disabled telemetry: https://wiki.debian.org/Firefox
by exiguus
5/22/2025 at 2:22:14 PM
Unfortunately that is not entirely true. For example, when closing Firefox on OpenSUSE Leap 15.6, "pingsender" is launched to collect telemetry:
It has been there for years. It is also on other distros.
by gus_
5/22/2025 at 4:30:32 PM
Did someone report/open an issue about it? Maybe it's as simple as them not being aware of it.
by diggan
5/22/2025 at 1:04:21 PM
I wouldn't think the Firefox license allows them to do that. I thought only binaries built by Mozilla could use the FF brand.
by winternewt
5/22/2025 at 1:07:04 PM
Indeed, Mozilla only recently allowed Debian to use the brand for their modified version: https://en.wikipedia.org/wiki/Debian%E2%80%93Mozilla_tradema...
by rmccue
5/22/2025 at 3:13:34 PM
Recently? It was almost a decade ago: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=815006
by jefftk
5/22/2025 at 1:20:32 PM
That’s the reason for a while we had IceWeasel
by akdev1l
5/22/2025 at 8:48:22 AM
This is unfortunately not part of Debian Policy yet, and there are still lots of privacy issues of different severities in Debian.
by pabs3
5/22/2025 at 10:05:03 AM
I don't use Debian for servers nor personal computers anymore, but the fact that they themselves host a page explaining potential privacy issues with Debian makes me trust them a lot more, and feel safer recommending it to others when it fits.
by diggan
5/22/2025 at 1:56:13 PM
That's just a wiki page, written by myself and a bunch of other Debian members/contributors. Don't read too much into it :)
by pabs3
5/22/2025 at 10:13:26 AM
What are you using instead now? NixOS?
by keysdev
5/22/2025 at 10:16:25 AM
Yeah, NixOS for all servers (homelab + dedicated remote ones) and Arch on desktop.
by diggan
5/22/2025 at 10:22:59 AM
Arch is a minefield in this regard tbh
by spookie
5/23/2025 at 1:13:22 PM
Hey, I might be too late to the party, but I'd love to get some more info about your comment.
Imagine me: I'd consider myself a Linux noob, although I probably am not anymore. I have used Arch Linux for about 3 years now as my daily driver. I'm not young anymore - I didn't grow up with computers - I don't have it in my blood. I don't have formal education in anything computer and have never worked in the field. During Covid I learnt Linux from the Arch wiki. Now I'm using it. I configured some things and can control my computer through the command line.
Every time I read comments like yours, I get the shivers. Did I miss something integral? What do I not know about? Especially network stuff is a blind spot for me. I didn't touch network stuff beyond the default wiki pages.
When I read comments like yours, "Arch is a minefield", "With Arch it is so easy to shoot yourself in the foot", I never know what this could be specifically. What could this look like? Can you give me something more concrete? I'm really eager to know what everyone is talking about.
by WHA8m
5/22/2025 at 11:18:16 AM
To be even more honest, it is what you make of it ¯\_(ツ)_/¯
by diggan
5/22/2025 at 12:50:25 PM
Windows is also what you make it with enough registry hacks, I'm not recommending it to anyone though.
by moffkalast
5/22/2025 at 1:18:26 PM
Well, but Windows comes with spyware by default and tries to actively keep it that way. A registry hack might stop working anytime. Windows is actively hostile to anything privacy related.
Arch comes with the default of do it yourself. Lots of footguns, but not hostile OS behavior. Great difference to me.
by lukan
5/23/2025 at 1:17:48 PM
This is a duplicate comment to increase my chance of getting a late reply :) Hope that's fine.
When I read comments like yours, "Arch is a minefield", "With Arch it is so easy to shoot yourself in the foot", I never know what this could be specifically. What could this look like? Can you give me something more concrete? I'm really eager to know what everyone is talking about.
Imagine me: I'd consider myself a Linux noob, although I probably am not anymore. I have used Arch Linux for about 3 years now as my daily driver. I'm not young anymore - I didn't grow up with computers - I don't have it in my blood. I don't have formal education in anything computer and have never worked in the field. During Covid I learnt Linux from the Arch wiki. Now I'm using it. I configured some things and can control my computer through the command line.
Every time I read comments like yours, I get the shivers. Did I miss something integral? What do I not know about? Especially network stuff is a blind spot for me. I didn't touch network stuff beyond the default wiki pages.
by WHA8m
5/22/2025 at 1:20:25 PM
Not really, sometimes it forces me to apply updates on shutdown/restart, even though I don't want to do it. None of the registry hacks seem to be able to disable this behavior. I've heard some people talking about a special distribution/version of Windows where you can disable this, but I don't really feel like re-installing the entire OS just so that when I boot into/away from Windows I don't get forced to wait for the slow update twice (one now, another in the future when I boot Windows next time).
All because Ableton cannot be bothered to support Linux :/ I understand that though, it just sucks...
by diggan
5/22/2025 at 2:20:35 PM
Arch has been bliss for me. I'm heavy on Flatpaks and primarily use Arch as a base operating system with very minimal config changes.
by s_ting765
5/22/2025 at 4:24:54 PM
I'm in the market for a decent laptop. Don't want to side-line the thread, but is Arch supported decently on, say, Dell or any "enterprise grade" laptops?
by karambahh
5/23/2025 at 1:21:34 PM
If in doubt, search the Arch forums for posts about the model you consider buying. Best case: some threads come up, but all problems could be solved. Worst case: no threads, or a lot of threads about obscure errors.
by WHA8m
5/22/2025 at 4:48:13 PM
Short answer to a pretty broad question: Yes
More color: I was happy running Arch on a 2012 vintage Dell Latitude (Intel, integrated graphics) for several years. I'm currently quite happy running Arch on a Lenovo Thinkpad T14s (gen2, AMD, integrated graphics).
Arch wiki does have many pages about arch-on-a-particular-model to help once you get a short list of models you're interested in, like this: https://wiki.archlinux.org/title/Lenovo_ThinkPad_T14s_(AMD)_...
by mos_basik
5/22/2025 at 4:54:39 PM
I haven’t tried much, but as long as you avoid Nvidia or fancy laptops with weird components, you will be good. My recommendation is to go for the business line, as they have more standardized peripherals. Better if there’s some Linux support guarantee.
by skydhash
5/22/2025 at 8:43:59 PM
I have a Dell Vostro 7620 currently running Arch. Even with the Nvidia graphics card I have run into very few issues (only once did an Nvidia driver update break the system), so I'd say go for it.
by Eavolution
5/22/2025 at 8:30:14 AM
This policy is missing from nixpkgs, although there is a similar policy for the build process for technical reasons.
So I can add spotify or signal-desktop to NixOS via nixpkgs, and they won’t succeed at updating themselves. But they might try, which would be a violation of Debian’s guidelines.
It’s a tough line — I like modern, commercial software that depends on some service architecture. And I can be sure it will be sort of broken in 10-15 years because the company went bust or changed the terms of using their service. So I appreciate the principles upheld by less easily excited people who care about the long term health of the package system.
by sshine
5/22/2025 at 8:49:20 AM
In the process of trying to update, Spotify on NixOS will likely display some big error message about how it's unable to install updates, which results in a pretty bad user experience when everything is actually working as intended. It seems fair to patch software to remove such error messages.
by mort96
5/22/2025 at 1:36:23 PM
To be fair, we (Nixpkgs maintainers) do remove or disable features that phone home sometimes even though it's not policy. That said, it would be nice if it was policy. Definitely was discussed before (most recently after the devbox thing I guess.)
by jchw
5/23/2025 at 6:04:38 AM
Discord downloads stuff every single time I start it. So there is definitely not a policy to remove this behaviour.
And yes, good point, this was indeed discussed when devbox enabled AI training by default. It somehow seems like there is more than one category of phoning home at play here, since it is obviously tolerated in other cases.
by sshine
5/23/2025 at 4:32:10 PM
What I mean is, it definitely isn't explicit policy to remove features that phone home; but, it is sometimes still done at the package maintainer's discretion. For things that are unfree all bets are off. (Removing or interfering with such code may be against the license.)
by jchw
5/22/2025 at 8:55:57 AM
I'm glad that opensnitch is available in Debian trixie too, to mitigate the issues that Debian has not found yet.
by pabs3
5/22/2025 at 2:28:37 PM
Why can't I get GNOME to stop calling home? (on a Debian installation) Each time I fire up my Debian VM with GNOME here on my OSX host system, Little Snitch pops up because of some weird connection to a GNOME web endpoint. One major pet peeve of mine.
by binaryturtle
5/22/2025 at 4:47:47 PM
You can ask the GNOME team if they'd accept a patch. They might be of the idea that patching stuff out is bad.
by LtWorf
5/22/2025 at 3:17:53 PM
Please send patches.
by 28304283409234
5/22/2025 at 10:22:30 AM
I was extremely disappointed to recently learn that visidata(1) phones home, and that this functionality has not been disabled in the Debian package, despite many people requesting its removal:
by vaporary
5/22/2025 at 1:41:05 PM
The maintainer’s responses in that thread are really frustrating. They just keep describing the bug as though the package’s behavior is acceptable.
I wonder what Debian’s process is for dealing with such maintainers.
I hope they make “no phone home” actual policy soon.
by hedora
5/22/2025 at 2:48:56 PM
Infuriating. The developer is just making excuses and refusing to address the users' actual concern. And why are they phoning home in the first place? What is this critical use case that requires this intrusion? "This daily count of users is what keeps us working on the project, because otherwise we have feel like we are coding into a void."
So, they wrote code to phone home (by default) and then digging in and defending it... just for their feelings? You've got to be kidding me!
by ryandrake
5/22/2025 at 8:09:25 PM
> So, they wrote code to phone home (by default) and then digging in and defending it... just for their feelings? You've got to be kidding me!
Is that better or worse than phoning home to serve ads?
Also, it feels misleading to me to call fetching a motd phoning home. You know Ubuntu does this too right? That feels more worthy of outrage than this.
If someone tells me, this software phones home, and it's not transmitting anything other than a ping; kinda feels like they're lying to me about what it's actually doing.
I'm not upset by the author wanting a bit of human connection to the people who enjoy his software. I empathize with the desire to see people enjoy the stuff I've made. Is it a privacy risk? Perhaps, but it's not even in the top 1k that I see daily. There are more important windmills to tilt at.
But... if you really just wanna be outraged; I recently wrote a DNS server that I use as the default for my home system. Currently it prints every request made, you might wanna try something like that. If you're that upset about this, you're gonna be blown away by what else is going on you didn't even know about.... and that's just DNS queries, it's not even the telemetry getting sent!
by grayhatter
5/22/2025 at 1:54:26 PM
This is one of my favorite things about Debian.
by JohnFen
5/22/2025 at 8:14:46 AM
It's not guaranteed that they manage to catch all the software that does this though :D
by guappa
5/22/2025 at 8:18:46 AM
Any such leftover behavior is going to be a reportable and fixable bug then.
by phoe-krk
5/22/2025 at 8:30:14 AM
I'm not sure it's explicitly in the policy or if any team can decide what to do…
by guappa
5/22/2025 at 8:49:04 AM
It isn't in policy yet, no.
by pabs3
5/22/2025 at 12:22:36 PM
It's not guaranteed that policies enforce every possible case though.
by gosub100
5/22/2025 at 10:57:03 AM
So they have their own Go fork?
Just one possible example, among many others that have telemetry code in them.
by pjmlp
5/22/2025 at 11:13:51 AM
No they don't. The formulation in TFA is a bit too generic - Debian will usually not remove any code that "calls home". There are perfectly valid reasons for software to "phone home", and yes, that includes telemetry. In fact, Debian has its own "telemetry" system:
Telemetry is perfectly acceptable as long as it is opt-in and does not contain personal data, and both apply to Go's telemetry, so there's no need for a fork.
by deng
5/22/2025 at 12:36:42 PM
> Telemetry is perfectly acceptable as long as it is opt-in and does not contain personal data
Telemetry contains personal data by definition. It just varies how sensitive & how it's used. Also it's been shown repeatedly that 'anonymized' is shaky ground.
In that popcon example, I'd expect some Debian-run server to collect a minimum of data, aggregate, and Debian maintainers using it to decide where to focus effort w/ respect to integrating packages, keeping up with security updates, etc. Usually ok.
For commercial software, I'd expect telemetry to slurp whatever is legally allowed / stays under users' radar (take your pick ;), vendor keeping datapoints tied to unique IDs, and sell data on "groups of interest" to the highest bidder. Not ok.
Personal preference: eg. a crash report: "report" or "skip" (default = skip), with a checkbox for "don't ask again". That way it's no effort to provide vendor with helpful info, and just as easy to have it get out of users' way.
It's annoying the degree to which vendors keep ignoring the above (even for paying customers), given how simple it is.
by RetroTechie
5/22/2025 at 12:46:19 PM
> Telemetry contains personal data by definition
Why does it have to include PII by definition? I'd say DNF Counting (https://github.com/fedora-infra/mirrors-countme) should be considered "telemetry", yet it doesn't seem to collect any personal data, at least by what I understand telemetry and personal data to mean.
I'm guessing that you'd either have to be able to argue that DNF Counting isn't telemetry, or that it contains PII, but I don't see how you could do either.
by diggan
5/22/2025 at 1:51:04 PM
IPs are PII. You hit the server, and your anonymity is breached.
by kevin_thibedeau
5/22/2025 at 2:08:53 PM
Yes, so the vendor must not store it. Something along those lines is usually said in the privacy policy. If you don't trust the vendor to do that, then do not opt-in to sending data, or even better, do not use the vendor's software at all.
by deng
5/22/2025 at 2:40:41 PM
Sometimes, we have to or we simply want to run software from developers we don't know or entirely trust. This just means that the software developer needs to be treated as an attacker in your threat model and mitigated accordingly.
I would argue that users can't inherently trust the average developer anymore. Ideas about telemetry, phoning home, conducting A/B tests and other experiments on users, and fundamentally, making the software do what the developer wants instead of what the user wants, have been thoroughly baked in to many, many developers over the last 20 or so years. This is why actually taking privacy seriously has become a selling point: It stands out because most developers don't.
by ryandrake
5/22/2025 at 5:45:15 PM
I can't argue that you are wrong, but I can argue that, for myself, if I don't trust a developer to not screw me over with telemetry, I cannot trust the developer to not screw me over with their code. I can't think of a scenario where this trust isn't binary, either I can trust them (with telemetry AND code execution), or I can't trust them with either. Could you describe what scenario I am missing?
by happysadpanda2
5/22/2025 at 7:33:37 PM
You’re not missing anything. In general, I don’t think you can really trust the vast majority of software developers anymore. Incentives are so ridiculously aligned against the user.
If you take the next step: “do not use software from vendors you don’t trust,” you are severely limiting the amount of software you can use. Each user gets to decide for himself whether this is a feasible trade off.
by ryandrake
5/22/2025 at 2:05:58 PM
The ongoing problem with popcon is that it's known not to be accurate, but since it's the data that's available, people make decisions based on it.
popcon is least likely to be turned on by:
- organizations with any kind of sensible privacy policy (which includes almost everyone running more than a handful of machines)
- individuals concerned about privacy
popcon is most likely to be turned on by Debian developers, and people new to Debian who have just installed it for the first time.
by dsr_
5/22/2025 at 3:20:40 PM
Yeah, isn't that a shame? Wouldn't it be nice if instead of catastrophizing that telemetry data is always only ever there to spy on us, we might assume that there are actually trustworthy projects out there? Especially for FOSS projects, which can usually not afford extensive in-house user testing, telemetry provides extremely valuable data to see how their software is used and where it can be improved, especially in the UX department, where much FOSS is severely lacking. This thread here is a perfect example of this kind of black/white thinking that telemetry must be ripped out of software no matter what, usually based on some fundamental viewpoint that anonymity is impossible anyway, so why bother even trying. This is not helping. I usually turn on telemetry for FOSS that offers it, because I hope they will use this to actually improve it.
by deng
5/22/2025 at 5:16:54 PM
Turning it on and being unable to turn it off aren't the same.
by LtWorf
5/22/2025 at 12:43:43 PM
> Telemetry contains personal data by definition.
No. Please look up the definition of "telemetry" and "personal data". The latter always refers to an identifiable person.
by deng
5/22/2025 at 1:31:14 PM
Virtually all anonymization schemes are reversible, so “identifiable” isn’t carrying any weight in your definition.
“Person” isn’t either, unless the software knows for sure it’s not being used by a person.
by hedora
5/22/2025 at 2:03:04 PM
By your definition, all data is PII.
by deng
5/22/2025 at 3:15:01 PM
Many corporate privacy policies per their customer contracts agree with this. Even a single packet regardless of contents is sending the IP address and that is considered by many companies to be PII. Not my opinion, it's in thousands of contracts. Many companies want to know every third party involved in tracking their employees. Deviating from this is a compliance violation and can lead to an audit failure and monetary credits. These policies are strictly followed on servers and less so on workstations but I suspect with time that will change.
by Bender
5/22/2025 at 3:29:01 PM
I can only repeat myself from above: it's about what data you store and analyze. By your definition, all internet traffic would fall under PII regulations because it contains IP addresses, which would be ludicrous, because at least in the EU, there are very strict regulations how this data must be handled.
If you have an nginx log and store IP addresses, then yes: that contains PII. So the solution is: don't store the IP addresses, and the problem is solved. Same goes for telemetry data: write a privacy policy saying you won't store any metadata regarding the transmission, and say what data you will transmit (even better: show exactly what you will transmit). Telemetry can be done in a secure, anonymous way. I wonder how people who dispute this even get any work done at all. By your definitions regarding PII, I don't see how you could transmit any data at all.
by deng
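The "don't store the IP addresses" point above, as an added example that is not from any commenter: a small scrubber for nginx "combined" access-log lines that removes the client address (or, as a weaker fallback, truncates it to a network prefix) before anything is persisted, plus a per-day request counter that never keeps a per-client record at all. The log lines are constructed samples; the regex, function names and the /24 and /48 prefix choices are this example's own assumptions.

```python
import re
import ipaddress
from collections import Counter
from typing import Optional

# nginx "combined" log format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (documentation-range addresses, invented client name).
SAMPLE_LOG = [
    '203.0.113.7 - - [22/May/2025:13:29:01 +0000] "GET /motd HTTP/1.1" 200 123 "-" "example-client/1.0"',
    '203.0.113.9 - alice [22/May/2025:13:30:44 +0000] "GET /motd HTTP/1.1" 200 123 "-" "example-client/1.0"',
    '2001:db8:1234:5678::1 - - [22/May/2025:13:31:02 +0000] "GET /motd HTTP/1.1" 304 0 "-" "example-client/0.9"',
    'garbage line that is not an access-log record',
]


def anonymize_ip(ip: str, mode: str) -> str:
    """Return what should be persisted in place of the client address.

    mode="drop":     replace it with "-" (the address is never stored; this is
                     the option the comment above argues for).
    mode="truncate": keep only the network prefix (/24 IPv4, /48 IPv6). This is
                     pseudonymisation, not anonymisation, so it is a fallback only.
    """
    if mode == "drop":
        return "-"
    if mode == "truncate":
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 48
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        return str(net.network_address)
    raise ValueError(f"unknown mode {mode!r}")


def scrub_line(line: str, mode: str = "drop") -> Optional[str]:
    """Rewrite one access-log line so it carries no client identity.

    Unparseable lines return None: they are discarded rather than written
    through unscrubbed, which is the safe failure mode for a log pipeline.
    """
    m = LOG_RE.match(line)
    if m is None:
        return None
    f = m.groupdict()
    f["ip"] = anonymize_ip(f["ip"], mode)
    f["ident"] = "-"
    f["user"] = "-"  # the authenticated user name is personal data as well
    return ('{ip} {ident} {user} [{time}] "{method} {path} {proto}" '
            '{status} {size} "{referer}" "{agent}"').format(**f)


def aggregate(lines) -> Counter:
    """Count requests per (day, path, status).

    This is all a daily usage counter needs; nothing per client is retained,
    so there is no address to leak later.
    """
    counts: Counter = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        day = m.group("time").split(":", 1)[0]  # "22/May/2025"
        counts[(day, m.group("path"), m.group("status"))] += 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        print(scrub_line(raw))
    for key, n in sorted(aggregate(SAMPLE_LOG).items()):
        print(key, n)
```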
5/22/2025 at 3:31:50 PM
> By your definitions regarding PII, I don't see how you could transmit any data at all.
On the server side you would not. Your application would just do the work it was intended to do and would not dial out for anything. All resources would be hosted within the data-center.
On the workstation it is up to the corporate policy and if there is a known data-leak it would be blocked by the VPN/Firewalls and also on the corporate managed workstations by IT by setting application policies. Provided that telemetry is not coded in a way to be a blocking dependency this should not be a problem.
Oh and this is not my definition. This is the definition within literally thousands of B2B contracts in the financial sector. Things are still loosely enforced on workstations meaning that it is up to IT departments to lock things down. Some companies take this very seriously and some do not care.
by Bender
5/22/2025 at 1:35:00 PM
> Telemetry is perfectly acceptable as long as it is opt-in and does not contain personal data, and both apply to Go's telemetry, so there's no need for a fork.
This changed somewhat recently. Telemetry is enabled by default (I think as of Golang 1.23?)
I am only aware since I relatively recently ran into something similar to this on a fresh VM without internet egress: https://github.com/golang/go/issues/68976
https://github.com/golang/go/issues/68946
If golang doesn't fully address this I guess Debian really should at least change the default (if they haven't already).
by enfuse
5/22/2025 at 1:46:03 PM
It creates telemetry data, but actually transmitting it is opt-in.
by deng
5/22/2025 at 1:51:08 PM
Attempts to contact external telemetry servers under the default configuration are the issue. That not all of the needlessly locally aggregated data would actually be transmitted is separate.
by enfuse
5/22/2025 at 11:06:39 AM
“Will remove” means that it’s one of the typical/accepted reasons why patches are applied by Debian maintainers, as in meaning 4 here [0], not that there is a guarantee of all telemetry being removed.
by layer8
5/22/2025 at 10:38:09 AM
One of the many reasons I switched from Ubuntu to Debian 2 years ago. Another reason was snap.
by lqet
5/22/2025 at 10:47:11 AM
Yup. Snap is emblematic of all the complexity Canonical bakes into Ubuntu.
by master_crab
5/22/2025 at 1:43:18 PM
That and the whole systemd stack. Canonical employees had enough votes to force it upstream into Debian.
I switched to Devuan. It’s great, but it sucks that the community split over something so needlessly destructive.
by hedora
5/22/2025 at 1:43:03 PM
Between snap and having completely different network implementations between "desktop" and "server" versions really made me fall back down the learning curve of nix.
Especially since I was novice at best before the systemd thing, and my Ubuntu dive involved trying to navigate all 3 of these pretty drastic changes at once (oh yeah, and throw containers on top of that).
I went into it with the expectation that it was going to piss me off, and boy did it easily exceed that threshold.
by beerandt
5/22/2025 at 1:09:55 PM
God, I wish someone would do this to Discord already. I'm so sick of updating it through my package manager every other day only for Discord to then download its own updates anyway.
Yes, I've disabled the update check. No, it doesn't solve the problem.
by mystified5016
5/22/2025 at 1:25:42 PM
This is no longer true.
Most obvious example is Firefox. The Debian Project allows Firefox to update outside the packaging system, automatically, at the whim of Firefox.
And there's the inclusion of non-Free software in the base install, which is completely against the Debian Social Contract.
The Debian Project drastically changed when they decided to allow Ubuntu to dictate their release schedule.
What used to be a distro by sysadmins for sysadmins, and which prized stability over timeliness has been overtaken by Ubuntu and the Freedesktop.Org people. I've been running Debian since version 3, and I used to go _years_ between crashes. These days, the only way to avoid that is to 1) rip out all the Freedesktop.Org code (pulseaudio, udisks2, etc.), and 2) stick with Debian 9 or lower.
by BarbaryCoast
5/22/2025 at 1:52:08 PM
> Most obvious example is Firefox. The Debian Project allows Firefox to update outside the packaging system, automatically, at the whim of Firefox.
No, it's not. Stable ships ESR, which has its update mechanism disabled. Same for Testing/Unstable. It follows standard releases, but autoupdate is disabled.
Even the official Firefox package for Debian from Mozilla has its auto-updates disabled and you get updates from the repository.
The only auto-updating version is the .tar.gz version which you extract to your home folder.
This is plain FUD.
Moreover:
Debian doesn't ship pulseaudio anymore. It's pipewire since forever. Many people didn't notice this, it was that smooth. Ubuntu's changes are not allowed to permeate without proper rigor (I follow debian-devel), and it's still released when it's ready. Ubuntu follows Debian Unstable, and Unstable suite is a rolling release, and they can snapshot it and start working on it whenever they want.
I've been using Debian since version 3 too, and I still reboot or tend my system only at kernel changes. It's way snappier w.r.t. Ubuntu with the same configuration for the same tasks, and is the Debian we all know and like (maybe sans systemd. I'll not open that can of worms).
by bayindirh
5/22/2025 at 9:17:41 PM
pulseaudio is default for at least the KDE desktop in current Debian stable. Trixie might change that, but it's not an official release yet
by redeeman
5/22/2025 at 3:18:45 PM
Firefox only updates on its own if installed outside of the package manager. This applies to Debian and its forks. If I click on Help -> About it says, "Updates disabled by your organization". I personally would like to see distributions suggest installing Betterfox [1] or Arkenfox [2] to tighten up Firefox a bit.
by Bender
5/22/2025 at 1:38:11 PM
Long time Debian fan, current Devuan user. I'm sure it still has its problems, but it feels nice and stable, especially on older hardware that is struggling with the times. (Thinkpad R61i w/ Core 2 Duo T8100 swapped in and Middleton BIOS)
by officeplant
5/22/2025 at 2:15:15 PM
> Most obvious example is Firefox. The Debian Project allows Firefox to update outside the packaging system, automatically, at the whim of Firefox.
It seems likely that you personally chose to install a flatpak or tar.gz version, probably because you are running an older, no longer supported version of Debian.
> These days, the only way to avoid that (crashes) is...
Running older unsupported versions with known never-to-be-fixed security holes isn't good advice, nor is ripping out the plumbing. It's almost never a great idea to start ripping out the floorboards to get at the pipes.
Pipewire seems pretty stable and if you really desire something more minimal it's better to start with something minimal than stripping something down.
Void is nice on this front for instance.
by michaelmrose