I think the problem is worse than Paul Wise outlines. The package description claims anonymity. This is only true if it cannot be trivially defeated.
The common use case for equivs is to create a package based on the hostname. Gladly popcon gives us numbers[1]. So about 8% of the submitters are using equivs. (Some machines will use packages generated using equivs without actually having installed equivs.) Let's assume that half of them employ a metapackage based on the hostname. The hostname is kind of public. It occurs in message-ids, bug reports, etc. So using this scheme we can almost trivially deanonymize 4% of the users.

Another case is looking at packages whose versions are newer than sid or experimental. Most likely the machine owner is the maintainer or an uploader. This also works for mentors and for them probably even better, because their packages tend to wait for a long time until being uploaded. A quick grep on the maintainer field shows about 2000 different maintainer addresses. Let's guess every fourth maintainer is using pop-con and can be deanonymized using this technique. Another 0.5%.

These numbers are low for the general but still alarming. The risk of being deanonymized is way higher for maintainers or developers unless they are aware of the problem and work around[2] it or simply remove popcon.

Please remove the false anonymity claim until this is fixed as it leads users into wrong beliefs. I therefore suggest upgrading severity to rc-ness.

Imo the default for popcon should be only listing packages that originate from Debian. Everything else is none of our business. Unfortunately I cannot provide a solution or patch. For instance the Origin field (in dpkg-query --showformat) does not help here. An option might be to use aptitude search '~i ~ODebian' -F '%p'. (Thanks Paul!) This would introduce a dependency on aptitude.

Helmut

[1] http://qa.debian.org/popcon.php?package=equivs
[2] http://bonedaddy.net/pabs3/log/2012/10/29/thoughts-on-debian-testing/
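Added example, not part of the original message and not popularity-contest's own code: a self-audit that reduces a popcon report to packages known to come from the Debian archive, the default proposed above. The report line layout (atime, ctime, package, file), the function name and all sample data are assumptions constructed for illustration; it checks package names only, not versions newer than the archive.

```python
import socket

# Constructed sample report; the layout "atime ctime package file" is assumed.
SAMPLE_REPORT = """\
POPULARITY-CONTEST-0 TIME:1351500000 ID:0123456789abcdef0123456789abcdef ARCH:amd64
1351400000 1340000000 bash /bin/bash
1351300000 1340000000 equivs /usr/bin/equivs-build
0 0 alderaan-meta <NOFILES>
1351200000 1350000000 mytool /usr/bin/mytool
END-POPULARITY-CONTEST-0 TIME:1351500000
""".splitlines()

# Constructed stand-in for the set of binary package names in the archive.
SAMPLE_ARCHIVE = {"bash", "equivs", "coreutils"}


def split_report(lines, archive_names, hostname=None):
    """Return (kept_lines, dropped) where dropped is a list of (name, reason)."""
    host = (hostname or socket.gethostname()).split(".")[0].lower()
    kept, dropped = [], []
    for line in lines:
        # Header and trailer carry no package names; keep them as they are.
        if line.startswith(("POPULARITY-CONTEST", "END-POPULARITY-CONTEST")):
            kept.append(line)
            continue
        fields = line.split()
        if len(fields) < 3:
            # Fail closed: a line we cannot parse is not submitted.
            dropped.append((line, "unparsable"))
            continue
        pkg = fields[2]
        if pkg in archive_names:
            kept.append(line)
        elif host and host in pkg.lower():
            # Hostname-based metapackage, the equivs case from the message.
            dropped.append((pkg, "hostname in name"))
        else:
            dropped.append((pkg, "not in archive"))
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = split_report(SAMPLE_REPORT, SAMPLE_ARCHIVE, hostname="alderaan")
    for name, reason in dropped:
        print(f"withheld: {name} ({reason})")
```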