[Foo2zjs-maintainer] Bug#503813: foo2zjs: getweb script depends on non-free firmware
Michael Gilbert
michael.s.gilbert at gmail.com
Fri Oct 31 12:41:25 UTC 2008
i'll go ahead and start the discussion since no one else is running
with it. this matter is rather urgent since the problem is now being
considered release-critical for lenny. i see three possible courses
of action:

1. ignore the problem: mark the bug wontfix
   rationale: the firmware fetching stuff is a small component of the
   package and the debian policy is not explicitly clear on the matter
   cons: leaves vector for possible security attacks and script can
   become non-functional (e.g. getweb has been non-functional for over a
   year in etch)

2. fix the problem now: either remove getweb completely or make a
   separate foo2zjs-contrib package with just getweb, and have this ready
   for the lenny release
   rationale: since getweb is a security risk and could break, it should
   be eliminated
   cons: less functionality for user. some work for the maintainer.

3. fix the problem later: same as above, but tag lenny-ignore
   rationale: same as above, but with limited time, this is the least
   path of resistance
   cons: same as above, but leaves users vulnerable during the lenny time frame.

there is also the matter of whether the policy should be clarified for
this type of situation -- and whether all other cases of fetching
scripts should be tagged release-critical. i will leave this for
further discussion since it isn't so urgent.

let me again stress that action is URGENT since this is
release-critical for lenny.

regards,
mike