On Tue, Apr 5, 2016 at 3:48 PM, Steven Chamberlain wrote:
> The upstream maintainer of xscreensaver has explicitly asked Debian
> to stop shipping it, which is a shame of course:
> https://www.jwz.org/blog/2016/04/i-would-like-debian-to-stop-shipping-xscreensaver/

Hi Steven,

The above post was a response to a heated discussion in bug #819703 which was dominated and poisoned by trolls not representative of the Debian community and definitely not by the package maintainer. It is understandable that the upstream author got upset. On our side we must not consider emotional outbursts in our decisions, but let things cool down and look at the facts. Of course, he dislikes the ways some things are done in Debian, but that is nothing new, and is shared by many within the Debian community for that sake.

>
> It *is* still a free software project, based on freely-licensed works of
> many authors. Debian obviously may choose to ship it in any case, and
> I'm sure it will continue to do so in wheezy-lts and jessie.

Most definitely. We cannot rip out an important part of the desktop in a stable distribution.

>
> Removal from sid did sound extreme to me at first, but going forward,
> software projects do need an upstream maintainer, and currently he
> chooses to be hostile:
>
> Bug #819703 was a deliberate annoyance / anti-feature that impacted many

It was of very low impact and simply a small annoyance. The emotional response to this was way overboard.

> of our users, and will create work for the package maintainer and stable
> release managers to resolve. Even if it is only minor, it would not

Minor indeed.

> stand if Debian allowed that sort of thing to proliferate in all
> software in its stable releases.

If you fear that other upstreams would like to follow up and do the same, we have a general problem, not particularly with XScreenSaver.

>
> CVEs are not filed for security bugs and code commits don't seem to be
> split out individually in any public repository, making security support
> in stable releases problematic. (similar to the Oracle-MySQL situation)

The upstream author has been sending us (the package maintainers) notices of security bugs in private e-mail. Take the example of the famous incident last year: thanks to Jamie we had patched Debian almost as soon as he discovered the issue. The security fixes can normally be extracted and backported to stable, as long as we know about them, of course. Which happened for stable without further complication in this example.

>
> Newer upstream versions add advertising for the upstream maintainer's
> commercial ventures. The logos of DNA Lounge, DNA Pizza and Codeword

The pizza logo was added to the code in 5.18, some 8 years ago? It is referenced by the dnalogo hack, which is not even built. If you see any DFSG non-free stuff in our packages, please refer to bug reports.

> seem likely to be non-free by the DFSG. Their removal could further
> incense the upstream maintainer, more-so than removing the package.

This is pure speculation, not to base decisions on. Actually I don't think we have ever shipped the DNA logo hack. I don't even think it is built by default. We do remove it from the X11 app-default file, because there is no corresponding binary. This has never been a topic between us and upstream.

Generally, talking for the maintainers over the last years (I have been involved since 2007), we have an excellent relation with upstream. He doesn't approve of all decisions and compromises that we end up having to do in the packaging, however we share a common goal of giving a large audience access to an excellent piece of software.

>
> Thanks for your consideration.

I think I have considered the request carefully, and I don't see it as worth taking this further at the moment. If the factual situation changes, I will review it. For now I don't think we should be carried away by emotions and escalate it to a larger problem than it has to be.

Regards,
Tormod