
Re: jessie release goals



Christoph Anton Mitterer wrote...

> 2) No more packages that bypass the package management system and secure
> apt:
> a) There are still several (typically non-free) packages which download
> stuff from the web, install or at least un-tar it somewhere without
> checking any integrity information that would be hardcoded in that
> package.
> 
> b) Another problem are IMHO plugins like Firefox extensions, kinda
> bypassing APT. I think at least those that are installed via a package,
> shouldn't be upgradable/overwritable anymore with online versions.

I'd like to enhance that topic to the question under which
circumstances a package is allowed to "phone home", i.e. to contact a
service provided by upstream without the consent of the user. For the
records, I wouldn't mind much if the rule is "never".

Still an answer might be not as easy as it seems, a few situations:

* Automatic update checks don't make sense, mostly they confuse users.

* As an example, nagios3 upstream embedded several requests to the
  nagios homepage on the start page of any local installation. That
  I consider both annoying and a privacy breach, so I patched that
  away locally. But perhaps such behaviour should be banned entirely.

* On the other hand, there are packages that do need frequent updates,
  virus scanners to start with, also ad blockers. Not sure whether
  these should be granted an exception. If not, somebody would have to
  take the task to provide these updates in an APT way.

Just sharing a few thoughts on that ...

    Christoph

