#Debian has been moving more towards the deb.debian.org mirror which is provided by a single CDN company, #Fastly. It works well, but also feeds an enormous amount of #metadata to a single company, and it can be used to track computers and maybe even people. And the privacy policy in effect is unclear. Fastly says the #privacy policy of the "subscriber" applies, but the privacy policy for deb.debian.org is not listed anywhere I could find. Anyone have any insight here?
@miyuru Does the AWS mirror have a clearer privacy policy somewhere? That front page is just as minimal as the Fastly one.
@eighthave there is https://www.debian.org/mirror/list with lots of alternatives.
@eighthave I don’t even know *why* this happened, really. I cannot imagine the mirror scripts/lists take that much effort to maintain. We’ll keep on providing a mirror and keep on only using what little logs there are for looking at faults or unusual usage.
@interpipes @eighthave Well, maintaining a list of geographically diverse, "blessed" mirrors of consistent quality (that is, good enough to have ftp.*.debian.org point at them without having too many users complain) does take a lot of effort, that no one seems to really be interested in sustaining. The Debian System Administrators (the people who maintain the debian.org systems, and on whom the maintenance of the mirror list has fallen "by default") have decided to focus on maintaining the backends for a couple of CDNs for the user-facing services blessed by debian.org instead.
https://mirror-master.debian.org/status/mirror-status.html gives an idea of the breadth of the issue (for instance, look at the random assortment of versions for the sync scripts). That set of monitoring scripts is what's used to generate the list of mirrors that's shipped with the debian-installer.
As for the deb.debian.org fastly config, it's all in git: https://salsa.debian.org/dsa-team/mirror/cdn-fastly/-/blob/master/services/archive.yaml?ref_type=heads
@olasd @interpipes I understand why DSA would make that choice, I'm not faulting them. My goal is to raise awareness of the advantages and disadvantages of each approach, and to increase user privacy. That requires transparency about what happens with the data and metadata, and commitments from any organizations running the mirrors.
@eighthave @neil As far as I know, Fastly chooses not to store logs but instead allows customers to have them forwarded directly to their own storage endpoint.
@andydavies @neil that would be nice, do you have any documentation on that?
@eighthave @neil This is the clearest statement I know on the subject of customer request logs https://docs.fastly.com/en/guides/data-management#customer-request-logs
I’ve also had discussions with Fastly where they’ve talked about how they don’t want to store customer request log data for privacy reasons.
@andydavies @neil I'm looking for actual privacy policies since those would be legally binding and the company could be held liable for violations. I've seen a lot of language like that; it promises little, since it has broad, vague exceptions like "except where explicitly stated in the Documentation and related to the functional performance of the services". Like, if some gov asks nicely for data, would handing it over be considered "functional performance of the services"?
@andydavies @neil Hi @eighthave, we have a lot more information about our trust/privacy practices and our ethical standards on our website: https://www.fastly.com/solutions/customer-trust
and our privacy/data processing policies are on our website too:
* https://www.fastly.com/privacy/
* https://www.fastly.com/data-processing
@haubles @andydavies @neil thanks, I've read through those already, and it is still difficult for me to say what data about deb.debian.org Fastly actually keeps and for how long. Here are the policies of some other Debian mirrors, which are much simpler but perhaps leave out a couple of key details like what log format they use.
* https://ftp.lysator.liu.se/datahanteringspolicy.txt
* https://plug-mirror.rcac.purdue.edu/info.html
* https://mirror.fcix.net/policy/
* https://mirror.ossplanet.net/
@eighthave there is also https://cdn-aws.deb.debian.org/ which is used by AWS.
I think deb.debian.org pointed to both previously, but now it's only using Fastly.