• packages.debian.org wants cookies now ?!

    From Ian Jackson@3:633/10 to All on Wednesday, December 03, 2025 17:30:01
    I tried to look something up on packages.debian.org and I got an error
    page saying I needed to enable JS. Then after I had enabled JS (which
    I normally have disabled) I got an error page from Fastly saying I
    needed to enable cookies.

    I tried in a private browsing tab and it loaded the page. Evidently
    it has stored a cookie (but I'm not sure where in the firefox UI they
    have hidden this information). I can't seem to find any information
    about what these cookies are for.

    I think this is undesirable, unreasonable, and probably illegal in the
    European Economic Area.

    I know we're all being hammered by llm criminals but I don't think
    this is the answer.

    Ian.

    --
    Ian Jackson <ijackson@chiark.greenend.org.uk> These opinions are my own.

    Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
    that is a private address which bypasses my fierce spamfilter.

    --- PyGate Linux v1.5.1
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From tomas@3:633/10 to All on Wednesday, December 03, 2025 17:40:01
    On Wed, Dec 03, 2025 at 03:13:48PM +0000, Ian Jackson wrote:
    > I tried to look something up on packages.debian.org and I got an error
    > page saying I needed to enable JS. Then after I had enabled JS (which
    > I normally have disabled) I got an error page from Fastly saying I
    > needed to enable cookies.
    >
    > I tried in a private browsing tab and it loaded the page. Evidently
    > it has stored a cookie (but I'm not sure where in the firefox UI they
    > have hidden this information). I can't seem to find any information
    > about what these cookies are for.
    >
    > I think this is undesirable, unreasonable, and probably illegal in the
    > European Economic Area.
    >
    > I know we're all being hammered by llm criminals but I don't think
    > this is the answer.

    I think that's the reason too. I have no idea whether there is any
    defense from that LLM denial-of-service (if there _is_ one, I'd like
    to hear about it!). I'm somewhat surprised that they don't adapt
    (I mean: pretending to "be" a browser is a solved problem).

    I'm pretty annoyed by that, too.

    Cheers
    --
    tomas


  • From Michel Verdier@3:633/10 to All on Thursday, December 04, 2025 01:10:01
    On 2025-12-03, Ian Jackson wrote:

    > I tried to look something up on packages.debian.org and I got an error
    > page saying I needed to enable JS. Then after I had enabled JS (which
    > I normally have disabled) I got an error page from Fastly saying I
    > needed to enable cookies.

    Javascript on packages.debian.org is harmless and no cookie is used on
    it. I disabled cookies here (firefox 140.5.0esr-1~deb13u1) and no error
    page was triggered. What version do you use? And which extension do you
    use?

    Fastly seems related to https://blog.mozilla.org/en/firefox/partnership-ohttp-prio/

  • From Ian Jackson@3:633/10 to All on Friday, December 05, 2025 00:20:01
    Michel Verdier writes ("Re: packages.debian.org wants cookies now ?!"):
    > On 2025-12-03, Ian Jackson wrote:
    >> I tried to look something up on packages.debian.org and I got an error
    >> page saying I needed to enable JS. Then after I had enabled JS (which
    >> I normally have disabled) I got an error page from Fastly saying I
    >> needed to enable cookies.
    >
    > Javascript on packages.debian.org is harmless and no cookie is used on
    > it. I disabled cookies here (firefox 140.5.0esr-1~deb13u1) and no error
    > page was triggered. What version do you use? And which extension do you
    > use?

    I'm using firefox-esr as shipped in trixie. I have ublock origin
    enabled. In my usual browser, I have JS and cookies totally disabled
    by default.

    I think it is possible that it worked for you because you allow
    yourself to be surveilled more than I do. I find that compared to
    people with a more "normal" (less defensive) default configuration, I
    am more often asked to do more and more difficult captchas, get more
    "security alerts" about "new devices" using my accounts, get randomly
    blocked more often, etc.

    But, it is also possible that something random changed in Fastly.

    I observe that it works fine for me now in my normal browser, with JS
    and cookies disabled.

    So IDK if anyone did anything to fix this. If so, thanks.

    > Fastly seems related to https://blog.mozilla.org/en/firefox/partnership-ohttp-prio/

    I doubt that is related.

    Ian.

    --
    Ian Jackson <ijackson@chiark.greenend.org.uk> These opinions are my own.

    Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
    that is a private address which bypasses my fierce spamfilter.

  • From Chris Hofstaedtler@3:633/10 to All on Sunday, December 07, 2025 16:10:01
    * Ian Jackson <ijackson@chiark.greenend.org.uk> [251203 17:21]:
    > I think this is undesirable, unreasonable, and probably illegal in the
    > European Economic Area.

    Cookies are not per-se illegal in EEA, incl. when not explicitly
    being asked for with a "cookie consent box". This misconception is
    however common, and I'd wish we can stop spreading this
    misconception.

    Best,
    Chris

  • From Ian Jackson@3:633/10 to All on Sunday, December 07, 2025 16:50:01
    Chris Hofstaedtler writes ("Re: packages.debian.org wants cookies now ?!"):
    > Cookies are not per-se illegal in EEA, incl. when not explicitly
    > being asked for with a "cookie consent box". This misconception is
    > however common, and I'd wish we can stop spreading this
    > misconception.

    Cookies are often illegal. In this particular case, I think they are.
    (And the stupid "consent" popups don't make them legal.)

    Also they're probably personal data which the CDN don't have any
    lawful basis for processing.

    Ian.

    --
    Ian Jackson <ijackson@chiark.greenend.org.uk> These opinions are my own.

    Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
    that is a private address which bypasses my fierce spamfilter.
