On Thu, 2025-07-10 at 09:53 +0200, Simon Josefsson wrote: > I tend to agree -- the package is in contrib, which I think are entitled > to do "bad" things like downloading executables from the Internet and > use them? Correct; the package source itself is DFSG, but it depends on non- free binary blobs which is why it's in contrib. > > > Are these blobs distributable? I suppose not. Maybe having a list of > known URLs and have the client try all of them would be more reliable. > It may become a cat and mouse chase. I also have doubts about redistributabilty of the binary firmware itself. I couldn't find any license/readme either on the GitHub mirror or using the Wayback Machine to look at the original download site. In theory requiring the user to download each time via the postinst script works around it, at least from Debian's end, but I don't know about the site(s) that are actually hosting the firmware. This package has been orphaned for over a decade now, which is certainly less than ideal. Mathias
Attachment:
signature.asc
Description: This is a digitally signed message part