[Foo2zjs-maintainer] Bug#449497: foo2zjs dispute

Steve Langasek vorlon at debian.org
Tue Nov 4 04:45:27 UTC 2008


This bug isn't assigned to the tech ctte, but I'm going to go ahead and
weigh in anyway since the thread is still in my mailbox demanding a
response. :)

Anyway, the release team has now made their decision here, so it would again
be in order to assign this to the TC if the submitter wishes to appeal that
decision as well.

On Tue, Oct 28, 2008 at 02:41:41PM +0100, Giacomo A. Catenazzi wrote:

> Steffen Joeris wrote:
>> Maintainer:
>> --------------

>> The problem is as follows. The submitter sees the inclusion of the
>> getweb script as a violation of the DFSG. The script is provided by
>> upstream to download non-free firmware from his upstream webpage.  The
>> package includes documentation in README.Debian and a GUI interface
>> (hannah-foo2zjs) around the getweb script for the user's
>> convenience. Some printers need this non-free firmware to run, others
>> don't.  More information can be found in the bugreport. Could we
>> please ask you to settle this dispute?

>> Submitter:
>> --------------
>>
>> The submitter sees the getweb script's dependencies on external
>> data/files as potentially dangerous.  Once the package enters stable,
>> upstream changes (moving/modifying files, etc.) can break
>> functionality -- leading to a package that can no longer be considered
>> "stable."  External dependencies also potentially leave users
>> vulnerable to security risks (the upstream site could be spoofed or
>> hijacked and malicious files hosted instead of the legitimate firmware
>> files).  Also, the submitter views external dependencies as a possible
>> violation of the spirit of the debian policy, which currently is not
>> explicitly clear on the issue.  Section 2.2.1 says "... the packages
>> in main must not require a package outside of main for compilation or
>> execution (thus, the package must not declare a 'Depends',
>> 'Recommends', or 'Build-Depends' relationship on a non-main package)."
>>  This makes the policy clear about "packages," but it does not address
>> dependencies on other external non-packaged non-free files.  It is the
>> submitter's belief that Debian's policy should be reworded for clarity
>> on situations such as this.

> It is not a DFSG violation, because the files are not distributed
> by Debian, but I think it violated the policy.

> I think Debian should not assume a machine on the net, so I
> would interpret "main" in the stricter way.

Examining the package directly, here's what I've found:

- getweb is an optional script included in the package that can be used to
  download certain non-free files from the upstream website.
- The script is not run by default from the maintainer scripts when
  installing the package.
- Running the script is not required for the operation of the package in the
  general case: the package has a significant use case in terms of the
  printers it supports which don't require non-free downloads, and probably
  even a majority use case (though I'm personally not sure the latter is a
  distinction that should matter for inclusion in main).
- However, hannah-foo2zjs, in contrast, exists only to be a graphical
  firmware downloader; while its description has a disclaimer that "this
  software [...] can potentially install non-free software", the reality
  appears to be that this is the /only/ thing that this package is useful
  for.

So I think the presence of the getweb script in the package is not an RC
bug, and perhaps not a bug at all.  There are other packages in the archive
that also optionally support pulling in data from websites, including
pciutils (/usr/bin/update-pciids), and while there are probably ways to
improve this, I don't see any reason it should be treated as
release-critical.

(In the specific case of foo2zjs, one way the script could be improved is to
not install these downloaded files under /usr/share/foo2zjs, since this
leaves files behind in /usr/share not owned by any package and not cleaned
up when foo2zjs is removed; I think the download location should be either
/var/lib or /usr/local/share.)

As for hannah-foo2zjs, I think this is a more significant problem.  AFAICS
the contents of this package aren't even part of the upstream foo2zjs
source, yet it's built from the Debian foo2zjs package, and creates a
package that is only useful for downloading non-free firmware.  I think it's
clear that the maintainers should split this into its own source package -
which should be trivial since the contents are entirely under
debian/hannah-package/ to begin with - and move it to contrib.  And I think
this aspect /does/ warrant being treated as RC, although it's not the issue
that was originally raised by the submitter.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org
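As an added example (not the getweb script or any foo2zjs/Debian code), one mitigation for the two practical points raised in this thread, the spoofed or hijacked upstream site and the unowned files left under /usr/share: a downloaded firmware file is installed only if it matches a digest pinned inside the package, and it goes under /var/lib instead. The function names, the default destination and the sample file are assumptions.

```shell
#!/bin/sh
# Added example, not part of foo2zjs. Verifies a downloaded firmware
# file against a digest shipped in the package before installing it, so
# a spoofed or hijacked upstream site produces a refusal rather than an
# installed payload. Names and paths below are assumptions.

# fetch_firmware <url> <outfile>
# Plain download step (wget from the distribution); the security
# decision is made afterwards by install_firmware, not here.
fetch_firmware() {
    wget -q -O "$2" "$1"
}

# sha256_of <file> -> prints the hex SHA-256 digest
sha256_of() {
    sha256sum "$1" | awk '{ print $1 }'
}

# install_firmware <downloaded-file> <expected-sha256> [<destdir>]
# Installs the file (mode 0644) only if its digest matches the pinned
# value. Destination defaults to /var/lib/foo2zjs, a package-managed
# location, rather than /usr/share (the concern raised in the thread).
# Returns 0 on success, 1 on digest mismatch, 2 on a missing file.
install_firmware() {
    file="$1"; want="$2"; dest="${3:-/var/lib/foo2zjs}"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    name=$(basename "$file")
    got=$(sha256_of "$file")
    if [ "$got" != "$want" ]; then
        echo "refusing $name: digest $got does not match pinned $want" >&2
        rm -f "$file"          # do not leave an unverified blob behind
        return 1
    fi
    mkdir -p "$dest" && cp "$file" "$dest/$name" && chmod 0644 "$dest/$name"
}
```

A package using this would ship the pinned digest alongside the script, so that a changed or replaced upstream file fails closed instead of being installed silently.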
