Package: debian-cd
Source: debian-cd
Version: 3.1.17
Severity: important

# How to reproduce?

Do as follows:

1. get the installation DVD 1 from [1];
2. use it to install Debian, optionally selecting a mirror;
3. notice that the target's "/etc/apt/sources.list" has both the "security" and "updates" distributions/repositories enabled for the "contrib" component. If no mirror was selected, only the "security" distribution/repository is enabled.

# How often is it reproduced?

For the "security" distribution/repository, it is always reproducible. In the case of the "updates" distribution/repository, it applies only if a mirror was selected.

# Other information

No test was made for other architectures, download methods (e.g. jigdo), or media types/variants (e.g. CD, netinstall).

The following assumes that you did `git clone --recursive "https://salsa.debian.org/images-team/debian-cd.git" && cd "debian-cd"`.

## Commits related to the "contrib" component

The following procedure was used to find what implemented the "contrib" component:

1. run `git grep -Ei 'contrib' | sed -E '/(^|\/)(doc|info|man)|\.pot?:/d'`;
2. for each file, run `git blame`, and look for the related lines and the corresponding commits that implemented the "contrib" component;
3. check out the parent of that commit (`git checkout hash~1`);
4. repeat from step 1 until there is no other match for that path;
5. run `git checkout master` and repeat from step 1 until there are no more paths matching the search for implementations of the "contrib" component.

This led to the following possibly problematic commits:

Commit: e83ef58217c4f830ed12ecb314517818417c984d
Date: 1999-11-11T17:10:37+0000
Note: "contrib" added for the first time.

Commit: 916440cf9a265370facae13776213aefaa8a28d6
Date: 2002-12-07T10:22:40+0000
Note: makes the usage of "contrib" an opt-out.

## Commits related to popcon/popularity-contest

The following procedure was used to find what added popcon/popularity-contest:

1. run `git log -p tasks/{,*/}popularity-contest* | less -I '+/contrib' +GN`, and take the commit hash of the nearest "commit" line above the match (in less, type `?^commit` and press Enter);
2. check out the parent of that commit (`git checkout hash~1`);
3. repeat from step 1 until there is no other match for "contrib" in popcon.

This results in the following list of possibly problematic commits:

Commit: 8e74984498ffaff1d64fe125a5d09ca6d521c035
Date: 1999-12-27T23:11:18+0000
Note: adds popcon/popularity-contest, which by default takes the most used packages, which as of today includes packages from "main" and "contrib".

# Possible list of affected paths

The possibly related files, across all iterations of the steps from the procedures described earlier, are as follows:

* tasks/*/popularity-contest
* tasks/popularity-contest*
* tasks/README
* CONF.sh
* tools/apt-selection
* tools/create_control
* tools/generate_di_list
* tools/grab_source_list
* tools/make_disc_trees.pl
* tools/sort_deps
* tools/start_new_disc
* tools/which_deb
* update-cd

# Possible affected versions

Since the commits found date back to 1999, version tag 3.1.17, from 2015, was selected, as it is the oldest one still present in the pool ([2]).

# Rationale and suggestions

All in all, because of the way the DVD/CD build process is done today, including packages that come from "contrib" also inserts that repository into the target's "/etc/apt/sources.list", since the apt-setup source package sees the list of sources. The reason for reporting this is that, according to the Debian Policy Manual, only the "main" component is part of the Debian distribution ([3], [4]), while "contrib" is not ([5]), so the target's "/etc/apt/sources.list" should reflect that.
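The check below is an added example, not code from this report or from debian-cd: a small POSIX sh audit that reads an apt sources.list and reports every enabled component other than "main", which is the condition step 3 of the reproduction describes (a "contrib" entry on the "security" and "updates" suites). The sources.list content is constructed here to model a post-install file written with a mirror selected; the function names `find_nonmain_components` and `audit_sources_list` are assumptions of this example, and a real run would feed `/etc/apt/sources.list` on stdin instead.

```shell
#!/bin/sh
# Added example (not part of the bug report or of debian-cd): audit an apt
# sources.list for components other than "main".  Debian Policy counts only
# "main" as part of the distribution, so any other component on a freshly
# installed system is worth flagging in a post-install audit.

# Constructed sample modelled on a post-install /etc/apt/sources.list
# written with a mirror selected.  It is not real installer output.
SAMPLE_SOURCES_LIST='# constructed sample, not a real installer output
deb cdrom:[Debian GNU/Linux 11.0.0 _Bullseye_ - Official amd64 DVD Binary-1]/ bullseye contrib main

deb http://deb.debian.org/debian/ bullseye main contrib
deb-src http://deb.debian.org/debian/ bullseye main

deb http://security.debian.org/debian-security bullseye-security main contrib
deb [arch=amd64] http://deb.debian.org/debian/ bullseye-updates main contrib'

# Read sources.list text on stdin and print "<type> <suite> <component>" for
# every component that is not "main".  Comments and blank lines are skipped.
# Bracketed parts ([arch=...] options and the cdrom label, which contains
# spaces) are removed first, so that whitespace-splitting reliably yields:
# type, URI, suite, then the list of components.
find_nonmain_components() {
    sed -e 's/#.*//' -e 's/\[[^]]*\]//g' -e '/^[[:space:]]*$/d' |
    while read -r type uri suite components; do
        for comp in $components; do
            [ "$comp" = main ] || printf '%s %s %s\n' "$type" "$suite" "$comp"
        done
    done
}

# Exit 0 when only "main" is enabled, 1 otherwise.  Offending entries are
# printed so the check can run from a post-install script or a CI job.
audit_sources_list() {
    findings=$(find_nonmain_components)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone usage on the constructed sample.  For a real system use:
#   audit_sources_list < /etc/apt/sources.list
printf '%s\n' "$SAMPLE_SOURCES_LIST" | audit_sources_list ||
    echo "WARNING: components other than main are enabled"
```

On the constructed sample the audit prints four "contrib" findings (the cdrom entry, the mirror's "bullseye" suite, "bullseye-security" and "bullseye-updates") and exits 1; a file that lists only "main" passes silently. The bracket-stripping step is what keeps the cdrom: line parseable, since its label contains spaces that would otherwise shift the suite and component fields.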
Possible solutions include:

a) make "contrib" an opt-in (instead of the current opt-out), and use the opt-in for the Debian-provided media;
b) move this bug to the Debian Policy team so that the "contrib" component is also considered part of the Debian distribution;
c) since the only package currently fetched is "iucode-tool", find a way to detect which processors would need "iucode-tool", and ask the user to insert extra media with the firmware, and only use that during the install;
d) remove "contrib" from popcon/popularity-contest.

# References

[1]: https://get.debian.org/images/release/current/amd64/bt-dvd/debian-11.0.0-amd64-DVD-1.iso.torrent
[2]: https://deb.debian.org/debian/pool/main/d/debian-cd/
[3]: https://www.debian.org/social_contract#guidelines , search for “Works that do not meet our free software standards”.
[4]: https://www.debian.org/doc/debian-policy/ch-archive#the-main-archive-area
[5]: https://www.debian.org/doc/debian-policy/ch-archive#the-contrib-archive-area

-- 
* https://libreplanet.org/wiki/User:Adfeno
* Activist, neither a lawyer nor an IT technician
* Buy from local vendors
* Use and contribute to free software (free as in freedom, not as in price)
* Sending documents? Use OpenDocument. Other types: see the address above
* Use XMPP (federated, the parent of WhatsApp)
* E-mails signed with OpenPGP (attachment "signature.asc")