
foo2zjs dispute



reassign 449497 tech-ctte,foo2zjs
thanks

Dear Technical Committee Members

Currently, there is a dispute about a certain part of the foo2zjs package. 
Unfortunately, we do not seem to be able to solve it and thus require your 
assistance. We have tried to get a paragraph together to state the problem, 
but it seems we ended up with two different paragraphs. The first one is from 
the maintainer (myself) and the second one belongs to the bug submitter 
(Michael Gilbert). Could you please pass your judgement on this case?
You will find further information in the bug report and I am sure that the 
submitter as well as the maintainers are happy to answer any follow-up 
questions. At the moment, the bug is marked as RC, which might have an impact 
for the lenny release.
Thanks in advance for your time and judgement.

Cheers
Steffen


Maintainer:
--------------

The problem is as follows. The submitter sees the inclusion of the
getweb script as a violation of the DFSG. The script is provided by
upstream to download non-free firmware from his upstream webpage.  The
package includes documentation in README.Debian and a GUI interface
(hannah-foo2zjs) around the getweb script for the user's
convenience. Some printers need this non-free firmware to run, others
don't.  More information can be found in the bug report. Could we
please ask you to settle this dispute?


Submitter:
--------------

The submitter sees the getweb script's dependencies on external
data/files as potentially dangerous.  Once the package enters stable,
upstream changes (moving/modifying files, etc.) can break
functionality -- leading to a package that can no longer be considered
"stable."  External dependencies also potentially leave users
vulnerable to security risks (the upstream site could be spoofed or
hijacked and malicious files hosted instead of the legitimate firmware
files).  Also, the submitter views external dependencies as a possible
violation of the spirit of the Debian policy, which currently is not
explicitly clear on the issue.  Section 2.2.1 says "... the packages
in main must not require a package outside of main for compilation or
execution (thus, the package must not declare a 'Depends',
'Recommends', or 'Build-Depends' relationship on a non-main package)."
 This makes the policy clear about "packages," but it does not address
dependencies on other external non-packaged non-free files.  It is the
submitter's belief that Debian's policy should be reworded for clarity
on situations such as this.
