
Re: Bug#353277: ndiswrapper in main



On 3/25/06, Manoj Srivastava <srivasta@debian.org> wrote:
> On 22 Mar 2006, Anthony Towns stated:
> > On Mon, Mar 13, 2006 at 03:28:50PM -0500, Raul Miller wrote:
> >> On 3/7/06, Ian Jackson <ian@davenant.greenend.org.uk> wrote:
> >>> Why does contrib exist ?
> >> [essay elided.]
> >
> > So is there an alternate proposal to
> >
> > http://lists.debian.org/debian-ctte/2006/03/msg00037.html
> >
> > so we can have a vote and make a decision? AFAICS we've discussed
> > this pretty thoroughly.
>
>         I am going to be out of town for the latter half of next week,
>  so if a vote comes up when I am gone,  I support the resolution in
>  the mail:
>         http://lists.debian.org/debian-ctte/2006/03/msg00037.html
>
>         I am not sure I see that it is at variance with published
>  policy, nor do I see why it makes contrib ambiguous, really.

The ambiguity is in the resolution's interpretation of the quoted policy:

  ...  must not require a package outside of _main_ for
  compilation or  execution ...

Does no-operation or substandard operation satisfy requirements for
execution?

One argument in favor of the above resolution is that if no operation
is documented as a part of the ABI, that is sufficient for these
requirements.

But this concept is not expressed in policy, and it's just as reasonable
to require normal operation be possible to satisfy requirements for
execution.

Another argument put forward in favor of the above resolution is that
if no software has been packaged, this policy is irrelevant as the
requirements are for non-packaged software.

But this argument seems more dubious than the "no operation is sufficient
for the typical case" concept.

The final, and perhaps most convincing argument in favor of ndiswrapper
is that it allows the use of CIPE.  But CIPE seems flawed, and oddly
enough the most recent in-depth coverage of these issues seems old:
http://lists.grok.org.uk/pipermail/full-disclosure/2003-September/010864.html

The last release of cipe (1.6.0) was in 2004.  The last Debian update
to the cipe package (1.5.4) was in 2004.  There's not even an option
to use anything better than a 32-bit checksum for integrity purposes
(which is one of the more egregious security flaws in cipe).

Poking around a bit more, it looks like people have mostly abandoned
cipe for stuff like openvpn (which we also distribute).

I see no evidence that anyone cares enough about the cipe package to
justify it being in main.  If CIPE is the reason we have ndiswrapper in
main, I think we're doing our users a disfavor.

I'm not aware of any other arguments in favor of that resolution which
satisfy this policy.

Is "we should be distributing CIPE in main" really the reason for keeping
ndiswrapper in main?  Or is there some better argument?

If there is such an argument, I'd like to understand it before I make a
proposal based on the idea that there are no better arguments in favor
of this resolution.

--
Raul


