Re: Post-Lenny discussion on packages with external (potentially non-free) dependencies
Michael S. Gilbert wrote:
> Summary of the problem: Some packages such as foo2zjs, pciutils,
> ttf-mathematica4.1, etc. have components that download files external
> to the Debian archives (from the internet) at runtime, which is
> problematic in many ways.
If possible, the to-be-downloaded data should be packaged so most of
the problems below are solved or mitigated.
> 1. Provides a potential avenue for introducing malicious software onto
> users' systems
Well, input validation is very common for web applications. The
validation can consist of verifying the structure or a checksum etc, but
should always be present IMHO.
> 2. Components of the package may stop working in the midst of a
> stable release's lifetime
> Argument: Since the location and composition of external files is
> outside of the package maintainer's control, upstream changes can break
> stable scripts.
If possible, the package should self-adjust to, or give the user the
opportunity to influence, the location of the external files. Sometimes
it's possible to fall back to a location under the maintainer's control
so the package will continue to work.
If that's not possible, the package should not be included in the stable
release itself IMHO and people are encouraged to discuss the inclusion
in the volatile archive.
> 3. Allows packages in main to depend on external files, violating the
> spirit of the Debian Policy
Like Don explained, it could be a convenience script; in that case the
package is not really depending on the external files.
Not packaging external files because they would make too small packages is
not an argument IMHO, as they could get included in the package itself in
that case, or similar things can be packaged together.
> 4. Parts of the package work as intended only under certain
> Argument: Since an internet connection is not guaranteed on the user's
> end, the program does not work as intended when the net is either down
> or unavailable. For example, a user with a printer supported by
> foo2zjs's getweb will not be able to make that printer work if they use
> their machine as a standalone. As much of Debian as possible should be
> fully functional even when standalone. Hence, non-free components (if
> they are to be supported at all) should be included in the non-free
> archive instead of fetched externally.
> Rebuttal: None yet.
Well yes, depending on an internet connection should be avoided if possible.
> 5. Allows packages in main to potentially depend on non-free files
If the functioning of the package needs the non-free files, it is not
just a convenience script, and I would put the package in contrib.
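The checksum-validation point (item 1) and the maintainer-controlled fallback location (item 2) together, as an added example that is not part of the original mail or of foo2zjs, pciutils or any other named package: a hypothetical getweb-style fetch wrapper in POSIX sh that tries sources in order, verifies a pinned SHA-256 before anything reaches the destination, and fails closed when no source verifies. Local paths stand in for the download URLs so it runs offline.

```shell
#!/bin/sh
# Hypothetical fetch wrapper (example code, not from any Debian package).
# Each candidate source is copied to a temporary file, its digest is
# compared with the pinned value, and only a verified file is moved to DEST.

sha256_of() {
    # Print the SHA-256 hex digest of file $1 (coreutils, BSD fallback).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# fetch_verified DEST EXPECTED_SHA256 SOURCE...
# SOURCE is a local path standing in for a URL (a real script would use
# wget/curl here). Returns 0 after installing the first source whose digest
# matches; returns 1, leaving DEST untouched, if no source verifies.
fetch_verified() {
    dest=$1; expected=$2; shift 2
    tmp=$(mktemp) || return 1
    for src in "$@"; do
        # "Download" into the temp file, never directly into DEST.
        if ! cp "$src" "$tmp" 2>/dev/null; then
            echo "fetch_verified: $src unavailable, trying next source" >&2
            continue
        fi
        actual=$(sha256_of "$tmp")
        if [ "$actual" = "$expected" ]; then
            mv "$tmp" "$dest"
            return 0
        fi
        # Upstream changed or tampered content: reject and fall back.
        echo "fetch_verified: $src failed checksum, trying next source" >&2
    done
    rm -f "$tmp"
    return 1
}
```

The pinned digest would ship inside the package, so an upstream change or a tampered mirror makes the download fail visibly instead of silently installing different content.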