[Foo2zjs-maintainer] Bug#449497: foo2zjs: application depends on non-free firmware

Michael Gilbert michael.s.gilbert at gmail.com
Sun Oct 26 21:57:41 UTC 2008


severity 449497 serious
thank you

i don't see how this bug can be considered anything less than serious.
as i explained in my last message, there are two potential grave
problems: security and breakage.  and even if neither of these
problems exists now, they certainly could arise during lenny's
lifetime.  in fact, we don't even know if the upstream files are fully
trustworthy right now.  also, someone could spoof the upstream site.
there are a lot of potential problems, which is why software in main
should not have external dependencies.  again, if these issues can be
resolved before the release, then they should -- they should not be
ignored.

also, i believe that by reducing the severity, you are covering up the
importance of this problem -- and those like it.  people in debian
really need to put some thought and consideration into the clarity of
the current policy on issues like this.  you are putting your users at
risk and reducing the reliability of the system.

some have argued that this issue shouldn't be considered a problem
since the majority of the package is dfsg-free.  this is an incorrect
interpretation.  if any part of a package is non-free, then the whole
package should be considered non-free until the offending component is
fully removed.

i am increasing the severity one more time to make sure that this bug
is given appropriate consideration by the release team.  it should be
up to them to mark it lenny-ignore, and if that is their decision, i
will not object.

otherwise, i believe that the only reasonable solution (that can be
completed in time for the release) is to remove getweb and add some
documentation on getting getweb upstream if the user needs it.




