
Bug#1068778: marked as done (geoclue and gpsd are running by default (they aren't needed and could be used for location tracking))



Your message dated Wed, 24 Apr 2024 16:32:20 +0200 (CEST)
with message-id <1ffdb551-a9e9-7361-b524-31847de3c68e@sourcepole.ch>
and subject line Re: geoclue and gpsd are running by default (they aren't needed and could be used for location tracking)
has caused the Debian Bug report #1068778,
regarding geoclue and gpsd are running by default (they aren't needed and could be used for location tracking)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1068778: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068778
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: general

I wondered why Debian comes with geoclue-2.0 and gpsd running by default (which could be used for location tracking). Please do not install them by default or if you really must, please do not make them autostart.

At most it could be useful for a few users if it was installed but not enabled and not running by default (so just an option one could enable in the configs or which could be enabled by the user through a prompt). If it's running by default this also means that after upgrades it could be running again. This is a privacy issue, an undesired bloat service that requires to spend time to remove it, and a larger attack surface even if there was a proper and vulnerability-free permissions-management for GPS-location-access.

--- End Message ---
--- Begin Message ---
Hi mYnDstrEAm,

mYnDstrEAm wrote on Wed, 10 Apr 2024 22:54:04 +0000:

> Package: general
>
> I wondered why Debian comes with geoclue-2.0 and gpsd running by default (which could be used for location tracking). Please do not install them by default or if you really must, please do not make them autostart.
>
> At most it could be useful for a few users if it was installed but not enabled and not running by default (so just an option one could enable in the configs or which could be enabled by the user through a prompt). If it's running by default this also means that after upgrades it could be running again. This is a privacy issue, an undesired bloat service that requires to spend time to remove it, and a larger attack surface even if there was a proper and vulnerability-free permissions-management for GPS-location-access.

I'm closing this bugreport for the following reasons:

1. You write: "geoclue-2.0 and gpsd running by default". On my system:

       $ ps faux|grep gpsd|grep -v grep
       $

   -> that means that gpsd is not running by default and we do not have
   to fix that.

2. You write: "geoclue-2.0 and gpsd running by default". On my system:

       $ ps faux|grep geoclue|grep -v grep
       me         3089  0.0  0.0 234036  3100 ?        Sl   Apr20   0:00          \_ /usr/libexec/geoclue-2.0/demos/agent

       $ apt-cache rdepends geoclue-2.0 --installed
       geoclue-2.0
       Reverse Depends:
         redshift
         libqt5positioning5

   -> please check on your system, who depends on geoclue-2.0 and if
   you think it is necessary, create a wishlist bug report on those
   packages that you have installed that depend on geoclue-2.0.

   I might note that the geoclue-2.0 dependency is not hard for the
   packages I have installed, but a recommendation, so that I can still
   deinstall geoclue-2.0 if I think I do not want it:

       $ ( dpkg -s redshift ; dpkg -s libqt5positioning5 ) | grep geoclue-2.0
       Recommends: geoclue-2.0
       Recommends: geoclue-2.0

3. I assume that packages depending on geoclue-2.0 will possibly be able
   to get some info on where you are. In the case of redshift that'll
   probably be used to adjust your display brightness/color. That isn't
   privacy invasive as far as I can see. So again no problem -> no bug.

   In the same vein you could argue "packages should not use the network,
   because that can invade your privacy, since they *can* send some info
   about you and your device to somewhere". So yes, of course they can,
   but the question is *do they*? If they don't then there's no breach of
   privacy.

4. When you assign bug reports against "general" then it's very likely
   your bug report will be ignored, because nobody maintains a "general"
   package and thus nobody feels very much responsible for bugreports
   against the "general" pseudo package.

Thanks,
*t

--- End Message ---
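
Added example, not part of the thread or of Debian's tooling: the reply above separates a hard `Depends` from a removable `Recommends` by grepping `dpkg -s` output. This sketch does the same classification with exact package-name matching, so `geoclue-2.0-doc` is not mistaken for `geoclue-2.0`. The sample stanzas are constructed, and `example-locator` and `example-docs` are hypothetical packages.

```shell
#!/bin/sh
# Classify how packages reference a target package: a hard Depends blocks
# removal, while Recommends/Suggests do not.

# dep_kind TARGET: reads dpkg-status-style stanzas on stdin, prints "pkg field".
dep_kind() {
    awk -v target="$1" '
        /^Package:/ { pkg = $2 }
        /^(Pre-Depends|Depends|Recommends|Suggests):/ {
            field = $1; sub(/:$/, "", field)
            line = $0; sub(/^[^:]*:[ ]*/, "", line)
            n = split(line, alts, /[,|]/)       # entries and their alternatives
            for (i = 1; i <= n; i++) {
                name = alts[i]
                gsub(/^[ \t]+/, "", name)
                sub(/[ \t(:].*$/, "", name)     # drop version and arch qualifier
                if (name == target) { print pkg, field; break }
            }
        }
    '
}

# hard_dependents TARGET: packages that would have to go if TARGET is removed.
hard_dependents() {
    dep_kind "$1" | awk '$2 == "Depends" || $2 == "Pre-Depends" { print $1 }'
}

# installed_status: the same stanza format for every package dpkg knows about
# (Debian systems only). Use as: installed_status | dep_kind geoclue-2.0
installed_status() {
    dpkg-query -W -f='Package: ${Package}\nPre-Depends: ${Pre-Depends}\nDepends: ${Depends}\nRecommends: ${Recommends}\nSuggests: ${Suggests}\n\n'
}

# Constructed sample input; dependency lists are illustrative, not real data.
SAMPLE_STATUS='Package: redshift
Depends: libc6 (>= 2.34)
Recommends: geoclue-2.0

Package: libqt5positioning5
Depends: libc6 (>= 2.14)
Recommends: geoclue-2.0

Package: example-locator
Depends: geoclue-2.0 (>= 2.5), libc6

Package: example-docs
Suggests: geoclue-2.0-doc'

printf '%s\n' "$SAMPLE_STATUS" | dep_kind geoclue-2.0
```

An empty result from `hard_dependents` means the target can be removed without taking other packages with it.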
