
Re: [Foo2zjs-maintainer] Bug#449497: TC proposal for dispute



the paragraph for the technical committee seems like a very good
start.  however, i request the following rewrite of the fourth
sentence:

The submitter sees the getweb script's dependencies on external
data/files as potentially dangerous.  Once the package enters stable,
upstream changes (moving/modifying files, etc.) can break
functionality -- leading to a package that can no longer be considered
"stable."  External dependencies also potentially leave users
vulnerable to security risks (the upstream site could be spoofed or
hijacked and malicious files hosted instead of the legitimate firmware
files).  Also, the submitter views external dependencies as a possible
violation of the spirit of the Debian policy, which currently is not
explicitly clear on the issue.  Section 2.2.1 says "... the packages
in main must not require a package outside of main for compilation or
execution (thus, the package must not declare a 'Depends',
'Recommends', or 'Build-Depends' relationship on a non-main package)."
This makes the policy clear about "packages," but it does not address
dependencies on other external non-packaged non-free files.  It is the
submitter's belief that Debian's policy should be reworded for clarity
on situations such as this.

thank you for your consideration.  i apologize for being difficult,
but i believe that it is better to address the issue now, since the
impending release forces action on the matter.  i am certain that
ignoring the problem will result in no action until the next release
(1.5 years from now).  i am not willing to wait.

