[tor-dev] Debian popcon as a vulnerability?

Griffin Boyce griffin at cryptolab.net
Sat Sep 13 23:17:11 UTC 2014

Hello all!

   I am wondering whether to force-uninstall Debian's popularity-contest 
package as part of Stormy's installation process. It would be good to 
have an idea how popular Stormy is, but on the other hand, I'm not sure 
how anonymous the reporting is on Debian's end.

   This is also relevant for users of the tor package, who might also be 
at mild risk (though far less so because the number of users is so high, 
and doesn't reveal location of location-hidden services).

   Anyone have opinions on this? I'm leaning towards checking if 
popularity-contest is installed and then asking if the user would like 
it to be removed.  If y'all have other recommendations, please comment 
here or on the ticket.

Ticket: https://trac.torproject.org/projects/tor/ticket/13154


"I believe that usability is a security concern; systems that do
not pay close attention to the human interaction factors involved
risk failing to provide security by failing to attract users."
~Len Sassaman

More information about the tor-dev mailing list