Subject: Re: New global option: "no-home-callback"?
To: Greg Troxel <gdt@ir.bbn.com>
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
List: tech-pkg
Date: 10/26/2005 21:24:46

On Wed, 2005-10-26 at 19:41, Greg Troxel wrote:
>   I think this may be useful to earmark under a globally usable option, where
>   supported.  Any objections to the name "no-home-callback"?  I'm trying to
>   avoid the term "spyware" if possible, as that normally refers to things that
>   are quite a bit more malicious.
> 
>   no-home-callback        Disable automatic phone-home callbacks such as version checks.
> 
> I think that the appropriate course is to log all such callbacks in
> pkg-vulnerabilities, perhaps as 'home-callback' if it sends no
> application data (and spyware if it does) and disable such callbacks
> as bug fixes.  There could perhaps be an option to enable them.  By
> default people should not be subjected to such behavior.

vulnerabilities might be one way to do it (but if you patch the package
to not do this, it's not really "vulnerable" any more, is it?)

another approach would be something along the lines of the
ACCEPTABLE_LICENSES check.  

ACCEPTABLE_BEHAVIORS += phone-home-during-{build,install,run} ?

we might want to distinguish phone-home-during-build from
phone-home-during-execution.

I agree that the default behavior should be to abort the build and not
include the package in bulk binary builds, with a note explaining why.

quietly patching the package to not do the call-home doesn't really do
anything to discourage this behavior among package developers.

					- Bill