[Whonix-devel] Which Debian packages leak information to the network?

Jakub Wilk jwilk at debian.org
Wed May 18 18:33:52 CEST 2016

* Patrick Schleizer <adrelanos at riseup.net>, 2016-05-18, 15:50:
>we are a privacy-centric distro based on Debian and wanted to know what 
>Debian packages leak information about the system to the network 
>without a user's consent/expectation.
>As documented on the page below, a system's security also depends on 
>avoiding leaking any identifiable information to network adversaries by 

python-requests used to include kernel version number in User-Agent. 
(And also Python version, but that's less exciting.) This was fixed 
upstream in 2.8.0:

pip leaks even more stuff in U-A:
$ python -c 'import pip; print pip.download.user_agent()'
pip/8.1.2 {"cpu":"x86_64","distro":{"libc":{"lib":"glibc","version":"2.7"},"name":"debian","version":"stretch/sid"},"implementation":{"name":"CPython","version":"2.7.11+"},"installer":{"name":"pip","version":"8.1.2"},"openssl_version":"OpenSSL 1.0.2h  3 May 2016","python":"2.7.11+","system":{"name":"Linux","release":"4.5.0-2-amd64"}}

(As a side note, I don't think this is RFC-2616-compliant...)

>Popcon, bts, wnpp-check are the noted examples

Could you explain how any of these tools leak any information "without a 
user's consent/expectation"?

Jakub Wilk

More information about the Whonix-devel mailing list