Does "geoclue" pose a security issue?

Who needs it and why?

pkg info geoclue

geoclue-2.7.1_1
Name : geoclue
Version : 2.7.1_1
Installed on : Sat Aug 24 20:56:14 2024 PDT
Origin : net/geoclue
Architecture : FreeBSD:14:amd64
Prefix : /usr/local
Categories : net gnome devel
Licenses : LGPL21 and GPLv2
Maintainer : desktop@FreeBSD.org
WWW : https://gitlab.freedesktop.org/geoclue/geoclue/wikis/home
Comment : D-Bus service that provides location information
Options :
DEMO : on
DOCS : on

Description :
Geoclue is a D-Bus service that provides location information. The primary goal of
the Geoclue project is to make creating location-aware applications as simple as
possible, while the secondary goal is to ensure that no application can access location
information without explicit permission from user.


I think that "geoclue" is part of the xfce installation. It cannot be delete because it's one of dependencies of xfce.

pkg delete geoclue

Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 7 packages (of 0 packages in the universe):

Installed packages to be REMOVED:
geoclue: 2.7.1_1
libgepub: 0.6.0_5
thunar: 4.18.11
webkit2-gtk3: 2.34.6_10
xfce: 4.18_1
xfce4-desktop: 4.18.1_4
xfce4-tumbler: 4.18.2_2

Number of packages to be removed: 7

The operation will free 98 MiB.
 
The answer to your question is in the description isn’t it?

It is for applications that try to determine the user’s geographic location for e.g. weather information.
 
The answer to your question is in the description isn’t it?
I think the OPs point was that, perhaps, this shouldn't be a MANDATORY part of XFCE.

Perhaps offering a dummy geoclue that lies about your location for folks who wish to not be so revealed? (or, does geoclue already include support for such a lie?)
 
If I want to know what weather is like, I go outside :-)

From old geoip to new geoclue, in almost 20 years. That's is a long development cycle for "whereami@" utility :-)

Tho, If someone wants to know whereami@ they should at least ask me first and not my ISP - hehe
 
Looks like location and specific parts of geoclue can be disabled via conf.d override and a quick look at the sample conf

Apparently this should report something if geoclue can get a location (just times-out for me):

Code:
/usr/local/libexec/geoclue-2.0/demos/where-am-i

This conf looks like it'll disable location:

Code:
/usr/local/etc/geoclue/conf.d/99-disable.conf

Code:
[network-nmea]
enable=false

[3g]
enable=false

[cdma]
enable=false

[modem-gps]
enable=false

[wifi]
enable=false
url=http://localhost/

[compass]
enable=false
 
It cannot be delete because it's one of dependencies of xfce.
It isn't a dependency of xfce. It is a configurable option in both www/webkit2-gtk3 and www/webkit2-gtk4. You use one of those for Xfce, that is why it cannot be deleted. The way to get rid of geoclue is to switch off the option in www/webkit2-gtkN, then rebuild and reinstall both webkit2 and xfce4.

Consider it one more good reason to use ports instead of packages!
 
Back
Top