Privacy on package level

Hello,

we are currently re-evaluating a “privacy enhanced” repository for Parabola (another FSF endorsed OS), see this issue.

To see what other privacy-focused OSes are doing, I would like to ask:

  • What is done in PureOS to enhance the users’ privacy on the packaging level?
  • Are there any of the packages patched to be more privacy friendly?
  • Are any packages blacklisted due to privacy reasons?
  • Are there any privacy guidelines for packages to be in PureOS’ repositories or to be blacklisted/removed?

Thanks for your work and answer.

Giving 502 Bad Gateway. Could be temporary but you may want to look into that.

Firefox is. However Purism is changing their strategy on that in the near future.

Depends what exactly you mean by privacy. The whole ethos of excluding blobs from the system, never mind about the repository, is privacy enhancing. However that isn’t specifically blacklisting an open source package for privacy reasons.

By the way, I have no connection with Purism. If you want an answer from Purism, best to contact them explicitly via email. https://puri.sm/contact/

Yes, this was temporary. Thanks for the hint.

That the OS should be free is out of question. The question is, what can be done to enhance the users’ privacy beyond having a free OS.

Ok, wrote them an email. I will post the answer here.

Here is the answer I got:
João Azevedo joao.azevedo@puri.sm wrote on Thu, 13. Feb 20 15:24:

Hello Theova,

On 2/13/20 11:04 AM, theova wrote:

Hello,

I have posted the question in the forum 1 and was redirected to this
email.

Some of your questions are not completely clear but I’ll try to reply to
them as best I can.

we are currently re-evaluating a “privacy enhanced” repository for
Parabola (another FSF endorsed OS), see this issue 2.

To see what other privacy-focused OSes are doing, I would like to ask:

  • What is done in PureOS to enhance the users’ privacy on the packaging
    level?

This question is confusing. We draw most of the packages we use from
Debian Main repository.

By privacy on the packaging level you mean:

  • No telemetry on the user?
  • Zero knowledge from the distribution maintainers on what a user downloads?

  • Are there any of the packages patched to be more privacy friendly?

We maintained a fork of Firefox, but we are discontinuing that in
favor of GNOME Web

https://puri.sm/posts/an-epiphany-regarding-purebrowser/

  • Are any packages blacklisted due to privacy reasons?

We have some packages blacklisted for their licensing status not being
clear and some due to some dependencies being non free software.

  • Are there any privacy guidelines for packages to be in PureOS’
    repositories or to be blacklisted/removed?

Like I said above we draw our packages from Debian Main repository.

We do not have a contrib or nonfree repository

Thanks for your work and answer.


João Azevedo
Purism support