Andrey Rahmatullin <w...@debian.org> writes: > Maybe it's time to document it in the Policy.
I think it would be a good idea, but it's some work because of the edge cases. Some of the things found by the Lintian check are tedious to fix (unless maybe we can write a tool?) and make it more annoying to package some software for Debian, so we should be clear on the project consensus on how much work we want people to do. For example, documentation HTML pages that load styles or JavaScript (for mobile support for instance) from a CDN are a privacy leak, as are web applications whose web pages similarly include CDN links. To be clear, I think we probably do care about those things and do want to ask people to change them and use JavaScript packaged in Debian, but it's also important to not underestimate how much work that is, since the norm in the web page world is to pin to specific versions of these JavaScript libraries and common style files. There are some other edge cases that are closer to Norbert's question. For example, gnubg (which I package) uses www.random.org as a random number source by default (the upstream default, for various reasons that involve fewer arguments with people who are absolutely convinced gnubg wins against human players because it cheats on dice). I've not changed that, but one could make an argument that's a privacy leak as well (and feel free to convince me that I should change it). -- Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>