Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]


Groups > linux.debian.project > #14040 > unrolled thread

packages.debian.org wants cookies now ?!

Started byIan Jackson <ijackson@chiark.greenend.org.uk>
First post2025-12-03 17:30 +0100
Last post2025-12-07 16:50 +0100
Articles 6 — 4 participants

Back to article view | Back to linux.debian.project


Contents

  packages.debian.org wants cookies now ?! Ian Jackson <ijackson@chiark.greenend.org.uk> - 2025-12-03 17:30 +0100
    Re: packages.debian.org wants cookies now ?! <tomas@tuxteam.de> - 2025-12-03 17:40 +0100
    Re: packages.debian.org wants cookies now ?! Michel Verdier <listes@verdier.eu> - 2025-12-04 01:10 +0100
      Re: packages.debian.org wants cookies now ?! Ian Jackson <ijackson@chiark.greenend.org.uk> - 2025-12-05 00:20 +0100
    Re: packages.debian.org wants cookies now ?! Chris Hofstaedtler <zeha@debian.org> - 2025-12-07 16:10 +0100
      Re: packages.debian.org wants cookies now ?! Ian Jackson <ijackson@chiark.greenend.org.uk> - 2025-12-07 16:50 +0100

#14040 — packages.debian.org wants cookies now ?!

FromIan Jackson <ijackson@chiark.greenend.org.uk>
Date2025-12-03 17:30 +0100
Subjectpackages.debian.org wants cookies now ?!
Message-ID<LXXTP-6z7-9@gated-at.bofh.it>
I tried to look something up on packages.debian.org and I got an error
page saying I needed to enable JS.  Then after I had enabled JS (which
I normally have disabled) I got an error page from Fastly saying I
needed to enable cookies.

I tried in a private browsing tab and it loaded the page.  Evidently
it has stored a cookie (but I'm not sure where in the firefox UI they
have hidden this information).  I can't seem to find any information
about what these cookies are for.

I think this is undesriable, unreasonable, and probably illegal in the
European Economic Area.

I know we're all being hammered by llm criminals but I don't think
this is the answer.

Ian.

-- 
Ian Jackson <ijackson@chiark.greenend.org.uk>   These opinions are my own.  

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.

[toc] | [next] | [standalone]


#14041

From<tomas@tuxteam.de>
Date2025-12-03 17:40 +0100
Message-ID<LXY3v-6Cr-5@gated-at.bofh.it>
In reply to#14040

[Multipart message — attachments visible in raw view] — view raw

On Wed, Dec 03, 2025 at 03:13:48PM +0000, Ian Jackson wrote:
> I tried to look something up on packages.debian.org and I got an error
> page saying I needed to enable JS.  Then after I had enabled JS (which
> I normally have disabled) I got an error page from Fastly saying I
> needed to enable cookies.
> 
> I tried in a private browsing tab and it loaded the page.  Evidently
> it has stored a cookie (but I'm not sure where in the firefox UI they
> have hidden this information).  I can't seem to find any information
> about what these cookies are for.
> 
> I think this is undesriable, unreasonable, and probably illegal in the
> European Economic Area.
> 
> I know we're all being hammered by llm criminals but I don't think
> this is the answer.

I think that's the reason too. I have no idea whether there is any
defense from that LLM denial-of-service (if there _is? οne, I'd like
to hear about it!). I'm somewhat surprised that they don't adapt
(I mean: pretending to "be" a browser is a solved problem).

I'm pretty annoyed by that, too.

Cheers
-- 
tomás

[toc] | [prev] | [next] | [standalone]


#14042

FromMichel Verdier <listes@verdier.eu>
Date2025-12-04 01:10 +0100
Message-ID<LY54Z-bul-1@gated-at.bofh.it>
In reply to#14040
On 2025-12-03, Ian Jackson wrote:

> I tried to look something up on packages.debian.org and I got an error
> page saying I needed to enable JS.  Then after I had enabled JS (which
> I normally have disabled) I got an error page from Fastly saying I
> needed to enable cookies.

Javascript on packages.debian.org is harmless and no cookie is used on
it. I disabled cookies here (firefox 140.5.0esr-1~deb13u1) and no error
page was triggered. What version do you use? And which extension do you
use?

Fastly seems related to
https://blog.mozilla.org/en/firefox/partnership-ohttp-prio/

[toc] | [prev] | [next] | [standalone]


#14043

FromIan Jackson <ijackson@chiark.greenend.org.uk>
Date2025-12-05 00:20 +0100
Message-ID<LYqM9-q23-3@gated-at.bofh.it>
In reply to#14042
Michel Verdier writes ("Re: packages.debian.org wants cookies now ?!"):
> On 2025-12-03, Ian Jackson wrote:
> > I tried to look something up on packages.debian.org and I got an error
> > page saying I needed to enable JS.  Then after I had enabled JS (which
> > I normally have disabled) I got an error page from Fastly saying I
> > needed to enable cookies.
> 
> Javascript on packages.debian.org is harmless and no cookie is used on
> it. I disabled cookies here (firefox 140.5.0esr-1~deb13u1) and no error
> page was triggered. What version do you use? And which extension do you
> use?

I'm using firefox-esr as shipped in trixie.  I have ublock origin
enabled.  In my usual browser, I have JS and cookies totally disabled
by default.

I think it is possible that it worked for you because you allow
yourself to be surveilled more than I do.  I find that compared to
people with a more "normal" (less defensive) default configuration, I
am more often asked to do more and more difficult captchas, get more
"security alerts" about "new devices" using my accounts, get randomly
blocked more often, etc.

But, it is also possible that something random changed in Fastly.

I observe that it works fine for me now in my normal browser, with JS
and cookies disabled.

So IDK if anyone did anything to fix this.  If so, thanks.

> Fastly seems related to
> https://blog.mozilla.org/en/firefox/partnership-ohttp-prio/

I doubt that is related.

Ian.

-- 
Ian Jackson <ijackson@chiark.greenend.org.uk>   These opinions are my own.  

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.

[toc] | [prev] | [next] | [standalone]


#14054

FromChris Hofstaedtler <zeha@debian.org>
Date2025-12-07 16:10 +0100
Message-ID<LZoyB-13Gb-1@gated-at.bofh.it>
In reply to#14040
* Ian Jackson <ijackson@chiark.greenend.org.uk> [251203 17:21]:
>I think this is undesriable, unreasonable, and probably illegal in the
>European Economic Area.

Cookies are not per-se illegal in EEA, incl. when not explicitly 
being asked for with a "cookie consent box". This misconception is 
however common, and I'd wish we can stop spreading this 
misconception.

Best,
Chris

[toc] | [prev] | [next] | [standalone]


#14055

FromIan Jackson <ijackson@chiark.greenend.org.uk>
Date2025-12-07 16:50 +0100
Message-ID<LZpbj-13UD-9@gated-at.bofh.it>
In reply to#14054
Chris Hofstaedtler writes ("Re: packages.debian.org wants cookies now ?!"):
> Cookies are not per-se illegal in EEA, incl. when not explicitly 
> being asked for with a "cookie consent box". This misconception is 
> however common, and I'd wish we can stop spreading this 
> misconception.

Cookies are often illegal.  In this particular case, I think they are.
(And the stupid "consent" popups don't make them legal.)

Also they're probably personal data which the CDN don't have any
lawful basis for processing.

Ian.

-- 
Ian Jackson <ijackson@chiark.greenend.org.uk>   These opinions are my own.  

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.

[toc] | [prev] | [standalone]


Back to top | Article view | linux.debian.project


csiph-web