Re: Post-Lenny discussion on packages with external (potentially non-free) dependencies
On Tue, 17 Feb 2009, Michael S. Gilbert wrote:
> In the following, I recap the core problems at hand (listed in terms of
> importance/relevance) and the arguments on both sides that have been
> developed in the bug report .
> Summary of the problem: Some packages such as foo2zjs, pciutils,
> ttf-mathematica4.1, etc. have components that download files external
> to the Debian archives (from the internet) at runtime, which is
> problematic in many ways.
> 1. Provides a potential avenue for introducing malicious software
> onto users' systems
In the case of foo2zjs and pciutils, the software/data is not
downloaded automatically, but at the specific request of an admin by
running a special script.
It would be ideal if foo2zjs and pciutils had a mechanism to verify
that the files downloaded matched the expected contents by the use of
SHA256, gpg or some other file verification function. Since in neither
case should the downloaded files be executed directly (though I
suppose a specially crafted firmware would be annoying) this doesn't
seem like a serious security problem, but a wishlist bug.
In the case of ttf-mathematica4.1, the md5sum is verified by the
postinst script, so while it may be the case that this should be
changed to a more secure hash algorithm, it's still reasonable.
> 2. Components of the package may stop working in the midst of a
> stable release's lifetime
It is probably reasonable to make these scripts as flexible as
possible to find the proper location, and to allow users to easily
override the location in cases where it's changed. Again, a case where
a wishlist bug with a patch attached would most likely be accepted.
[In the case of ttf-mathematica4.1, since it doesn't fail the install,
and just complains, this isn't too bad.]
> 3. Allows packages in main to depend on external files, violating
> the spirit of the Debian Policy
ttf-mathematica4.1 isn't in main, and foo2zjs and pciutils don't
require a package outside of main for compilation and execution. It's
perfectly ok for packages outside of main to provide additional
functionality to packages in main, since that doesn't form a Depends:
relationship. [Compare and contrast foo2zjs with the linux kernel, for
> Hence, non-free components (if they are to be supported at all)
> should be included in the non-free archive instead of fetched
In order for this to occur, Debian must be able to distribute the
firmware. I'm not sure that this is the case for foo2zjs; it's
certainly not the case for ttf-mathematica4.1, and we already
distribute the pciids for pciutils.
> Argument: This is a hard argument to make, but since main is
> supposed to be 100% free, it only makes sense that all dependencies
> shoud be free as well.
The only thing we require is that the required dependencies, that is,
those things that form a Depends: relationship be free, not that
everything that could possibly enhance the operation of a package be
free. Obviously, the latter is the ideal state, but it's not a
Our days are precious, but we gladly see them going
If in their place we find a thing more precious growing
A rare, exotic plant, our gardener's heart delighting
A child whom we are teaching, a booklet we are writing
-- Frederick Rükert _Wisdom of the Brahmans_
[Hermann Hesse _Glass Bead Game_]