On Fri, Apr 8, 2022 at 2:10 AM Paul Wise <p...@debian.org> wrote:

> On Thu, 2022-04-07 at 12:39 +0200, Oliver Falk wrote:
>
> > IMHO, the current solution doesn't really provide more security.
>
> It's about not asking browsers to do third-party requests, which is the
> policy for all Debian domains (where possible) and yes isn't a security
> issue, but it is a privacy and trust issue.
>

Fair point and if that's the policy, it's perfectly fine.


> > Currently, what happens is that the local CGI script is actually
> > called with the mail address instead of the hash, which I'd see as a
> > bigger issue.
>
> That issue does need to be fixed yeah, please file a separate bug
> report about that issue.
>

I thought about this again and well, this would actually break the
federation :-{


> > Note that Libravatar has a privacy policy in
> > place: https://www.libravatar.org/privacy/
>
> This privacy policy and your practices are different to Debian's, for
> example we don't log IP addresses by default, we don't use cookies or
> JavaScript by default, we prefer to use static HTML by default, we have
> Tor Onion sites, we delete old logs after a short period of time etc.
>
> > Libravatar is a community driven project with a lot of eyes on it and
> > we're fully committed to stay neutral; Read: We're not going to share
> > or sell data.
>
> I expect the Libravatar community is definitely trustworthy in general,
> but visitors to Debian websites shouldn't have to review the privacy
> policies and trustworthiness of third-parties when visiting our sites.
>

Again, fair point!

[ ... ]


> > Without digging much into it (esp. because I don't have the relevant
> > modules + config in place), I'd say the script should work; No idea
> > why it's currently throwing a server error.
>
> The script in the git repository has execute permissions, but the
> script on the server does not and this is reflected in the server logs.
> Other folks on the IRC channel said it has been disabled due to
> overloading the server, referring me to previous discussions.
>

OK, that explains the server error.


> > > so I'll leave it up to the Debian BTS admins to check and respond
> > > and maybe re-enable execution of the script again.
> > Thanks for checking!
>
> The Debian BTS admin has confirmed that the script needs fixing:
>
> <dondelelcaro> pabs: yeah, the design of libravatar.cgi needs to be
> readdressed before it gets re-enabled
>

Again, if I know exactly what is requested, I'm happy to help out with my
coding knowledge!

Oliver
