This bug isn't assigned to the tech ctte, but I'm going to go ahead and weigh in anyway since the thread is still in my mailbox demanding a response. :)

Anyway, the release team has now made their decision here, so it would again be in order to assign this to the TC if the submitter wishes to appeal that decision as well.

On Tue, Oct 28, 2008 at 02:41:41PM +0100, Giacomo A. Catenazzi wrote:
> Steffen Joeris wrote:
>> Maintainer:
>> --------------
>> The problem is as follows. The submitter sees the inclusion of the
>> getweb script as a violation of the DFSG. The script is provided by
>> upstream to download non-free firmware from his upstream webpage. The
>> package includes documentation in README.Debian and a GUI interface
>> (hannah-foo2zjs) around the getweb script for the user's
>> convenience. Some printers need this non-free firmware to run, others
>> don't. More information can be found in the bugreport. Could we
>> please ask you to settle this dispute?
>>
>> Submitter:
>> --------------
>>
>> The submitter sees the getweb script's dependencies on external
>> data/files as potentially dangerous. Once the package enters stable,
>> upstream changes (moving/modifying files, etc.) can break
>> functionality -- leading to a package that can no longer be considered
>> "stable." External dependencies also potentially leave users
>> vulnerable to security risks (the upstream site could be spoofed or
>> hijacked and malicious files hosted instead of the legitimate firmware
>> files). Also, the submitter views external dependencies as a possible
>> violation of the spirit of the Debian policy, which currently is not
>> explicitly clear on the issue. Section 2.2.1 says "... the packages
>> in main must not require a package outside of main for compilation or
>> execution (thus, the package must not declare a 'Depends',
>> 'Recommends', or 'Build-Depends' relationship on a non-main package)."
>> This makes the policy clear about "packages," but it does not address
>> dependencies on other external non-packaged non-free files. It is the
>> submitter's belief that Debian's policy should be reworded for clarity
>> on situations such as this.

> It is not a DFSG violation, because the files are not distributed
> by Debian, but I think it violates the policy.

> I think Debian should not assume a machine on the net, so I
> would interpret "main" in the stricter way.

Examining the package directly, here's what I've found:

- getweb is an optional script included in the package that can be used to
  download certain non-free files from the upstream website.

- The script is not run by default from the maintainer scripts when
  installing the package.

- Running the script is not required for the operation of the package in the
  general case: the package has a significant use case in terms of the
  printers it supports which don't require non-free downloads, and probably
  even a majority use case (though I'm personally not sure the latter is a
  distinction that should matter for inclusion in main).

- However, hannah-foo2zjs in contrast exists only to be a graphical firmware
  downloader; while its description has a disclaimer that "this software
  [...] can potentially install non-free software", the reality appears to be
  that this is the /only/ thing that this package is useful for.

So I think the presence of the getweb script in the package is not an RC bug, and perhaps not a bug at all. There are other packages in the archive that also optionally support pulling in data from websites, including pciutils (/usr/bin/update-pciids), and while there are probably ways to improve this, I don't see any reason it should be treated as release-critical. (In the specific case of foo2zjs, one way the script could be improved is to not install these downloaded files under /usr/share/foo2zjs, since this leaves files behind in /usr/share not owned by any package and not cleaned up when foo2zjs is removed; I think the download location should be either /var/lib or /usr/local/share.)

As for hannah-foo2zjs, I think this is a more significant problem. AFAICS the contents of this package aren't even part of the upstream foo2zjs source, yet it's built from the Debian foo2zjs package, and creates a package that is only useful for downloading non-free firmware. I think it's clear that the maintainers should split this into its own source package - which should be trivial since the contents are entirely under debian/hannah-package/ to begin with - and move it to contrib. And I think this aspect /does/ warrant being treated as RC, although it's not the issue that was originally raised by the submitter.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[EMAIL PROTECTED]                                     [EMAIL PROTECTED]
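Added example, not the foo2zjs getweb script and not code from anyone in this thread: a minimal POSIX sh sketch of how a getweb-style fetcher could address the two concrete points raised above, namely that a spoofed or hijacked upstream site could serve malicious files in place of the firmware, and that downloads should land under /var/lib rather than /usr/share. The file names, the /var/lib/example-firmware directory, and the idea of pinning a SHA-256 digest in the package at build time are all assumptions made for illustration; the "download" is a local copy so the example runs offline.

```shell
#!/bin/sh
# Added example: a hypothetical hardened getweb-style fetch, not the
# foo2zjs script. Paths, names and the digest-pinning scheme are assumptions.
set -eu

# Install location: state under /var/lib, not /usr/share, so removing the
# package does not leave unowned files behind under /usr (assumed name).
FW_DIR="${FW_DIR:-/var/lib/example-firmware}"

# Portable SHA-256 of a file (GNU coreutils sha256sum, or Perl shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# fetch_verified SOURCE NAME EXPECTED_SHA256 [DEST]
# Retrieves SOURCE into a temp file, refuses it unless its SHA-256 matches
# the digest the packager pinned at build time, then installs it as
# DEST/NAME (mode 0644) and prints the installed path. A spoofed or hijacked
# upstream can change the bytes it serves but cannot make them match the pin.
# In a real script the retrieval line would be e.g. `wget -O "$tmp" "$src"`;
# here SOURCE is a local path so the example runs offline.
fetch_verified() {
    src="$1"; name="$2"; expected="$3"; dest="${4:-$FW_DIR}"
    tmp="$(mktemp)"
    cp "$src" "$tmp"
    actual="$(sha256_of "$tmp")"
    if [ "$actual" != "$expected" ]; then
        rm -f "$tmp"
        echo "checksum mismatch for $name (got $actual): refusing to install" >&2
        return 1
    fi
    mkdir -p "$dest"
    chmod 0644 "$tmp"
    mv "$tmp" "$dest/$name"
    echo "$dest/$name"
}

# Usage, with the digest taken from a table shipped in the package:
#   fetch_verified http://example.invalid/fw.img fw.img <pinned sha256>
```

The important property is that the trust decision is made against a value shipped with the package (and therefore covered by the archive's own signatures), not against whatever the remote host happens to serve today; a pin also turns a silent upstream file change in stable into a loud, explicit failure rather than a broken printer.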