Re: CoC policy for package contents (was: Re: Can the community team remove packages or kick me out for not removing packages?)
Hi Iustin,
On Mon, Jul 21, 2025 at 04:59:32PM +0200, Iustin Pop wrote:
> On 2025-07-21 13:02:32, Wouter Verhelst wrote:
> > On Thu, Jul 17, 2025 at 04:34:40PM -0700, Russ Allbery wrote:
> > > The standard that we hold *ourselves* to is considerably more than just
> > > "don't be racist" for any definition of racist. The code of conduct we
> > > passed via GR says:
> > >
> > > 1. Be respectful
> > >
> > > In a project the size of Debian, inevitably there will be people with
> > > whom you may disagree, or find it difficult to cooperate. Accept that,
> > > but even so, remain respectful. Disagreement is no excuse for poor
> > > behaviour or personal attacks, and a community in which people feel
> > > threatened is not a healthy community.
> > >
> > > I think that's the relevant point, and respectful is a much higher
> > > standard than simply "not racist." It also, directly to your point,
> > > applies to behavior towards anyone in the project.
> > >
> > > But that's not directly relevant to the contents of *packages*, and
> > > therefore not particularly useful for resolving the point of this thread.
> >
> > This is an accurate statement, I would think.
> >
> > When I wrote the code of conduct, I did not make it explicit that I
> > thought it was not meant to apply to the contents of packages, but I
> > think that anyone who reads it can understand that this is the case by
> > the language used.
> >
> > However, I think it's clear by now that we need a project-wide consensus
> > on what policies apply to the contents of packages. This discussion
> > keeps popping up, and we don't really have a good answer, since we never
> > had a GR about the subject.
> >
> > I think we should, so hence my posting this to -vote. Please follow up
> > there.
>
> This is an excellent proposal, thank you for the email.
>
> > I can see four options that would hold relevancy in a vote like this:
> >
> > - The code of conduct applies, unmodified, to all source code in all our
> > packages
> > - The code of conduct does not apply to any contents of any of our
> > packages, and no alternative code of conduct is required (i.e.,
> > everything is allowed for our packages)
> >
> > I do not believe either of these two options are appropriate, but
> > they're opinions that someone could validly hold.
> >
> > - The code of conduct applies to all program messages or documentation
> > texts that could be seen by a user in the normal use of a Debian
> > system, as well as to anything written by a Debian developer for the
> > Debian project. However, the following exceptions apply:
> > - Quotes by historic people when provided in appropriate context,
> > - Historic texts that are widely disseminated outside of Debian.
>
> This sounds good (with the later updates you mention in a follow-up
> email), but I think this following paragraph hides a problem. Or, at
> least, a problem for me. Inline below:
>
> > The main paragraph mentions "program messages (...) that could be seen
> > by a user in the normal use of a Debian system", which does not
> > encompass things like offensive messages in source code comments, or
> > problematic variable names. This is not an accident; we are not the
> > morality police, and I think it serves no purpose for us to try to patch
>
> Here you say that we (the Debian project) do not want to be a morality
> police, in other words we would be somewhat neutral, but then
> immediately follow with:
>
> > out code of conduct-violating things in upstream source code. This is
> > not because I think things like that are not a problem; rather, because
> > I think it is a fight that should be fought upstream, not in Debian.
>
> I.e. we just can't afford to be the morality police, but we agree with
> it and wish someone would do it.

More like, we think it's a good idea if someone did it, but it's not the
main focus of our project and we should focus on the things that we can
change (i.e., what gets into Debian), rather than trying to impose our
will upon the larger (Free Software) world.

> Now, I don't think (fortunes-*-off excepted) that so far this has been a
> significant problem in Debian,

I can think of a few more examples that caused controversies in the
past:

- A system load monitor, about 20 years ago, that used a cartoon of a
  lady who was progressively undressed as the computer got warmer.
- A toolkit called "weboob" (for "WEB Outside Of Browser") that had
  devolved into a bunch of juvenile boob jokes
- The sudo "insults" feature which used to be enabled by default but was
  disabled after a bug report with complaints

So, yes, fortunes-*-off is the current problem, but not the first one,
and probably also not the last one, and it makes sense to clarify what
we think is or isn't allowed.

> but this raises the question: do we actually want to push for it
> (enforcing the current morality standards, which can change over
> time), just in a limited basis, or do we want to be neutral, and ship
> software as-is?
>
> My point is here that setting a CoC for package data is just a proxy for
> what we actually want, which I'm not sure is clear (to me; it might
> already be to other people). If it is, then deriving the CoC for
> packages from it should be rather straightforward.

Honestly, what *I* want is an answer, that we all can agree with, to the
question of whether the code of conduct applies to what we package, and
if so whether it fully applies or only partially.

Do I think we absolutely definitely need to have one? Not really.

Do I think it's a good idea to have one? Yes, definitely.

Do I think the answer "the code of conduct does not apply to packages in
Debian and anything is allowed there" is appropriate? Well, that's
complicated, as then that opens the door to blatant coc violations in
changelog entries. Someone writing a changelog entry with "**** the XYZ
team for making my life a living hell with this stupid requirement" in
it is potentially violating the code of conduct.

So having a policy is probably better than not having a policy. And if
we're already having a policy, then I think it makes sense to also look
at what kind of messages are being produced by our software to our
users. But that is not the main reason why I think we need this policy.

The questions that pop up here are things like, is it appropriate to
ship sudo with the "insults" option enabled by default? My answer to
that one would be, probably not. Or, is it appropriate to have Debian
developers spend a truckload of time on patching out anything that looks
remotely like it might be an insult? Well, also probably not.

So I think that the messages produced by the software that we ship
should be respectful towards our users and the larger world, and not do
things that could be considered problematic were it to be done by a
human being in a situation where the code of conduct were to apply. And
if that is not the case, then we should probably patch that kind of
thing out.

I *also* think that it's not a problem if software in Debian does such
things optionally, if explicitly enabled. But perhaps not everyone
agrees with that, and that's fine.

Since we're dealing with free software, patching it for our uses in the
most egregious cases is fine and possible and legal. But to make
upstream abide by these things, that's a lot more work, and honestly not
what we're trying to do. So if upstream constantly adds four letter
words to their git commits or their code comments, well, meh, it's not
going to keep me awake at night...

--
w@uter.{be,co.za}
wouter@{grep.be,fosdem.org,debian.org}
I will have a Tin-Actinium-Potassium mixture, thanks.