Privacy Score for Addons

Hi everybody,

While there is an existing “Addon Security Rating” in the store, it is only concerned with the capabilities granted to the Docker container. I suggest adding a privacy score component to it that requires developers to declare which data is published/loaded to 3rd parties.

For example, just loading the official addon “Configurator” leads to 33 network requests, mostly external. The requests in this case are mostly for CDNs and fonts, which could easily be hosted within HA.

Having a score that penalizes these, and some potentially more egregious cases of privacy issues, would create more awareness for users and developers and in the long term lead to more secure addons.

Sounds like a self-reported rating.
Can't really trust self-reported items, only third-party verified ones, and even then the third party must be a verified trusted source.

I think that building a CDN and a worldwide font storage server are a bit beyond the scope of the HA project.

More so when the forum server can’t even cope with current demand.

I see your point, but at the moment we have neither.

HA is a largely volunteer-driven project, so having too hard requirements on contributions would hinder progress. But just having a self-report form would require people to think about these issues.

There is always the option to see the source, but since there is already the notion of an “official repository” and security score, I would like to see this quality control extend to privacy considerations - backend and frontend. On the front page, after all, there is "We like to keep your privacy private."

There is no need for any CDN. The main selling point of HA is that it is not hosted in the cloud. Every HA instance is perfectly capable of serving the content by itself. Since it's locally hosted, it's better than any CDN could ever be.

Hi @ggha

I have similar concerns to yours. Maybe you can check my recent forum post “Internet of Things Bill of Rights - any opinions?” and the associated issues and pull request that try to get that kind of information into the component documentation of home-assistant.