
Bug#966532: RFS: ukui-system-monitor/1.0.0-1 [ITP] -- Monitor for UKUI desktop environment



I'd consider it problematic including packages in Debian from companies[0] which must comply with local laws[1] that can force them to include backdoors and also prevent them from disclosing that they've been forced to do so.

The supply chains of Open Source Linux distributions are especially vulnerable to such attacks and even more so once official packages from these companies are included. Never mind that they're open source when not every release gets audited and the maintainer can be coerced to include functionality (against their will).

Why do Kylin OS packages need to be available in Debian?

I guess the same is true of any Australian company since the passing of the infamous AABill.
Maybe packages coming from such jurisdictions shouldn't be included in Debian or at least marked so that an unsuspecting user doesn't end up running them without understanding the risks.

[0] China's 'secure' OS Kylin - a threat to U.S offensive cyber capabilities? https://www.zdnet.com/article/chinas-secure-os-kylin-a-threat-to-u-s-offensive-cyber-capabilities/
[1] See China's Article 77 of the state security law https://www.chinalawtranslate.com/en/2015nsl/


regards,
Joachim

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, July 30, 2020 10:07 AM, handsome_feng <jianfengli@ubuntukylin.com> wrote:

> Package: sponsorship-requests
> Severity: wishlist
> X-Debbugs-Cc: jianfengli@ubuntukylin.com
>
> Dear mentors,
>
> I am looking for a sponsor for my package "ukui-system-monitor":
>
> -   Package name : ukui-system-monitor
>     Version : 1.0.0-1
>     Upstream Author : lixiang@kylinos.cn
>
> -   URL : https://www.ukui.org
> -   License : GPL-3+
> -   Vcs : https://github.com/ukui/ukui-system-monitor
>     Section : x11
>
>     It builds those binary packages:
>
>     ukui-system-monitor - Monitor for UKUI desktop environment
>
>     To access further information about this package, please visit the following
>     URL:
>
>     https://mentors.debian.net/package/ukui-system-monitor/
>
>     Alternatively, one can download the package with dget using this command:
>
>     dget -x https://mentors.debian.net/debian/pool/main/u/ukui-system-monitor/ukui-system-monitor_1.0.0-1.dsc
>
>     Changes since the last upload:
>
>     ukui-system-monitor (1.0.0-1) unstable; urgency=medium
>     .
>     -   Initial release. (Closes: #966527)
>
>         Regards,
>         handsome_feng
>
>         -- System Information:
>         Debian Release: bullseye/sid
>         APT prefers unstable
>         APT policy: (500, 'unstable')
>         Architecture: amd64 (x86_64)
>         Foreign Architectures: i386
>
>         Kernel: Linux 5.7.0-2-amd64 (SMP w/4 CPU threads)
>         Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
>         Shell: /bin/sh linked to /usr/bin/dash
>         Init: systemd (via /run/systemd/system)
>         LSM: AppArmor: enabled
>

