Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > linux.debian.project > #14040 > unrolled thread
| Started by | Ian Jackson <ijackson@chiark.greenend.org.uk> |
|---|---|
| First post | 2025-12-03 17:30 +0100 |
| Last post | 2025-12-07 16:50 +0100 |
| Articles | 6 — 4 participants |
Back to article view | Back to linux.debian.project
packages.debian.org wants cookies now ?! Ian Jackson <ijackson@chiark.greenend.org.uk> - 2025-12-03 17:30 +0100
Re: packages.debian.org wants cookies now ?! <tomas@tuxteam.de> - 2025-12-03 17:40 +0100
Re: packages.debian.org wants cookies now ?! Michel Verdier <listes@verdier.eu> - 2025-12-04 01:10 +0100
Re: packages.debian.org wants cookies now ?! Ian Jackson <ijackson@chiark.greenend.org.uk> - 2025-12-05 00:20 +0100
Re: packages.debian.org wants cookies now ?! Chris Hofstaedtler <zeha@debian.org> - 2025-12-07 16:10 +0100
Re: packages.debian.org wants cookies now ?! Ian Jackson <ijackson@chiark.greenend.org.uk> - 2025-12-07 16:50 +0100
| From | Ian Jackson <ijackson@chiark.greenend.org.uk> |
|---|---|
| Date | 2025-12-03 17:30 +0100 |
| Subject | packages.debian.org wants cookies now ?! |
| Message-ID | <LXXTP-6z7-9@gated-at.bofh.it> |
I tried to look something up on packages.debian.org and I got an error page saying I needed to enable JS. Then after I had enabled JS (which I normally have disabled) I got an error page from Fastly saying I needed to enable cookies. I tried in a private browsing tab and it loaded the page. Evidently it has stored a cookie (but I'm not sure where in the firefox UI they have hidden this information). I can't seem to find any information about what these cookies are for. I think this is undesriable, unreasonable, and probably illegal in the European Economic Area. I know we're all being hammered by llm criminals but I don't think this is the answer. Ian. -- Ian Jackson <ijackson@chiark.greenend.org.uk> These opinions are my own. Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk, that is a private address which bypasses my fierce spamfilter.
[toc] | [next] | [standalone]
| From | <tomas@tuxteam.de> |
|---|---|
| Date | 2025-12-03 17:40 +0100 |
| Message-ID | <LXY3v-6Cr-5@gated-at.bofh.it> |
| In reply to | #14040 |
[Multipart message — attachments visible in raw view] — view raw
On Wed, Dec 03, 2025 at 03:13:48PM +0000, Ian Jackson wrote: > I tried to look something up on packages.debian.org and I got an error > page saying I needed to enable JS. Then after I had enabled JS (which > I normally have disabled) I got an error page from Fastly saying I > needed to enable cookies. > > I tried in a private browsing tab and it loaded the page. Evidently > it has stored a cookie (but I'm not sure where in the firefox UI they > have hidden this information). I can't seem to find any information > about what these cookies are for. > > I think this is undesriable, unreasonable, and probably illegal in the > European Economic Area. > > I know we're all being hammered by llm criminals but I don't think > this is the answer. I think that's the reason too. I have no idea whether there is any defense from that LLM denial-of-service (if there _is? οne, I'd like to hear about it!). I'm somewhat surprised that they don't adapt (I mean: pretending to "be" a browser is a solved problem). I'm pretty annoyed by that, too. Cheers -- tomás
[toc] | [prev] | [next] | [standalone]
| From | Michel Verdier <listes@verdier.eu> |
|---|---|
| Date | 2025-12-04 01:10 +0100 |
| Message-ID | <LY54Z-bul-1@gated-at.bofh.it> |
| In reply to | #14040 |
On 2025-12-03, Ian Jackson wrote: > I tried to look something up on packages.debian.org and I got an error > page saying I needed to enable JS. Then after I had enabled JS (which > I normally have disabled) I got an error page from Fastly saying I > needed to enable cookies. Javascript on packages.debian.org is harmless and no cookie is used on it. I disabled cookies here (firefox 140.5.0esr-1~deb13u1) and no error page was triggered. What version do you use? And which extension do you use? Fastly seems related to https://blog.mozilla.org/en/firefox/partnership-ohttp-prio/
[toc] | [prev] | [next] | [standalone]
| From | Ian Jackson <ijackson@chiark.greenend.org.uk> |
|---|---|
| Date | 2025-12-05 00:20 +0100 |
| Message-ID | <LYqM9-q23-3@gated-at.bofh.it> |
| In reply to | #14042 |
Michel Verdier writes ("Re: packages.debian.org wants cookies now ?!"):
> On 2025-12-03, Ian Jackson wrote:
> > I tried to look something up on packages.debian.org and I got an error
> > page saying I needed to enable JS. Then after I had enabled JS (which
> > I normally have disabled) I got an error page from Fastly saying I
> > needed to enable cookies.
>
> Javascript on packages.debian.org is harmless and no cookie is used on
> it. I disabled cookies here (firefox 140.5.0esr-1~deb13u1) and no error
> page was triggered. What version do you use? And which extension do you
> use?
I'm using firefox-esr as shipped in trixie. I have ublock origin
enabled. In my usual browser, I have JS and cookies totally disabled
by default.
I think it is possible that it worked for you because you allow
yourself to be surveilled more than I do. I find that compared to
people with a more "normal" (less defensive) default configuration, I
am more often asked to do more and more difficult captchas, get more
"security alerts" about "new devices" using my accounts, get randomly
blocked more often, etc.
But, it is also possible that something random changed in Fastly.
I observe that it works fine for me now in my normal browser, with JS
and cookies disabled.
So IDK if anyone did anything to fix this. If so, thanks.
> Fastly seems related to
> https://blog.mozilla.org/en/firefox/partnership-ohttp-prio/
I doubt that is related.
Ian.
--
Ian Jackson <ijackson@chiark.greenend.org.uk> These opinions are my own.
Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.
[toc] | [prev] | [next] | [standalone]
| From | Chris Hofstaedtler <zeha@debian.org> |
|---|---|
| Date | 2025-12-07 16:10 +0100 |
| Message-ID | <LZoyB-13Gb-1@gated-at.bofh.it> |
| In reply to | #14040 |
* Ian Jackson <ijackson@chiark.greenend.org.uk> [251203 17:21]: >I think this is undesriable, unreasonable, and probably illegal in the >European Economic Area. Cookies are not per-se illegal in EEA, incl. when not explicitly being asked for with a "cookie consent box". This misconception is however common, and I'd wish we can stop spreading this misconception. Best, Chris
[toc] | [prev] | [next] | [standalone]
| From | Ian Jackson <ijackson@chiark.greenend.org.uk> |
|---|---|
| Date | 2025-12-07 16:50 +0100 |
| Message-ID | <LZpbj-13UD-9@gated-at.bofh.it> |
| In reply to | #14054 |
Chris Hofstaedtler writes ("Re: packages.debian.org wants cookies now ?!"):
> Cookies are not per-se illegal in EEA, incl. when not explicitly
> being asked for with a "cookie consent box". This misconception is
> however common, and I'd wish we can stop spreading this
> misconception.
Cookies are often illegal. In this particular case, I think they are.
(And the stupid "consent" popups don't make them legal.)
Also they're probably personal data which the CDN don't have any
lawful basis for processing.
Ian.
--
Ian Jackson <ijackson@chiark.greenend.org.uk> These opinions are my own.
Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.
[toc] | [prev] | [standalone]
Back to top | Article view | linux.debian.project
csiph-web