
Re: Draft: policy for vendors listed on Debian website

Hi there!

Please do not Cc: me, I read the debian-www@ list.

Adding the debian-cd@ mailing list because I ask some questions related
to the CD images.  For their information, the discussion started at:


On Sun, 20 Nov 2011 02:37:48 +0100, Javier Fernandez-Sanguino wrote:
> On 17 October 2011 20:40, Luca Capello <luca@pca.it> wrote:
>> On Mon, 17 Oct 2011 20:12:34 +0200, Luca Capello wrote:
>>> On Thu, 13 Oct 2011 20:25:16 +0200, David Prévot wrote:
>>>> Le 13/10/2011 04:16, Luca Capello a écrit :
>>>>> On Thu, 13 Oct 2011 02:23:42 +0200, Javier Fernández-Sanguino Peña wrote:
>>>>>>  - Vendor has to sell the "Official CD Debian images".
>>>>>>    Note: Even though vendors can send "additional CDs with unofficial
>>>>>>    software" I believe we should not list vendors which provide only
>>>>>>    "modified" CD Debian images.
>>>>> What is the rationale for that?  "modified" could also means that they
>>>>> change the default theme to their logo, for example, which I found fair.
>>>> If the CD is modified, how would it be possible to check if it is indeed
>>>> an official CD? It would break the trust path…
>>>>         0: http://www.debian.org/CD/verify
>>> Point taken, but I still think that there are different levels of
>>> modification.

Actually, after having read again David's reply and the link he posted
(which I re-added), I think the verify page should be corrected to warn
that we are talking about CD *images*, not the content of them:
$ wget http://mirror.switch.ch/ftp/mirror/debian-cd/6.0.3/amd64/iso-cd/debian-6.0.3-amd64-CD-1.iso
$ wget http://mirror.switch.ch/ftp/mirror/debian-cd/6.0.3/amd64/iso-cd/MD5SUMS
$ wget http://mirror.switch.ch/ftp/mirror/debian-cd/6.0.3/amd64/iso-cd/MD5SUMS.sign
$ gpg --verify MD5SUMS.sign
gpg: Signature made Sun 09 Oct 2011 08:22:56 PM CEST using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B
$ md5sum -c MD5SUM
debian-6.0.3-amd64-CD-1.iso: OK
md5sum: WARNING: 65 listed files could not be read

I am not a CD expert, so a simple question: if I burn the verified image
above (debian-6.0.3-amd64-CD-1.iso), do the following commands produce
an image that will match its checksum in MD5SUMS?

  $ cat /dev/cdrom >image.iso
  $ dd if=/dev/cdrom of=image.iso

If not, the only way to verify that the CD bought from any vendor comes
actually from an "Official CD Debian image" is to verify its
content.  The CD image contains an md5sum.txt file (why do we use no or
.txt extensions for such files, and not .md5/.sha*?):
$ sudo mount -o loop debian-6.0.3-amd64-CD-1.iso /media/cdrom0 
mount: warning: /media/cdrom0 seems to be mounted read-only.
$ ls /media/cdrom0/
autorun.inf  g2ldr.mbr    pool                 setup.exe
css          install      README.html          tools
debian       install.amd  README.mirrors.html  win32-loader.ini
dists        isolinux     README.mirrors.txt
doc          md5sum.txt   README.source
g2ldr        pics         README.txt
$ cd /media/cdrom0/
$ md5sum -c md5sum.txt && echo 'everything OK!'
./.disk/base_components: OK
everything OK!

But the md5sum.txt file is not signed, so good for the trust path...  Or
am I missing something?

>> Just to be sure we are aware of our website (I was not), please note
>> that, as Richard Atterer replied [1] at Francesca's initial email, we
>> ATM specifically allow such modifications [2].
>> [1] <http://lists.debian.org/20110307223248.GE23741%40meeep.lan>
>> [2] <http://www.debian.org/CD/vendors/info>
> (sorry for the late reply, I'll try to bring closure to this
> discussion, let's see if I manage to :)

Thank you for the follow-up.

> Take into account that, while we allow for modifications, we do not
> allow people to refer to these CDs as "official Debian CDs". If we
> list vendors that distribute CDs that are not the official ones we
> should explicitly label them in the list.

Fully agree.

> In any case, we don't say in that page that we will list any vendor
> regardless of what they do with our brand or with the CDs. We do not
> say that vendors have to provide "official Debian CDs" is the
> requirements for listing vendors (see "Requirements for being added to
> the vendor list" in that same page) but we do say: "The website should
> offer the current stable Debian release".
> From my POV, that requirement rules out vendors that distribute
> *modified* versions of the stable Debian release. That is, they can
> provide the "official Debian CDs" of the stable Debian release AND
> other modified CDs but they CANNOT just provide "custom stable Debian
> release CDs".

I do not share your POV, but maybe this is just my English.  And this is
exactly why I have raised my voice: I do not think that the current
wording is clear.

> Notice that this does not prevent us from listing vendors that ship
> the official CDs and ship *additional* CDs with software or
> *additional* (properly labelled) custom versions in the same
> website/store.
> It also does not prevent vendors from distributing only modified CDs
> on their own,  we just will not list them in the vendors page.
> For example, IMHO, we should not list vendors that *only* sell in
> their site substantially modified versions of Debian (i.e.
> derivatives) which could be considered by some as being an "unofficial
> modified Debian CD". I'm thinking of derivatives such as (in the
> past) CoreLinux or any others that might come along.

I guess you meant <https://en.wikipedia.org/wiki/Corel_Linux>.

>> I am pointing it out to also understand if the policy Francesca and
>> Javier were referring to will be added/merged with [2] or if it is a
>> different thing.
> I hope I have made my point clear. Is the above something you can
> agree with? If so, and other members agree, I will commit changes to
> the info page.

After David's reply, my main concerns were about the words used, so I
perfectly agree with your reasoning, thank you for asking.

> PS: If no consensus is reached maybe we should try IRC instead to
> discuss this topic :)

IMHO this should have been recorded in the BTS, at least to have a
single place for all the information.

Thx, bye,
Gismo / Luca
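
As an added example (not code from this thread or from the debian-cd project), a small POSIX shell script over constructed sample files: it checks one image against a MD5SUMS-style list without the "listed files could not be read" noise, and compares a disc read back from a device with the image over exactly the image's byte length, so any trailing padding the drive returns is ignored. The function names and the sample data are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names: make_samples,
# verify_image, image_matches_device; the data is constructed, not a Debian image.
set -eu

# make_samples: build a throwaway directory with a small fake "image",
# a MD5SUMS-style list that also names a file we did not download, and a
# "disc" that is the image followed by zero padding (as a burned disc read
# back with cat or dd may be). Prints the directory name.
make_samples() {
  dir=$(mktemp -d)
  printf 'pretend ISO 9660 content\n' > "$dir/sample-CD-1.iso"
  ( cd "$dir" && md5sum sample-CD-1.iso > MD5SUMS )
  echo 'd41d8cd98f00b204e9800998ecf8427e  sample-CD-2.iso' >> "$dir/MD5SUMS"
  { cat "$dir/sample-CD-1.iso"; head -c 4096 /dev/zero; } > "$dir/disc.img"
  echo "$dir"
}

# verify_image DIR NAME: check only NAME's line of DIR/MD5SUMS, so the
# other entries do not produce "listed files could not be read" warnings.
# gpg --verify on MD5SUMS.sign must come first; this step trusts the list.
verify_image() {
  ( cd "$1" && awk -v n="$2" '$2 == n' MD5SUMS | md5sum -c --status - )
}

# image_matches_device IMAGE DEVICE: hash exactly as many bytes from DEVICE
# as IMAGE has, so trailing padding returned by the drive is ignored.
image_matches_device() {
  n=$(wc -c < "$1" | tr -d ' ')
  want=$(md5sum < "$1" | cut -d' ' -f1)
  got=$(head -c "$n" "$2" | md5sum | cut -d' ' -f1)
  [ "$want" = "$got" ]
}

# Stand-alone demo over the constructed data.
d=$(make_samples)
verify_image "$d" sample-CD-1.iso && echo "sample-CD-1.iso: listed hash matches"
image_matches_device "$d/sample-CD-1.iso" "$d/disc.img" && echo "disc matches image over its length"
rm -rf "$d"
```

The signature check (gpg --verify MD5SUMS.sign) still has to come before this; the script only shows that what the list names is what was downloaded and what was read back from the disc.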
