Package: general
Severity: wishlist
Tags: security

Hi.
I think Debian has the following two problems (or rather its security-conscious users) with respect to software that gets into the system:

First, more and more packages install software which sneaks around the package manager (and thus typically around any security support from Debian) by downloading further code, plugins and so on. Examples include programs like firefox, thunderbird (both the add-ons and bad things like silently/automatically downloaded blobs such as OpenH264, even though the latter has been disabled in Debian :-) ) but also many others like josm, picard or ruby gems integration. For the user it's not really visible when he crosses the line where such plugins are simply proper Debian packages and where he gets binaries or other code from 3rd parties, which are out of any security support proper, and possibly even compromised. Unfortunately, doing something about this wouldn't be very easy, because it would require patching all these packages :-(

Second, there is a growing number of packages for which no sources are available (not talking about the Debian source package, but the sources of the software). Examples include steam, firmware packages and so on. This software is, for policy reasons, in non-free. Many non-free packages do, however, have their sources available and are in non-free for other reasons. One may not be happy about them not being DFSG compatible, but at least one can read their code and check for any backdoors or security holes. Examples include many documentation packages in non-free or software like unrar. I can understand that for some packages (typically the firmware packages) there is no alternative to having them - but I don't quite understand why Debian needs to ship packages (e.g. like steam) which are by no means necessary and install code into the system that's not only incompatible with the ideas of FLOSS but also not auditable.
Of course there are people who want to have these packaged and maintainers who are doing some good work on them, so maybe there can be a solution that fits both sides' needs: why not add another section which is, so to say, even "worse" than non-free, e.g. call it non-open (or some better name). This would contain any packages that contain anything (i.e. software) for which there are no sources, while anything else, where the software is available but just not DFSG compatible, would remain in non-free. A policy change should enforce that, of course. The benefit of this would be that it's far easier for users to rule out any non-open software, but still continue to use "just non-free" packages, which aren't perfect from their licensing but cannot contain anything evil (or at least one could find it in the code). With e.g. apt_preferences, one could still selectively allow certain such closed-source packages, e.g. firmware packages.

Thanks in advance for your consideration.

Sincerely,
Philippe
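An added illustration of the apt_preferences mechanism mentioned in the report (this is not part of the original bug report and not an existing Debian configuration). It assumes the proposed section exists as an archive component literally named non-open, which is hypothetical, and that it is listed in sources.list like any other component. The first stanza re-allows packages matching firmware-* from that component at the normal priority; the second pins every other package from the component to a negative priority, which apt never installs.

```text
# /etc/apt/preferences.d/no-non-open  (example file name, assumed)
# "c=non-open" refers to the hypothetical component proposed above.

# Allow firmware from the closed-source component at the usual priority.
# A named-package pin (glob patterns are allowed here) takes precedence over
# the general "Package: *" form, so this exception wins for firmware-* packages.
Package: firmware-*
Pin: release o=Debian,c=non-open
Pin-Priority: 500

# Block everything else that comes from that component: a priority below
# zero means apt will never install such a version, even if it is the
# only candidate.
Package: *
Pin: release o=Debian,c=non-open
Pin-Priority: -1
```

After dropping the file in place, `apt-cache policy <package>` shows the resulting pin priority per version and source, which is the quickest way to confirm that a closed-source package now has priority -1 while an allowed firmware package keeps 500. The same pattern works today against existing components (for example `c=non-free`) for users who want a coarser cut than the proposed split.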