Q) What are the privacy considerations for popularity-contest?

A) Each popularity-contest host is identified by a random 128-bit uuid
   (MY_HOSTID in /etc/popularity-contest.conf). This uuid is used to
   track submissions issued by the same host. It should be kept secret.
   The reports are sent by email or HTTP to the popcon server.  The
   server automatically extracts the report from the email or HTTP and
   stores it in a database for a maximum of 20 days or until the host
   sends a new report. This database is readable only by Debian
   Developers.  The emails are readable only by the server admins.
   Every day, the server computes a summary and posts it on
   <>. This summary
   is a merge of all the submissions and does not include uuids.
   Known weaknesses of the system:
   1) Your submission might be eavesdropped. We are evaluating the possibility
   of using public-key cryptography to protect the submission while in
   2) Someone who knows that you are very likely to use a particular package
   reported by only one person (e.g. you are the maintainer) might infer you
   are not at home when the package is not reported anymore. However, this is
   only a problem if you are gone for more than two weeks if the computer is
   shut down, or 23 days if it is left idle.
   3) Unofficial and local packages are reported. This can be an issue
   due to 2) above, especially for custom-built kernel packages.
   We are evaluating how far we can alleviate this problem.
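
   A local check for the "should be kept secret" point above, as an added
   example that is not part of popularity-contest: it reads MY_HOSTID from a
   config file and warns if the value is malformed or the file is readable by
   other local users. It assumes the 128-bit id is written as 32 hexadecimal
   digits; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit how well MY_HOSTID is protected in a config file.
# Assumption: the 128-bit id is stored as 32 hexadecimal digits.

# Print the MY_HOSTID value from config file $1, surrounding quotes stripped.
popcon_hostid() {
    sed -n 's/^[[:space:]]*MY_HOSTID=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Succeed if $1 is exactly 32 hex digits (128 bits).
hostid_is_128bit() {
    case "$1" in
        *[!0-9a-fA-F]*|"") return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# Succeed if the group or other users have read permission on file $1.
readable_by_others() {
    # In "ls -l" output, char 5 is group-read and char 8 is other-read.
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ????r?????|???????r??) return 0 ;;
    esac
    return 1
}

# Return 0 if the file passes both checks, 1 on a warning, 2 if unreadable.
audit_popcon_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    id=$(popcon_hostid "$conf")
    status=0
    if ! hostid_is_128bit "$id"; then
        echo "WARN: MY_HOSTID is missing or not 32 hex digits"
        status=1
    fi
    if readable_by_others "$conf"; then
        echo "WARN: $conf is readable by other local users"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $conf"
    return "$status"
}

# Run the audit only when a path is given, e.g. /etc/popularity-contest.conf
[ "$#" -eq 0 ] || audit_popcon_conf "$1"
```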


