as the person who pushed for the alpine core team (now TSC) to adopt a policy of rejecting telemetry features in alpine-packaged software, i have opinions on flathub
mostly i am concerned that pushing users to use vendor-provided builds distributed on flathub may be exposing users to harmful software misfeatures like telemetry in ways that they would not if those same users installed packages from a distribution which patches out these misfeatures as a matter of policy
i wish that flathub would explicitly ban telemetry and check for telemetry features during their review processes. i would be more likely to recommend flatpak in more cases if they did.
my philosophy here effectively boils down to a simple position: your computer should not be a rat.
to be clear: this policy only applies to software that has default-on telemetry. if it asks the end user if they consent to telemetry sharing, we don’t particularly care about that (as long as it is respecting user consent anyway, otherwise it’s a release-critical bug…)
my point here is that distributions sometimes do curation that upstream does not want, because the distribution is acting in the interests of its user base, while flathub is more about allowing upstreams to distribute their own builds.
do distributions need to curate all software? of course not.
but i would trust the alpine build of firefox to respect my privacy more so than the flathub one, because i know that we patch firefox to be compliant with our telemetry policy, and i know flathub does not have any such policy.
but why should a distribution care about telemetry?
distributions are advocates for user concerns, including and especially user privacy. or, at least in the idealized world, they would be using their role as curator in this way.
why do we, as curators, care about browser telemetry? well, the world is backsliding into fascism, and if your browser shares with its telemetry service that you searched for “misoprostol”, then your door might get kicked in.
as curators we have a responsibility to reduce harm potential.
@ariadne Do you know what if any policy Debian has on this sort of thing?
I've found myself using flatpak builds of Firefox in a few cases to work around bugs that Bookworm didn't backport fixes for, but was not thrilled about crash reporting being (apparently) impossible to completely disable. You can make it not automatically submit, but it'll still save the crashdump and ask if you want to submit it (leaving potential for a user to accidentally say yes)
@ariadne But I'm curious if they patched some of that out in the distro builds