
Re: Keeping your Debian system secure =>why non-free



Hi,

(Disclaimer: I use and maintain some non-free packages.  So please do not
shoot the messenger.)

As we all know non-free in the Debian archive is a friction point
between Debian and FSF.

On Thu, Sep 11, 2014 at 06:08:28PM +0200, Thijs Kinkhorst wrote:
> On Wed, September 10, 2014 22:27, Yves-Alexis Perez wrote:
> >> > I'm adding debian-www (contact point for all web pages) to CC: so they
> >> > can get a look.
> >>
> >> This section is handled by the security team (people in the team have
> >> commit access), but if they feel the need to let someone else fix stuff
> >> on their behalf, they're welcome to provide explicit guidance of what
> >> is to fix, and how.
> >
> > Is there anything else than CVS available in order to provide a patch? I
> > think removing the "contrib non-free" part would be ok (and maybe add
> > them to the security FAQ so people actually interested by those suites
> > can add the information themselves, although I'm unsure what does the
> > installer do right now).
> >
> > Team, what do you think?
> 
> I think the original claim that this "recommends" or advocates non-free is
> firmly overstating things. 

Suggesting adding the contrib/non-free archive, even with fair warning,
causes tension with folks aligned with FSF, historically.  I have
first-hand experience of doing so in my "Debian reference".
  https://bugs.debian.org/686481

In order to avoid the wrong impression that the Debian distribution
contains non-free in it, with zak's assistance, I came up with an extra
section addressing this topic in /etc/apt/sources.list

 https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_debian_is_100_free_software

zak, as then-DPL, accepted this as our best effort, as I understood.  But
the person complaining "Debian to support non-free from FSF view point"
did not give us a clean "good job" response.  So the bug is still open.

> The line just documents how you can use
> security updates and shows the suites that are available. If you don't
> want some of those suites it's trivial to leave them off.

Please note d-i does not put "contrib non-free" into
/etc/apt/sources.list by default.
 
> Seems like a non-issue to me. Has this actually caused a problem for someone?

Based on the above observation, unfortunately "YES, it causes a problem".

Some words of caution for adding non-free and contrib there may be a
prudent thing to do for better collaboration with FSF.  (Although
that may not be enough...).

Regards,

Osamu
