Re: Automatic downloading of non-free software by stuff in main
Ian Jackson wrote:
> Over the years, d-legal has discussed a number of packages which
> automatically download non-free software, under some circumstances.
>
> The obvious example is web browsers with extension repositories
> containing both free and non-free software.
>
> We have also recently discussed a media downloader/player which, when
> fed a particular kind of url, will offer to automatically download a
> proprietary binary-only protocol module to access the specified
> proprietary web service.
Another good example is language package-managers, such as pip, npm, and
cargo.
> We have generally put software like this in main, because it asks the
> user first, and can be used perfectly well without the proprietary
> parts. But the overall result is that a user who wants to use Free
> software can be steered by Debian into installing and using non-free
> software, sometimes unwittingly,
>
> I would like to establish a way to prevent this. (There are even
> whole Debian derivatives who have as one of their primary goals,
> preventing this. We should aim for most of the changes necessary for
> such derivatives to be in Debian proper, so the derivative can be
> little more than a change to the default configuration.)
I think this makes sense, but there's a further distinction we should
draw that I didn't see in your mail. Here's roughly what I'd love to
see:
- Packages in main must never automatically download or install non-free
or contrib software without user interaction. (For instance, if you
launch a browser and it auto-downloads and installs a proprietary
plugin in the background, that should be a bug of severity serious.)
- Packages in main must not point the user to specific non-free or
contrib software and recommend its installation, unless the user has
previously opted into receiving such recommendations. Such an opt-in
may be combined with questions regarding Debian's non-free repository.
(For instance, "you should download and install this specific
proprietary codec" should be a bug of severity serious. That said, we
need to find a way to make this requirement not compromise usability
by requiring the user to manually determine what they need.)
- Packages in main may provide a mechanism for the user to download and
install other software (e.g. extensions) from a collection of such
software. If they do, that mechanism should (note: not "must", and
this should not change to become stricter in the future) either
require that all software in the collection be Free Software, *or*
make it easy for the user to determine the license of the software
they're installing.
- Packages should (note: not "must" yet, but we should change this to
"must" in the future) perform appropriate cryptographic integrity
verification of downloaded software from an appropriate chain of
trust, or should obtain such software from packages in the Debian
repository that already include such verification.
- For the sake of avoiding ambiguity, an interpreter for file formats or
network protocols that include software, such as scripts, may consider
the user browsing to a site or opening a file as "user interaction"
for the purposes of processing the software embedded or referenced by
that site or file. However, this does not extend to automatically
downloading or installing separate non-free software to interpret such
sites or files, such as non-free codecs or plugins; that must still
require explicit user interaction.
How does that sound?