
Re: [pkg-go] Bug#856139: certspotter: long description advertises commercial service

First of all, a clarification: This post (like most in this thread) is
primarily about Debian's philosophy, not about certspotter (but I do talk about
that at the end as well).  For this reason, I'm not CC'ing the bug.

On Fri, Aug 11, 2017 at 05:26:58PM -0400, Faidon Liambotis wrote:
> On Fri, Aug 11, 2017 at 08:03:09AM -0400, Wouter Verhelst wrote:
> > If a free software implementation of the remote service exists that a
> > package can work with, then it can remain in main. If not, it cannot.
> There are no free software server-side implementations of e.g. the ICQ
> protocol, as far as I know, but multiple client-side implementations in
> main.

That is a bug as far as I'm concerned; a client designed purely (or mostly) for
such a non-free service should not be in main.

> For that matter, there is no free software server-side implementation of
> QUIC, so I guess by that rule, Chromium should be in contrib as well.

No.  The question is not "is there non-free software that the program can work
with?"  That would be much too broad, and it would make anything that touches
the network non-free.  Instead, the question is "is non-free software required
for major functionality of the program?"  With an ICQ client, it is.  With a
web browser, it's not.

Also note that the reason we split our free packages between main and contrib
is a service to our users: those who do not want to depend on non-free software
can disable contrib.  Not showing an ICQ client to those users is a service to
them, not a burden: it's what they ask for when putting only main in their

Now if an upstream or a maintainer gets upset about software being moved from
main to contrib, that is a sign that they (like Debian) would prefer to live in
a world where all software is free.  Because of that, they don't want to
support non-free software, which means (if all dependencies are packaged) that
their software should be in main.  So when people tell them "your software
belongs in contrib", especially if the reason is that it requires non-free
software (as opposed to non-packaged software), it hurts their pride.

I think that is a good thing: it should be an incentive for them to get rid of
the dependency.  However, I've seen on multiple occasions that the response is
to deny the problem and to push for keeping the software in main anyway,
claiming something to the effect of "it's more important for our users that
they have access to this software than it is to have a completely free system".

That is a disservice to our users.  While for many users this is true, those
users will have contrib (and probably non-free) enabled in their sources.list.
So moving the package to contrib doesn't change anything for them.  The only
people who see a difference are the ones who asked not to see this kind of
software, and they will no longer see it.  That is a great outcome, not
something to get upset about.

> As for certspotter [...]

It has become clear a while ago (to me anyway) that certspotter belongs in
main.  From the start, the bug report was about the description, not about the
program itself and thus the fix would be to change that, not to move the
package to contrib.  I agree with the bug that descriptions of Debian packages
(even those in non-free) should not advertise non-free software or services.
If there is a free option (and there must be for it to be in main) that should
be mentioned as the recommended way to use the program.  If there also is a
non-free option, it can be mentioned as an alternative, especially if many
users are expected to know about it.  If it is unknown to most users, I think
it should be left out.

> the conversation has derailed quite a bit [...] Not cool.

Actually, that is "cool".  Jonas made the larger community aware of the issue,
which means we can discuss it.  On our mailing lists, the tangents this went to
are not off-topic.  Perhaps the bug should be removed from the Cc, but that's a
minor issue.

> - People called SSLMate "non-free" and objected to the certspotter
> description pointing to it.

No, pointing does not need to be a problem.  Recommending it (in effect
advertising for it) is.

> - I don't have any personal or business connection to SSLMate or
>   certspotter, other than using the software and maintaining the
>   package. I haven't communicated with my upstream about this issue
>   either and my comments on the bug report are just my views. I just want
>   to be fair to a nice upstream, who has graciously released part of
>   their business as free (as in speech and as in beer) software, for
>   anyone to use instead of using their service.

I agree that it is unfortunate that people get so upset over discussions like
this one, and I appreciate that you keep it away from upstream, so they are not
bothered with it; this has nothing to do with them.

