Package: systemd
Version: 232-25
systemd-resolved violates the Debian Free Software Guidelines because the
Google DNS servers are hardcoded into the source code of the application.
Line 894 in:
https://github.com/systemd/systemd/blob/e16cb2e4efaba83f47da8355adc65fd83bbe8327/configure.ac
The first violation is the "Distribution of License" which states: "The rights
attached to the program must apply to all to whom the program is redistributed
without the need for execution of an additional license by those parties."
This is violated as Google demands the acceptance of their proprietary license,
Google Terms of Service, which is an additional license:
https://policies.google.com/terms
The second violation is the "License Must Not Contaminate Other Software" part,
which states: "The license must not place restrictions on other software that is
distributed along with the licensed software." This is also violated due to the
need to accept the Google Terms of Service.
When the resolved application is run without a configuration overwriting the
default and it defaults to the hardcoded DNS fallbacks, the user MUST accept
the Google Terms of Service as is required by Google.
The hardcoded Google DNS fallback servers kick in when:
1. You do not have DNS set up via DHCP
2. You do not have DNS set up via /etc/resolv.conf
3. You are using systemd-resolved for internal DNS resolution
4. You have not configured systemd-resolved with a different policy for when no
discoverable DNS is available and /etc/resolv.conf contains nothing or invalid
entries.
Unless all four conditions are true, the default Google DNS servers are not
used.
However, there is a GREAT risk of a compromise of user privacy rights if the
application has a bug that results in the hardcoded values taking preference
even though one of the four conditions is met! This is not something easily
detected, and it poses a great risk to people such as journalists and others
who might be using a VPN connection. Also the default hardcoded settings could
result in a DNS leakage if configured wrongly by mistake.
Debian has no associations or partnership with the American company Google.
Running with Google DNS servers hardcoded into the Debian code is deeply
problematic as the company is not only known for violating people's privacy, but
also because the NSA has infiltrated Google's data centers, as revealed by the
Snowden documents:
https://www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html
Debian must not associate itself with a proprietary company like Google this
way as it clearly violates the Debian license.
If hardcoded defaults really are needed by Debian, which shouldn't be the case
as this is mostly only relevant for embedded systems without configuration
files, then we need an alternative to a proprietary American company.
Preferably Debian running its own DNS servers!
I recommend that systemd-resolved gets patched so that the hardcoded DNS
servers from Google are removed. If seriously needed, an alternative truly
"free" solution must be used instead.
An alternative solution is to remove systemd-resolved from the main system and
move it into the non-free section.
Kind regards
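
To check the fourth condition from the report on a given machine, the sketch below (an added example, not part of the original report or of systemd) parses resolved.conf and its drop-ins and reports whether a FallbackDNS= assignment overrides the compiled-in list. It assumes the file locations and the empty-assignment reset behaviour described in resolved.conf(5); the addresses in SAMPLE are constructed documentation addresses.

```python
import glob
import os
from pathlib import Path

# Paths follow resolved.conf(5); treat them as assumptions for your distribution.
MAIN_CONF = "/etc/systemd/resolved.conf"
DROPIN_DIRS = ["/usr/lib/systemd/resolved.conf.d",
               "/run/systemd/resolved.conf.d",
               "/etc/systemd/resolved.conf.d"]
# Constructed sample: a drop-in clears the list that the main file had set.
SAMPLE = ["[Resolve]\nFallbackDNS=192.0.2.53\n", "[Resolve]\nFallbackDNS=\n"]

def effective_fallback(texts):
    """Return None if FallbackDNS= is never assigned (compiled-in list applies),
    else the configured servers; an empty list means the fallback is disabled."""
    servers = None
    for text in texts:                      # texts are given in parse order
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":
                continue                    # blank line or comment
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
                continue
            key, sep, value = line.partition("=")
            if section != "Resolve" or not sep or key.strip() != "FallbackDNS":
                continue
            value = value.strip()
            # Empty assignment resets the list; non-empty ones accumulate.
            servers = (servers or []) + value.split() if value else []
    return servers

def verdict(servers):
    if servers is None:
        return "compiled-in fallback servers apply"
    return "fallback disabled" if not servers else "fallback: " + " ".join(servers)

def config_texts():
    """Main file first, then drop-ins by file name (/etc beats /run beats /usr/lib)."""
    dropins = {}
    for d in DROPIN_DIRS:
        for path in glob.glob(os.path.join(d, "*.conf")):
            dropins[os.path.basename(path)] = path
    paths = [MAIN_CONF] + [dropins[n] for n in sorted(dropins)]
    return [Path(p).read_text(encoding="utf-8") for p in paths if Path(p).is_file()]

if __name__ == "__main__":
    print("sample:", verdict(effective_fallback(SAMPLE)))
    print("this host:", verdict(effective_fallback(config_texts())))
```

A result of "compiled-in fallback servers apply" only says that no configuration file overrides the build-time default; which servers that default contains depends on how the package was built.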