[Foo2zjs-maintainer] Bug#449497: foo2zjs: application depends on non-free firmware
Joost Yervante Damad
andete at debian.org
Sun Oct 26 06:38:51 UTC 2008
Hello all,
>
> ok, my point is that dependencies on external data/files are
> potentially dangerous. if the maintainer of the upstream site makes
> changes (as has been done in the past with foo2zjs), then the package
> no longer works as intended. if someone replaces the upstream files
> with malicious code, then you have a security issue. both of these
> problems are normally considered grave, and for good reason -- hence
> this is a grave problem as well. why would you risk exposing users to
> these problems if you can take steps now to eliminate them?
>
> debian main should have no external dependencies (that is what contrib
> is for). and maybe the text of the debian policy doesn't make this
> 100% clear right now, but it is within its spirit. if it is too easy
> to misinterpret the intent, then the wording should be updated for
> clarity.
>
> it is my belief that the getweb script must be removed from the package.

I understand your sentiment, and it is indeed a "grey" area situation. If I
take policy literally, I think this package is fine in main, but it is not as
simple...

In order to get this bug rolling (and lenny released ;-) ), can you all live
with me splitting up the package into two packages:

1) foo2zjs: this contains everything, and lives in main, which Suggests:
2) foo2zjs-contrib: this contains getweb

I know a package with just a script is not nice, but it is more in the spirit
of the debian policy indeed.

thanks, Joost