Thanks for getting the ball rolling Patrick. Very useful discussion
python-requests: fixed upstream
pip: leaks info about system package versions.
gnome-calculator: sets cookie. Bug open upstream for 2 years but not fixed by devs. Workaround is being done with Flatpak restrictions.
weather applications: leak location data but none enabled by default
Notes:
Apparmor network filtering not supported by upstream stock kernels:
https://bugs.debian.org/712451
Some advocate using sandbox frameworks like flatpak for blocking leaky apps.
Debian probably needs a privacy team to audit all packages that send
data to the network and develop mitigation, configuration or patches
to counter these.
+10 I strongly support Paul’s plan to have a review team look through packages and engage upstream projects to clean up leaks. He is open to attending a brainstorm session at DebConf16 if someone organizes it.