Debian Bug report logs - #449497
foo2zjs: getweb script depends on non-free firmware


Package: foo2zjs; Maintainer for foo2zjs is Debian Printing Team <debian-printing@lists.debian.org>; Source for foo2zjs is src:foo2zjs.

Reported by: Michael Gilbert <michael.s.gilbert@gmail.com>

Date: Tue, 6 Nov 2007 04:42:01 UTC

Severity: important

Merged with 503813, 503814

Found in version foo2zjs/20070718dfsg-6

Done: Michael Koch <konqueror@gmx.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. Full text and rfc822 format available.

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: foo2zjs: application depends on non-free firmware
Date: Mon, 05 Nov 2007 23:38:21 -0500
Package: foo2zjs
Version: 20070718dfsg-6
Severity: serious
Justification: Policy 2.2.1

foo2zjs relies heavily upon non-free firmware that is hosted at the
upstream site.  this behavior, i believe, does not adhere to the spirit of 
the debian policy for software in main (packages should not require 
packages outside of main).

although semantically, the foo2zjs package does not rely on a debian 
package outside of main, it does however depend on binary firmware packages 
outside of main (at the upstream host site).

i believe that the package, as is, belongs in contrib instead of main.

mike

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (400, 'testing'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.22-3-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages foo2zjs depends on:
ii  libc6                         2.6.1-6    GNU C Library: Shared libraries

Versions of packages foo2zjs recommends:
ii  foomatic-db-engine      3.0.2-20061031-1 linuxprinting.org printer support 

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #10 received at 449497@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 449497@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: [Foo2zjs-maintainer] Bug#449497: foo2zjs: application depends on non-free firmware
Date: Tue, 6 Nov 2007 16:11:05 +1100
[Message part 1 (text/plain, inline)]
severity 449497 wishlist
tags 449497 wontfix
thanks

Hi Michael

To the best of my knowledge, not all printers need this firmware. Thus, the 
package is operational without additional firmware. Unfortunately, some 
printers need firmware, that is right. Please feel free to ask hp or the 
other printer vendors to somehow free their firmware :)
We have done everything we could to keep the package in main and provide a way 
for users to manually and easily add additional things, if they want and 
need. The package however still provides functionality without these things 
and I do not see a dependency against a non-free package. Therefore, I 
lowered the severity to make sure that the package still migrates to testing 
and added the wontfix tag.

Cheers
Steffen
[signature.asc (application/pgp-signature, inline)]

Severity set to `wishlist' from `serious' Request was from Steffen Joeris <steffen.joeris@skolelinux.de> to control@bugs.debian.org. (Tue, 06 Nov 2007 05:09:03 GMT) Full text and rfc822 format available.

Tags added: wontfix Request was from Steffen Joeris <steffen.joeris@skolelinux.de> to control@bugs.debian.org. (Tue, 06 Nov 2007 05:09:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. Full text and rfc822 format available.

Acknowledgement sent to "Michael Gilbert" <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #19 received at 449497@bugs.debian.org (full text, mbox):

From: "Michael Gilbert" <michael.s.gilbert@gmail.com>
To: 449497@bugs.debian.org
Subject: Re: [Foo2zjs-maintainer] Bug#449497: foo2zjs: application depends on non-free firmware
Date: Tue, 6 Nov 2007 00:23:39 -0500
the appropriate solution should be to split the package into separate
foo2zjs and foo2zjs-contrib packages, where the contrib package
contains only the getweb firmware fetching stuff.

has debian-legal reviewed the package?  it's really up to them to
determine whether this is a policy violation or not.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #24 received at 449497@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: "Michael Gilbert" <michael.s.gilbert@gmail.com>
Cc: 449497@bugs.debian.org
Subject: Re: [Foo2zjs-maintainer] Bug#449497: foo2zjs: application depends on non-free firmware
Date: Tue, 6 Nov 2007 16:48:50 +1100
[Message part 1 (text/plain, inline)]
On Tue, 6 Nov 2007 04:16:50 pm you wrote:
> i believe that the proper solution is to split the package into
> foo2zjs and foo2zjs-contrib -- where the contrib package will have
> only the non-free getweb stuff.
Nah, a package split with only this script in it would be overkill.
The script is offered for convenience and so is the hannah-foo2zjs package.
I am also not convinced that the getweb script is enough to state that the 
package should be contrib. It does not depend on any software directly. It is 
just a nice method of getting the firmware and integrating it into the system 
properly. By all means, ask debian-legal about it, but then please also check 
other packages in the debian archive, which might do the same. I am sure that 
there are other "downloader" packages, which are way more obvious and 
problematic than foo2zjs (following your definition of contrib that is :) ).

Cheers
Steffen
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. Full text and rfc822 format available.

Acknowledgement sent to "Michael Gilbert" <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #29 received at 449497@bugs.debian.org (full text, mbox):

From: "Michael Gilbert" <michael.s.gilbert@gmail.com>
To: 449497@bugs.debian.org
Subject: Re: [Foo2zjs-maintainer] Bug#449497: foo2zjs: application depends on non-free firmware
Date: Fri, 9 Nov 2007 23:39:55 -0500
the problem with external dependencies is that functionality can be
broken due to circumstances outside of your control.  vis a vis, the
getweb stuff is currently broken (in unstable as well as stable!)
because the upstream author randomly decided to modify his directory
naming scheme.  this is why debian policy required that there are no
dependencies on packages outside of main.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. Full text and rfc822 format available.

Acknowledgement sent to "Michael Gilbert" <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #34 received at 449497@bugs.debian.org (full text, mbox):

From: "Michael Gilbert" <michael.s.gilbert@gmail.com>
To: debian-legal@lists.debian.org, 449497@bugs.debian.org
Subject: Policy on Binary Firmware Fetching in Main (e.g. foo2zjs)
Date: Sat, 10 Nov 2007 00:32:08 -0500
i recently submitted a serious bug against foo2zjs because the package
provides a non-free firmware fetching script (called getweb) in main.
i believe this to be a serious bug for two reasons:

the first is that packages in main should not have any dependencies on
non-free software.  however, debian policy is not entirely clear on
the issue.  section 2.2.1 says "... the packages in main must not
require a package outside of main for compilation or execution (thus,
the package must not declare a 'Depends', 'Recommends', or
'Build-Depends' relationship on a non-main package)."  this makes the
policy clear about dependencies on "packages," but it does not address
dependencies on other external non-free files.

the second reason is that the upstream author recently modified his
directory naming scheme, which broke that same firmware fetching stuff
(the script now links to the wrong locations).  so, not only is the
version of foo2zjs in unstable broken, but the version in stable is
broken as well because of this.  this would never happen if the
package did not have external dependencies.

the maintainer does not believe this to be an issue [1] because the
firmware fetching stuff is a small part of the total package.  i
suggested that he could split out the firmware fetching stuff into a
contrib package instead, but he didn't seem to think that was a good
idea.  and even so, that still doesn't solve the second problem.  the
correct solution would be to put the firmwares into a non-free
package.

at the maintainer's discretion, the bug is currently tagged "wishlist"
and "wont-fix."  i completely disagree, but i will defer to
debian-legal's take on the matter.

mike

[1] http://bugs.debian.org/449497




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. Full text and rfc822 format available.

Acknowledgement sent to md@Linux.IT (Marco d'Itri):
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #39 received at 449497@bugs.debian.org (full text, mbox):

From: md@Linux.IT (Marco d'Itri)
To: 449497@bugs.debian.org
Cc: debian-legal@lists.debian.org
Subject: Re: Bug#449497: Policy on Binary Firmware Fetching in Main (e.g. foo2zjs)
Date: Sun, 11 Nov 2007 18:21:07 +0100
[Message part 1 (text/plain, inline)]
On Nov 10, Michael Gilbert <michael.s.gilbert@gmail.com> wrote:

> the maintainer does not believe this to be an issue [1] because the
> firmware fetching stuff is a small part of the total package.  i
The maintainer is correct.

> suggested that he could split out the firmware fetching stuff into a
> contrib package instead, but he didn't seem to think that was a good
> idea.  and even so, that still doesn't solve the second problem.  the
> correct solution would be to put the firmwares into a non-free
> package.
This may or may not be useful, but it would still not make foo2zjs
depend on that firmware as I explained in my other message.

-- 
ciao,
Marco
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. Full text and rfc822 format available.

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #44 received at 449497@bugs.debian.org (full text, mbox):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: debian-legal@lists.debian.org, 449497@bugs.debian.org
Subject: Re: Policy on Binary Firmware Fetching in Main (e.g. foo2zjs)
Date: Mon, 12 Nov 2007 00:50:31 -0500
i received the following message from the upstream author of foo2zjs.  
it is his belief that much of the package should be non-free.  see below.

Rick Richardson wrote:
> It is not the firmware only.  It is also ICC/ICM Color Correction files.
> And PATENTS.  Patents by IBM and ATT in the USA and others...

> This should be non-free!!!!!

> -Rick

> From the COPYING file:

> Copyright HP...
>   sihp1000.img (2001)
>   sihp1005.img (2002)
>   sihp1018.img (2005)
>   sihp1020.img (2005)
>   hpclj2600n-0.icm (2003) 3700

> Copyright Konica Minolta...
>    CPWL12W.icm (1998)
>    CPWL24W.icm (1998)
>    CPWL6W.icm (1998)
>    DL2200RGB.icm (1999)
>    DL2312.icm (2001)
>    DL2324.icm (2001)
>    km2430_0.icm (2003)
>    km2430_1.icm (2003)
>    km2430_2.icm (2003)
>    km2530_0.icm (2003)
>    km2530_1.icm (2003)
>    km2530_2.icm (2003)

> Copyright Rick Richardson.  All Rights Reserved.
>    hpclj2600n-1.icm (2006)
>    samclp300-0.icm (2007)
>    km2530-jconner-d50.icm (2007)

> Copyright Samsung...
>    CLP-300*cms* (2006)
>    CLP-600*cms* (2006)

> Copyright Lexmark...
>    lexRPCA200.icm (2006)

> PATENTS
>    It is possible that certain products which can be built using the jbig
>    software module might form inventions protected by patent rights in
>    some countries (e.g., by patents about arithmetic coding algorithms
>    owned by IBM and AT&T in the USA). Provision of this software by the
>    author does NOT include any licences for any patents. In those
>    countries where a patent licence is required for certain applications
>    of this software module, you will have to obtain such a licence
>    yourself.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Tue, 14 Oct 2008 15:18:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Michael Gilbert" <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Tue, 14 Oct 2008 15:18:08 GMT) Full text and rfc822 format available.

Message #49 received at 449497@bugs.debian.org (full text, mbox):

From: "Michael Gilbert" <michael.s.gilbert@gmail.com>
To: 449497@bugs.debian.org, control@bugs.debian.org
Cc: rick.richardson@comcast.net
Subject: Re: Policy on Binary Firmware Fetching in Main (e.g. foo2zjs)
Date: Tue, 14 Oct 2008 11:15:12 -0400
severity 449497 serious
tag 449497 -wontfix
thank you

i am reverting the severity of this bug to serious since the upstream
author has made his opinion clear -- that the package in its current
state is non-free.   hence, the package should either be moved to the
non-free archive, separated into free and non-free parts, or removed
from inclusion in lenny.




Severity set to `serious' from `wishlist' Request was from "Michael Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Tue, 14 Oct 2008 15:18:10 GMT) Full text and rfc822 format available.

Tags removed: wontfix Request was from "Michael Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Tue, 14 Oct 2008 15:18:10 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Sat, 25 Oct 2008 12:12:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Joost Yervante Damad <andete@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Sat, 25 Oct 2008 12:12:02 GMT) Full text and rfc822 format available.

Message #58 received at 449497@bugs.debian.org (full text, mbox):

From: Joost Yervante Damad <andete@debian.org>
To: 449497@bugs.debian.org
Cc: Michael Gilbert <michael.s.gilbert@gmail.com>, Steffen Joeris <steffen.joeris@skolelinux.de>, rick.richardson@comcast.net
Subject: foo2zjs: application depends on non-free firmware
Date: Sat, 25 Oct 2008 14:06:47 +0200
Hello,

README.Debian of "foo2zjs" provides the following text:

<cut>
foo2zjs for Debian
---------------

Please understand that I had to delete some files which the author is
still providing, because I got no source code for them.
This is necessary to get the package into Debian main.
If you really need these programs, please feel free to download
them from http://foo2zjs.rkkda.com/foo2zjs.tar.gz at your own risk.
In addition to that I also deleted all binary files (e.g. .icm).
(Type "wget http://foo2zjs.rkkda.com/foo2zjs.tar.gz").
Then run the following commands:

tar -xvvzf foo2zjs.tar.gz
cd foo2zjs
make
</cut>

Is this actually needed to make the program work? Then it clearly doesn't 
belong in the main section of Debian, as main is not supposed to depend on 
external stuff.

If the program works fine without this, in my opinion this bug should be 
downgraded again, and marked wontfix, as none of the non-free files (neither 
the firmware files, nor icm profiles, ...) are actually contained in the 
Debian package.

Greetings, Joost Damad




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Sat, 25 Oct 2008 12:21:15 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Sat, 25 Oct 2008 12:21:15 GMT) Full text and rfc822 format available.

Message #63 received at 449497@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: control@bugs.debian.org
Cc: 449497@bugs.debian.org
Subject: downgrade
Date: Sat, 25 Oct 2008 23:23:14 +1100
severity 449497 wishlist
tags 449497 wontfix
thx

I am well aware that upstream author dislikes all sorts of distribution and 
does not want them to ship foo2zjs. However, the non-free stuff was stripped 
away from the package, including a lot of the icm files. Please take the 
effort yourself to check it and point us to the exact files.

Cheers
Steffen




Severity set to `wishlist' from `serious' Request was from Steffen Joeris <steffen.joeris@skolelinux.de> to control@bugs.debian.org. (Sat, 25 Oct 2008 12:21:16 GMT) Full text and rfc822 format available.

Tags added: wontfix Request was from Steffen Joeris <steffen.joeris@skolelinux.de> to control@bugs.debian.org. (Sat, 25 Oct 2008 12:21:17 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Sat, 25 Oct 2008 20:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Michael Gilbert" <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Sat, 25 Oct 2008 20:27:03 GMT) Full text and rfc822 format available.

Message #72 received at 449497@bugs.debian.org (full text, mbox):

From: "Michael Gilbert" <michael.s.gilbert@gmail.com>
To: 449497 <449497@bugs.debian.org>, control <control@bugs.debian.org>
Cc: rick.richardson@comcast.net
Subject: Re: foo2zjs: application depends on non-free firmware
Date: Sat, 25 Oct 2008 16:25:05 -0400
severity 449497 serious
tag 449497 -wishlist
thank you

ok, my point is that dependencies on external data/files are
potentially dangerous.  if the maintainer of the upstream site makes
changes (as has been done in the past with foo2zjs), then the package
no longer works as intended.  if someone replaces the upstream files
with malicious code, then you have a security issue.  both of these
problems are normally considered grave, and for good reason -- hence
this is a grave problem as well.  why would you risk exposing users to
these problems if you can take steps now to eliminate them?

debian main should have no external dependencies (that is what contrib
is for).  and maybe the text of the debian policy doesn't make this
100% clear right now, but it is within its spirit.  if it is too easy
to misinterpret the intent, then the wording should be updated for
clarity.

it is my belief that the getweb script must be removed from the package.
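
The tampering risk raised above (an upstream file swapped for malicious content) is exactly the case a fetch script should fail closed on. The following POSIX shell functions are an added example, not foo2zjs's getweb script or any code from this thread; they assume the expected SHA-256 digest is shipped inside the package (never fetched from the same host as the blob) and accept `file://` sources so the demo runs offline.

```shell
#!/bin/sh
# Added example (not foo2zjs's getweb): fetch a firmware/ICM blob and install
# it only if its SHA-256 digest matches a digest pinned in the package.
# Failing closed turns "upstream file replaced with malicious code" from a
# silent compromise into a visible error.
# Assumptions: the expected digest ships with the package; file:// sources are
# handled locally so no network is needed; sha256sum (coreutils) or shasum
# is available.

# Print the hex SHA-256 digest of file $1.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Copy source $1 to path $2. getweb-style scripts use wget for http(s);
# file:// is copied locally so the example runs offline.
download() {
    case "$1" in
        file://*) cp "${1#file://}" "$2" ;;
        *)        wget -q -O "$2" "$1" ;;
    esac
}

# fetch_and_verify URL EXPECTED_SHA256 DEST
# Downloads into a temp file beside DEST, checks the digest, then renames
# into place atomically. On any failure the temp file is removed and DEST is
# never created or touched, so a half-written or tampered blob is never
# installed where the printer driver would pick it up.
fetch_and_verify() {
    url=$1
    expected=$2
    dest=$3
    tmpfile=$(mktemp "${dest}.XXXXXX") || return 1
    if ! download "$url" "$tmpfile"; then
        rm -f "$tmpfile"
        echo "fetch failed: $url" >&2
        return 1
    fi
    actual=$(sha256_of "$tmpfile")
    if [ "$actual" != "$expected" ]; then
        rm -f "$tmpfile"
        echo "digest mismatch for $url (expected $expected, got $actual); refusing to install" >&2
        return 1
    fi
    mv "$tmpfile" "$dest"
}

# Usage: fetch_and_verify "http://example.invalid/fw.img" "<pinned sha256>" /path/fw.img
```

A pinned digest only helps if it lives in the package (or another trusted channel); a checksum file downloaded from the same upstream directory can be replaced together with the blob.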




Severity set to `serious' from `wishlist' Request was from "Michael Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Sat, 25 Oct 2008 20:27:04 GMT) Full text and rfc822 format available.

Tags removed: Request was from "Michael Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Sat, 25 Oct 2008 20:27:04 GMT) Full text and rfc822 format available.

Tags removed: wontfix Request was from "Michael Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Sat, 25 Oct 2008 20:33:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Sun, 26 Oct 2008 06:45:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Joost Yervante Damad <andete@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Sun, 26 Oct 2008 06:45:02 GMT) Full text and rfc822 format available.

Message #83 received at 449497@bugs.debian.org (full text, mbox):

From: Joost Yervante Damad <andete@debian.org>
To: "Michael Gilbert" <michael.s.gilbert@gmail.com>, 449497@bugs.debian.org
Cc: rick.richardson@comcast.net, Steffen Joeris <steffen.joeris@skolelinux.de>
Subject: foo2zjs: application depends on non-free firmware
Date: Sun, 26 Oct 2008 07:38:51 +0100
Hello all,

>
> ok, my point is that dependencies on external data/files are
> potentially dangerous.  if the maintainer of the upstream site makes
> changes (as has been done in the past with foo2zjs), then the package
> no longer works as intended.  if someone replaces the upstream files
> with malicious code, then you have a security issue.  both of these
> problems are normally considered grave, and for good reason -- hence
> this is a grave problem as well.  why would you risk exposing users to
> these problems if you can take steps now to eliminate them?
>
> debian main should have no external dependencies (that is what contrib
> is for).  and maybe the text of the debian policy doesn't make this
> 100% clear right now, but it is within its spirit.  if it is too easy
> to misinterpret the intent, then the wording should be updated for
> clarity.
>
> it is my belief that the getweb script must be removed from the package.

I understand your sentiment, and it is indeed a "grey" area situation. If I 
take policy literally, I think this package is fine in main, but it is not as 
simple...

In order to get this bug rolling (and lenny released ;-) ), can you all live 
with me splitting up the package in two packages:

1) foo2zjs: this contains everything, and lives in main, which Suggests:
2) foo2zjs-contrib: this contains getweb

I know a package with just a script is not nice, but it is more in the spirit 
of the debian policy indeed.

thanks, Joost




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Sun, 26 Oct 2008 07:03:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Sun, 26 Oct 2008 07:03:02 GMT) Full text and rfc822 format available.

Message #88 received at 449497@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Joost Yervante Damad <andete@debian.org>
Cc: "Michael Gilbert" <michael.s.gilbert@gmail.com>, 449497@bugs.debian.org, mkoch@debian.org
Subject: Re: foo2zjs: application depends on non-free firmware
Date: Sun, 26 Oct 2008 18:03:46 +1100
[Message part 1 (text/plain, inline)]
Hi
> I understand your sentiment, and it is indeed a "grey" area situation. If I
> take policy literally, I think this package is fine in main, but it is not
> as simple...
>
> In order to get this bug rolling (and lenny released ;-) ), can you all
> live with me splitting up the package in two packages:
>
> 1) foo2zjs: this contains everything, and lives in main, which Suggests:
> 2) foo2zjs-contrib: this contains getweb
>
> I know a package with just a script is not nice, but it is more in the
> spirit of the debian policy indeed.
I would like to hear Michael's word on it, since he was the more active one 
during the last uploads. In fact, I am happy to give up maintainership, as 
this package (and the tiresome discussion around it) is really no fun.

Maybe Michael would like to step in and help out maintaining the package?

Cheers
Steffen
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Sun, 26 Oct 2008 07:39:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Joost Yervante Damad <andete@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Sun, 26 Oct 2008 07:39:02 GMT) Full text and rfc822 format available.

Message #93 received at 449497@bugs.debian.org (full text, mbox):

From: Joost Yervante Damad <andete@debian.org>
To: "Michael Gilbert" <michael.s.gilbert@gmail.com>
Cc: Steffen Joeris <steffen.joeris@skolelinux.de>, 449497@bugs.debian.org, mkoch@debian.org
Subject: Re: foo2zjs: application depends on non-free firmware
Date: Sun, 26 Oct 2008 08:20:08 +0100
On Sunday 26 October 2008 08:03:46 Steffen Joeris wrote:
> Hi
>
> > I understand your sentiment, and it is indeed a "grey" area situation. If
> > I take policy literally, I think this package is fine in main, but it is
> > not as simple...
> >
> > In order to get this bug rolling (and lenny released ;-) ), can you all
> > live with me splitting up the package in two packages:
> >
> > 1) foo2zjs: this contains everything, and lives in main, which Suggests:
> > 2) foo2zjs-contrib: this contains getweb
> >
> > I know a package with just a script is not nice, but it is more in the
> > spirit of the debian policy indeed.
>
> I would like to hear Michael's word on it, since he was the more active one
> during the last uploads. In fact, I am happy to give up maintainership, as
> this package (and the tiresome discussion around it) is really no fun.
>
> Maybe Michael would like to step in and help out maintaining the package?

That would be great. It is indeed not my intention at all to step on your 
toes, I'm just your friendly lenny pusher ;)

Michael, your thoughts?

Joost




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Sun, 26 Oct 2008 07:39:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Sun, 26 Oct 2008 07:39:04 GMT) Full text and rfc822 format available.

Message #98 received at 449497@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Joost Yervante Damad <andete@debian.org>
Cc: "Michael Gilbert" <michael.s.gilbert@gmail.com>, 449497@bugs.debian.org, mkoch@debian.org
Subject: Re: foo2zjs: application depends on non-free firmware
Date: Sun, 26 Oct 2008 18:33:20 +1100
[Message part 1 (text/plain, inline)]
Hi

Sorry for the confusing statement here.
> > > I understand your sentiment, and it is indeed a "grey" area situation.
> > > If I take policy literally, I think this package is fine in main, but it
> > > is not as simple...
> > >
> > > In order to get this bug rolling (and lenny released ;-) ), can you all
> > > live with me splitting up the package in two packages:
> > >
> > > 1) foo2zjs: this contains everything, and lives in main, which
> > > Suggests: 2) foo2zjs-contrib: this contains getweb
> > >
> > > I know a package with just a script is not nice, but it is more in the
> > > spirit of the debian policy indeed.
> >
> > I would like to hear Michael's word on it, since he was the more active
> > one during the last uploads. In fact, I am happy to give up
> > maintainership, as this package (and the tiresome discussion around it)
> > is really no fun.
This refers to Michael Koch (also maintainer of the package).

> > Maybe Michael would like to step in and help out maintaining the package?
Here I mean the submitter :)

> That would be great. It is indeed not my intention at all to step on your
> toes, I'm just your friendly lenny pusher ;)
I know, it's just a big frustration to deal with this package :/

Thanks for your work on the release and caring about RC bugs.

Cheers
Steffen

[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Sun, 26 Oct 2008 11:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Luca Capello <luca@pca.it>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Sun, 26 Oct 2008 11:15:03 GMT) Full text and rfc822 format available.

Message #103 received at 449497@bugs.debian.org (full text, mbox):

From: Luca Capello <luca@pca.it>
To: Steffen Joeris <steffen.joeris@skolelinux.de>
Cc: Joost Yervante Damad <andete@debian.org>, Michael Gilbert <michael.s.gilbert@gmail.com>, 449497@bugs.debian.org, mkoch@debian.org
Subject: Re: foo2zjs: application depends on non-free firmware
Date: Sun, 26 Oct 2008 12:12:49 +0100
[Message part 1 (text/plain, inline)]
Hi there!

On Sun, 26 Oct 2008 08:03:46 +0100, Steffen Joeris wrote:
> On Sun, 26 Oct 2008 07:38:51 +0100. Joost Yervante Damad wrote:
>> I understand your sentiment, and it is indeed a "grey" area situation. If I
>> take policy literally, I think this package is fine in main, but it is not
>> as simple...
>>
>> In order to get this bug rolling (and lenny released ;-) ), can you all
>> live with me splitting up the package in two packages:
>>
>> 1) foo2zjs: this contains everything, and lives in main, which Suggests:
>> 2) foo2zjs-contrib: this contains getweb

I strongly object to a single-script package.

Quickly speaking, I think the situation is similar to the kernel
firmware issue ATM discussed on d-d (started at [1]): foo2zjs, the
software, seems to be perfectly fine for main, not only because as
Steffen already pointed out some printers can work without the non-free
firmware [2][3].  And despite upstream opinion [4], all the non-free
files have already been stripped out from the package [5].

The only problem remaining for foo2zjs in main is then the getweb
script: this can be broken because upstream changes his website layout,
but this is nothing different than any other simple bug.  If this
happened, then we'll fix it, full stop.

>> I know a package with just a script is not nice, but it is more in the
>> spirit of the debian policy indeed.
>
> I would like to hear Michael's word on it, since he was the more
> active one during the last uploads. In fact, I am happy to give up
> maintainership, as this package (and the tiresome discussion around
> it) is really no fun.
>
> Maybe Michael would like to step in and help out maintaining the
> package?

Since I needed this package and it was broken/not-updated in lenny, I
spent some time on it and already offered to take over maintenance [6],
but no one replied yet.  Again, I volunteer to become part of the Debian
maintainer team.

Thx, bye,
Gismo / Luca

Footnotes: 
[1] http://lists.debian.org/debian-devel/2008/10/msg00368.html
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=449497#10
[3] not that I checked with such printers, I'm only in touch with one
    that needs a non-free firmware
      http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=466758#15
[4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=449497#44
[5] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=449497#63
[6] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=466758#27

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Sun, 26 Oct 2008 11:24:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Sun, 26 Oct 2008 11:24:04 GMT) Full text and rfc822 format available.

Message #108 received at 449497@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Luca Capello <luca@pca.it>
Cc: Joost Yervante Damad <andete@debian.org>, Michael Gilbert <michael.s.gilbert@gmail.com>, 449497@bugs.debian.org, mkoch@debian.org
Subject: Re: foo2zjs: application depends on non-free firmware
Date: Sun, 26 Oct 2008 22:25:42 +1100
On Sun, 26 Oct 2008 10:12:49 pm Luca Capello wrote:
> Hi there!
>
> On Sun, 26 Oct 2008 08:03:46 +0100, Steffen Joeris wrote:
> > On Sun, 26 Oct 2008 07:38:51 +0100, Joost Yervante Damad wrote:
> >> I understand your sentiment, and it is indeed a "grey" area situation.
> >> If I take policy literally, I think this package is fine in main, but it
> >> is not as simple...
> >>
> >> In order to get this bug rolling (and lenny released ;-) ), can you all
> >> live with me splitting up the package in two packages:
> >>
> >> 1) foo2zjs: this contains everything, and lives in main, which
> >> Suggests: 2) foo2zjs-contrib: this contains getweb
>
> I strongly object to a single-script package.
>
> Quickly speaking, I think the situation is similar to the kernel
> firmware issue ATM discussed on d-d (started at [1]): foo2zjs, the
> software, seems to be perfectly fine for main, not only because as
> Steffen already pointed out some printers can work without the non-free
> firmware [2][3].  And despite upstream opinion [4], all the non-free
> files have already been stripped out from the package [5].
>
> The only problem remaining for foo2zjs in main is then the getweb
> script: this can be broken because upstream changes his website layout,
> but this is nothing different than any other simple bug.  If this
> happened, then we'll fix it, full stop.
>
> >> I know a package with just a script is not nice, but it is more in the
> >> spirit of the debian policy indeed.
> >
> > I would like to hear Michael's word on it, since he was the more
> > active one during the last uploads. In fact, I am happy to give up
> > maintainership, as this package (and the tiresome discussion around
> > it) is really no fun.
> >
> > Maybe Michael would like to step in and help out maintaining the
> > package?
>
> Since I needed this package and it was broken/not-updated in lenny, I
> spent some time on it and already offered to take over maintenance [6],
> but no one replied yet.  Again, I volunteer to become part of the Debian
> maintainer team.
Please send me your alioth login and I'll add you to the foo2zjs project on
alioth.
I do understand that it is problematic to just download some files from some
upstream homepage. There should be a warning added to the download GUI and it
should then list all the files that were downloaded. This way, the admin is at
least informed.
Nonetheless, the package in main at the moment is not non-free.

Cheers
Steffen

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Sun, 26 Oct 2008 12:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Joost Yervante Damad <andete@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Sun, 26 Oct 2008 12:45:03 GMT) Full text and rfc822 format available.

Message #113 received at 449497@bugs.debian.org (full text, mbox):

From: Joost Yervante Damad <andete@debian.org>
To: Luca Capello <luca@pca.it>
Cc: Steffen Joeris <steffen.joeris@skolelinux.de>, Michael Gilbert <michael.s.gilbert@gmail.com>, 449497@bugs.debian.org, mkoch@debian.org
Subject: Re: foo2zjs: application depends on non-free firmware
Date: Sun, 26 Oct 2008 13:40:34 +0100
Hi Luca,


> [3] not that I checked with such printers, I'm only in touch with one
>     that needs a non-free firmware
>       http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=466758#15

So you don't think that your usage of the package is more "contrib"
than "main"?

Personally I find it a rather "grey" unclear situation. It seems the package 
can be used without any external files, yet in practice, for a lot of people 
it is only usable with external files..

Since the package currently lives in main, I personally can live with how
it is currently... the bug submitter seems to think differently though...

Bottom line is that, dependent on the hardware, the package as it lives in
main is usable or NOT.

Yet I think that it fits within the current practice in Debian.

I don't think the purpose of this bug is to change the interpretation of 
Debian policy... as Luca pointed out, people are doing that already heavily 
enough in Debian-Devel ;-)

Maybe we should mark the bug lenny-ignore ;)

Joost

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Sun, 26 Oct 2008 13:06:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Sun, 26 Oct 2008 13:06:02 GMT) Full text and rfc822 format available.

Message #118 received at 449497@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: control@bugs.debian.org
Cc: Luca Capello <luca@pca.it>, Michael Gilbert <michael.s.gilbert@gmail.com>, 449497@bugs.debian.org, mkoch@debian.org, Joost Yervante Damad <andete@debian.org>
Subject: Re: foo2zjs: application depends on non-free firmware
Date: Mon, 27 Oct 2008 00:08:03 +1100
severity 449497 important
thanks

On Sun, 26 Oct 2008 11:40:34 pm Joost Yervante Damad wrote:
> Hi Luca,
>
> > [3] not that I checked with such printers, I'm only in touch with one
> >     that needs a non-free firmware
> >       http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=466758#15
>
> So you don't think that your usage of the package is more "contrib"
> than "main"?
>
> Personally I find it a rather "grey" unclear situation. It seems the
> package can be used without any external files, yet in practice, for a lot
> of people it is only usable with external files..
>
> Since the package currently lives in main, I personally can live with
> how it is currently... the bug submitter seems to think differently
> though...
>
> Bottom line is that, dependent on the hardware, the package as it lives in
> main is usable or NOT.
>
> Yet I think that it fits within the current practice in Debian.
>
> I don't think the purpose of this bug is to change the interpretation of
> Debian policy... as Luca pointed out, people are doing that already heavily
> enough in Debian-Devel ;-)
>
> Maybe we should mark the bug lenny-ignore ;)
I guess it would be up to the release team to set this tag. Anyway, I am still
not convinced that it is RC. The package works fine for certain printers
without any firmware. However, some need it, which is clearly stated in the
README.Debian file. Furthermore, we are offering a GUI program and the
upstream script to download the firmware for the user's convenience. IMHO
this does not justify the move to contrib or non-free. Now I am lowering the
severity of the bug to "important" (although I'd rather see it as wishlist).
If people still disagree, please bring it to the attention of the technical
committee, which can overrule my decision at any time.

Cheers
Steffen

Severity set to `important' from `serious' Request was from Steffen Joeris <steffen.joeris@skolelinux.de> to control@bugs.debian.org. (Sun, 26 Oct 2008 13:06:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Sun, 26 Oct 2008 13:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Luca Capello <luca@pca.it>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Sun, 26 Oct 2008 13:27:03 GMT) Full text and rfc822 format available.

Message #125 received at 449497@bugs.debian.org (full text, mbox):

From: Luca Capello <luca@pca.it>
To: Steffen Joeris <steffen.joeris@skolelinux.de>
Cc: Michael Gilbert <michael.s.gilbert@gmail.com>, 449497@bugs.debian.org, mkoch@debian.org, Joost Yervante Damad <andete@debian.org>, debian-release@lists.debian.org
Subject: Re: foo2zjs: application depends on non-free firmware
Date: Sun, 26 Oct 2008 14:25:53 +0100
Hi there!

BTW, Joost, it seems that for the BugSprint [1] you got quite a nasty
     bug, sorry :-D

On Sun, 26 Oct 2008 14:08:03 +0100, Steffen Joeris wrote:
> severity 449497 important

Thanks to Steffen for the downgrade.  To everyone else: please don't
change the severity anymore: while it can be less than important [2],
it's *anyway* not more than that.

> On Sun, 26 Oct 2008 11:40:34 pm Joost Yervante Damad wrote:
>> Hi Luca,
>>
>> > [3] not that I checked with such printers, I'm only in touch with one
>> >     that needs a non-free firmware
>> >       http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=466758#15
>>
>> So you don't think that your usage of the package is more "contrib"
>> than "main"?

No, foo2zjs as it's *in* Debian [3] is OK for main.

>> Personally I find it a rather "grey" unclear situation. It seems the
>> package can be used without any external files, yet in practice, for a lot
>> of people it is only usable with external files..

It doesn't matter how many people need external files to fully use
foo2zjs: if only one person can use it without, then everything which is
completely DFSG-free *must* be in main.

>> Since the package currently lives in main, I personally can live with
>> how it is currently... the bug submitter seems to think differently
>> though...
>>
>> Bottom line is that, dependent on the hardware, the package as it lives in
>> main is usable or NOT.

This is another point, exactly like the firmware issues in the kernel:
the Intel iwl3945 driver is not usable on my ThinkPad X60 [4] without
the non-free firmware, yet the correct place for the driver is main.

>> Maybe we should mark the bug lenny-ignore ;)
>
> I guess it would be up to the release team to set this tag.

I added the d-release mailing list to the cc:.

> Anyway, I am still not convinced that it is RC. The package works fine
> for certain printers without any firmware. However, some need it,
> which is clearly stated in the README.Debian file. Furthermore, we are
> offering a GUI program and the upstream script to download the
> firmware for the user's convenience. IMHO this does not justify the
> move to contrib or non-free.

Fully ACK.

> Now I am lowering the severity of the bug to "important" (althought
> I'd rather see it as wishlist).

Fully ACK also for the latter.

> If people still disagree, please bring it to the attention of the
> technical committee, which can overrule my decision at any time.

With my just-got foo2zjs maintainer hat on, in that case the technical
committee should overrule the decision of two maintainers.  Let's see
what the Release Managers say.

Thx, bye,
Gismo / Luca

Footnotes: 
[1] http://wiki.debian.org/BugSprint
[2] "important: a bug which has a major effect on the usability of a
    package, without rendering it completely unusable to everyone"; this
    is exactly the current situation for foo2zjs
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?archive=yes&bug=449497#63
[4] http://luca.pca.it/projects/ibm/x60_1706-gmg/

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Sun, 26 Oct 2008 22:03:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Michael Gilbert" <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Sun, 26 Oct 2008 22:03:05 GMT) Full text and rfc822 format available.

Message #130 received at 449497@bugs.debian.org (full text, mbox):

From: "Michael Gilbert" <michael.s.gilbert@gmail.com>
To: 449497@bugs.debian.org, control@bugs.debian.org
Cc: debian-release@lists.debian.org
Subject: Re: foo2zjs: application depends on non-free firmware
Date: Sun, 26 Oct 2008 17:57:41 -0400
severity 449497 serious
thank you

i don't see how this bug can be considered anything less than serious.
as i explained in my last message, there are two potential grave
problems: security and breakage.  and even if neither of these
problems exist now, they certainly could arise during lenny's
lifetime.  in fact, we don't even know if the upstream files are fully
trustworthy right now.  also, someone could spoof the upstream site.
there are a lot of potential problems, which is why software in main
should not have external dependencies.  again, if these issues can be
resolved before the release, then they should -- they should not be
ignored.

also, i believe that by reducing the severity, you are covering up the
importance of this problem -- and those like it.  people in debian
really need to put some thought and consideration into the clarity of
the current policy on issues like this.  you are putting your users at
risk and reducing the reliability of the system.

some have argued that this issue shouldn't be considered a problem
since the majority of the package is dfsg-free.  this is an incorrect
interpretation.  if any part of a package is non-free, then the whole
package should be considered non-free until the offending component is
fully removed.

i am increasing the severity one more time to make sure that this bug
is given appropriate consideration by the release team.  it should be
up to them to mark it lenny-ignore, and if that is their decision, i
will not object.

otherwise, i believe that the only reasonable solution (that can be
completed in time for the release) is to remove getweb and add some
documentation on getting getweb upstream if the user needs it.
Severity set to `serious' from `important' Request was from "Michael Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Sun, 26 Oct 2008 22:03:16 GMT) Full text and rfc822 format available.

Changed Bug title to `foo2zjs: getweb script depends on non-free firmware' from `foo2zjs: application depends on non-free firmware'. Request was from "Michael Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Sun, 26 Oct 2008 22:12:02 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Mon, 27 Oct 2008 10:00:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Mon, 27 Oct 2008 10:00:02 GMT) Full text and rfc822 format available.

Message #139 received at 449497@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: 449497@bugs.debian.org
Cc: Michael Gilbert <michael.s.gilbert@gmail.com>
Subject: TC proposal for dispute (was: Re: foo2zjs: application depends on non-free firmware)
Date: Mon, 27 Oct 2008 21:01:31 +1100
Hi

I am upset that you again raised the severity without consulting anyone. The 
package as it stands is DFSG free and the getweb script is there for the 
convenience of the users as well as the documentation. Your arguments haven't 
changed my opinion. However, it doesn't look like we are finding an agreement 
on this issue. I have pinged the release team on IRC for a statement, but 
maybe this issue deserves some attention from another body of debian.
Therefore, I suggest we write up a paragraph for the TC following their 
guidelines[0].

My proposal would be:

Dear TC members

Bug #449497 has been reported against foo2zjs. The maintainers and the submitter do
not seem to reach an agreement. The problem is as follows. The submitter sees
the inclusion of the getweb script as a violation of the DFSG. The script is 
provided by upstream to download non-free firmware from his upstream webpage. 
The package includes documentation in README.Debian and a GUI interface 
(hannah-foo2zjs) around the getweb script for the user's convenience. Some 
printers need this non-free firmware to run, others don't.
More information can be found in the bugreport. Could we please ask you to 
settle this dispute?


Do you concur with this paragraph or would you like to add any adjustments? 
Please keep them as technical as possible. Once we can agree on such a 
paragraph, I am happy to send it to the committee, CC you and keep a copy in 
the BTS.

Cheers
Steffen

[0]: http://www.debian.org/devel/tech-ctte

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Mon, 27 Oct 2008 11:06:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Luca Capello <luca@pca.it>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Mon, 27 Oct 2008 11:06:05 GMT) Full text and rfc822 format available.

Message #144 received at 449497@bugs.debian.org (full text, mbox):

From: Luca Capello <luca@pca.it>
To: Steffen Joeris <steffen.joeris@skolelinux.de>
Cc: 449497@bugs.debian.org, Michael Gilbert <michael.s.gilbert@gmail.com>, debian-release@lists.debian.org
Subject: Re: [Foo2zjs-maintainer] Bug#449497: TC proposal for dispute
Date: Mon, 27 Oct 2008 12:03:50 +0100
Hi there!

I put back d-release to the cc: list, since we previously asked for
their help on this matter.

On Mon, 27 Oct 2008 11:01:31 +0100, Steffen Joeris wrote:
> I am upset that you again raised the severity without consulting
> anyone.

Which, sadly, went against my specific request to not play the
severity-change game anymore [1].

> The package as it stands is DFSG free and the getweb script is there
> for the convenience of the users as well as the documentation.  Your
> arguments haven't changed my opinion.

FWIW, I completely agree with Steffen here.

> However, it doesn't look like we are finding an agreement on this
> issue. I have pinged the release team on IRC for a statement, but
> maybe this issue deserves some attention from another body of debian.
> Therefore, I suggest we write up a paragraph for the TC following
> their guidelines[0].

Since the TC seems to be the only possible solution, let's go with it.
If it's needed, I can go *again* through the sources, spotting the
copyright owners and licenses for each file Debian ships (I, on purpose,
considered only what Debian includes in its package, which is clearly
marked as $UPSTREAMVERSIONdfsg-$DEBIANVERSION).

> My proposal would be:
>
> Dear TC members
>
> Bug #449497 has reported against foo2zjs. The maintainers and the
> submitter do not seem to reach an agreement.

I would change that, underlining that not only the foo2zjs maintainers,
but also other people (including a DD) agree [2].  Moreover, you can
find other DDs opinion on the thread on d-legal [3], which I looked at
quickly since, frankly speaking, things got repeated and repeated again
with no step forward.

> The problem is as follows. The submitter sees the inclusion of the
> getweb script as a violation of the DFSG. The script is provided by
> upstream to download non-free firmware from his upstream webpage.  The
> package includes documentation in README.Debian and a GUI interface
> (hannah-foo2zjs) around the getweb script for the user's
> convenience. Some printers need this non-free firmware to run, others
> don't.  More information can be found in the bugreport. Could we
> please ask you to settle this dispute?

It seems OK to me.

Thx, bye,
Gismo / Luca

Footnotes: 
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=449497#125
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?archive=yes&bug=449497#39
[3] http://lists.debian.org/debian-legal/2007/11/msg00103.html

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Tue, 28 Oct 2008 04:00:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Michael Gilbert" <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Tue, 28 Oct 2008 04:00:03 GMT) Full text and rfc822 format available.

Message #149 received at 449497@bugs.debian.org (full text, mbox):

From: "Michael Gilbert" <michael.s.gilbert@gmail.com>
To: 449497 <449497@bugs.debian.org>
Cc: debian-release@lists.debian.org
Subject: Re: [Foo2zjs-maintainer] Bug#449497: TC proposal for dispute
Date: Mon, 27 Oct 2008 23:57:27 -0400
the paragraph for the technical committee seems like a very good
start.  however, i request the following rewrite of the fourth
sentence:

The submitter sees the getweb script's dependencies on external
data/files as potentially dangerous.  Once the package enters stable,
upstream changes (moving/modifying files, etc.) can break
functionality -- leading to a package that can no longer be considered
"stable."  External dependencies also potentially leave users
vulnerable to security risks (the upstream site could be spoofed or
hijacked and malicious files hosted instead of the legitimate firmware
files).  Also, the submitter views external dependencies as a possible
violation of the spirit of the debian policy, which currently is not
explicitly clear on the issue.  Section 2.2.1 says "... the packages
in main must not require a package outside of main for compilation or
execution (thus, the package must not declare a 'Depends',
'Recommends', or 'Build-Depends' relationship on a non-main package)."
This makes the policy clear about "packages," but it does not address
dependencies on other external non-packaged non-free files.  It is the
submitter's belief that Debian's policy should be reworded for clarity
on situations such as this.

thank you for your consideration.  i apologize for being difficult,
but i believe that it is better to address the issue now, since the
impending release forces action on the matter.  i am certain that
ignoring the problem will result in no action until the next release
(1.5 years from now).  i am not willing to wait.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Tue, 28 Oct 2008 08:57:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Tue, 28 Oct 2008 08:57:06 GMT) Full text and rfc822 format available.

Message #154 received at 449497@bugs.debian.org (full text, mbox):

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: control@bugs.debian.org, debian-ctte@lists.debian.org
Cc: 449497@bugs.debian.org, steffen.joeris@skolelinux.de, mkoch@debian.org, Luca Capello <luca@pca.it>, Michael Gilbert <michael.s.gilbert@gmail.com>
Subject: foo2zjs dispute
Date: Tue, 28 Oct 2008 19:56:08 +1100
reassgin 449497 tech-ctte,foo2zjs
thanks

Dear Technical Committee Members

Currently, there is a dispute about a certain part of the foo2zjs package. 
Unfortunately, we do not seem to be able to solve it and thus require your 
assistance. We have tried to get a paragraph together to state the problem, 
but it seems we ended up with two different paragraphs. The first one is from 
the maintainer (myself) and the second one belongs to the bug submitter 
(Michael Gilbert). Could you please pass your judgement on this case?
You will find further information in the bugreport and I am sure that the 
submitter as well as the maintainers are happy to answer any follow-up 
questions. At the moment, the bug is marked as RC, which might have an impact
on the lenny release.
Thanks in advance for your time and judgement.

Cheers
Steffen


Maintainer:
--------------

The problem is as follows. The submitter sees the inclusion of the
getweb script as a violation of the DFSG. The script is provided by
upstream to download non-free firmware from his upstream webpage.  The
package includes documentation in README.Debian and a GUI interface
(hannah-foo2zjs) around the getweb script for the user's
convenience. Some printers need this non-free firmware to run, others
don't.  More information can be found in the bugreport. Could we
please ask you to settle this dispute?


Submitter:
--------------

The submitter sees the getweb script's dependencies on external
data/files as potentially dangerous.  Once the package enters stable,
upstream changes (moving/modifying files, etc.) can break
functionality -- leading to a package that can no longer be considered
"stable."  External dependencies also potentially leave users
vulnerable to security risks (the upstream site could be spoofed or
hijacked and malicious files hosted instead of the legitimate firmware
files).  Also, the submitter views external dependencies as a possible
violation of the spirit of the debian policy, which currently is not
explicitly clear on the issue.  Section 2.2.1 says "... the packages
in main must not require a package outside of main for compilation or
execution (thus, the package must not declare a 'Depends',
'Recommends', or 'Build-Depends' relationship on a non-main package)."
This makes the policy clear about "packages," but it does not address
dependencies on other external non-packaged non-free files.  It is the
submitter's belief that Debian's policy should be reworded for clarity
on situations such as this.

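Added example, not part of foo2zjs, its getweb script, or any message in this report: both summaries submitted to the TC above name the risk that a spoofed or hijacked upstream site hands getweb malicious files in place of the firmware. The standard mitigation for an out-of-band download like this is to pin, inside the package itself, a SHA-256 digest for every file the script is allowed to fetch and to refuse anything that does not match or is not listed, which also produces the per-file report Steffen asked for earlier in the thread so the admin sees exactly what was installed. The manifest format (sha256sum(1) style), the file names model-a.img and model-b.img, the byte contents and all function names below are constructed for this illustration and do not describe how getweb actually behaves.

```python
"""Pinned-digest verification for out-of-band firmware downloads.

Added example, not code from foo2zjs/getweb. Every file a fetcher would
pull from upstream is checked against a digest pinned in the package
before it is installed, so a substituted file fails closed. All names
and contents here are constructed for illustration.
"""
import hashlib
import hmac
import os
import tempfile

# Constructed sample data standing in for firmware blobs (invented bytes).
GOOD_IMAGE = b"constructed firmware image for printer model A\n"
TAMPERED_IMAGE = GOOD_IMAGE + b"\x90" * 16  # same name, altered content


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hypothetical pinned manifest, one "<hex digest>  <file name>" per line,
# as it could ship inside the .deb and be updated with the package.
PINNED_MANIFEST = (
    f"{sha256_hex(GOOD_IMAGE)}  model-a.img\n"
    f"{'0' * 64}  model-b.img\n"
)


def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines into {file name: lowercase hex digest}."""
    pinned = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno}: malformed entry")
        digest, name = parts
        pinned[name] = digest.lower()
    return pinned


def verify_download(name: str, data: bytes, pinned: dict) -> str:
    """Return 'verified' or a 'rejected: ...' reason for one fetched file."""
    # The name comes from upstream too: refuse anything that is not a
    # plain file name, so a hostile listing cannot escape the firmware dir.
    if name in ("", ".", "..") or name != os.path.basename(name):
        return "rejected: unsafe file name"
    expected = pinned.get(name)
    if expected is None:
        return "rejected: not in pinned manifest"
    if not hmac.compare_digest(sha256_hex(data), expected):
        return "rejected: SHA-256 mismatch"
    return "verified"


def install_verified(downloads: dict, manifest_text: str, dest_dir: str) -> dict:
    """Verify each download; write only verified files into dest_dir.

    Returns {file name: status}, the list the admin should be shown.
    """
    pinned = parse_manifest(manifest_text)
    report = {}
    for name, data in downloads.items():
        status = verify_download(name, data, pinned)
        report[name] = status
        if status != "verified":
            continue
        # Write to a temp file in dest_dir, then rename, so a half-written
        # image is never visible under its final name.
        fd, tmp = tempfile.mkstemp(dir=dest_dir, prefix=".fw-")
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.replace(tmp, os.path.join(dest_dir, name))
    return report


def run_demo() -> tuple:
    """Run the constructed scenario in a scratch dir; returns (report, installed)."""
    downloads = {
        "model-a.img": GOOD_IMAGE,          # matches pinned digest
        "model-b.img": TAMPERED_IMAGE,      # pinned, but content differs
        "model-c.img": GOOD_IMAGE,          # upstream added a file we never pinned
        "../etc/cron.d/x": GOOD_IMAGE,      # hostile name from a hijacked listing
    }
    with tempfile.TemporaryDirectory() as dest:
        report = install_verified(downloads, PINNED_MANIFEST, dest)
        installed = sorted(os.listdir(dest))
    return report, installed


if __name__ == "__main__":
    report, installed = run_demo()
    for name, status in report.items():
        print(f"{name}: {status}")
    print("installed:", installed)
```

Only model-a.img reaches the destination directory; the other three are reported and dropped. The point of pinning the digests in the package rather than fetching them from the same site is that a compromise of upstream then cannot change both the file and its expected hash in one move; the cost is that a legitimate upstream firmware update requires a package update, which is exactly the trade-off the thread is arguing about.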
Bug 449497 cloned as bugs 503813, 503814. Request was from Steffen Joeris <steffen.joeris@skolelinux.de> to control@bugs.debian.org. (Tue, 28 Oct 2008 09:12:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Tue, 28 Oct 2008 13:45:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Giacomo A. Catenazzi" <cate@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Tue, 28 Oct 2008 13:45:02 GMT) Full text and rfc822 format available.

Message #161 received at 449497@bugs.debian.org (full text, mbox):

From: "Giacomo A. Catenazzi" <cate@debian.org>
To: debian-ctte@lists.debian.org, steffen.joeris@skolelinux.de, mkoch@debian.org, Luca Capello <luca@pca.it>, michael.s.gilbert@gmail.com, 449497@bugs.debian.org
Subject: Re: foo2zjs dispute
Date: Tue, 28 Oct 2008 14:41:41 +0100
Note: I'm not a CTTE member.

Steffen Joeris wrote:
> Maintainer:
> --------------
> 
> The problem is as follows. The submitter sees the inclusion of the
> getweb script as a violation of the DFSG. The script is provided by
> upstream to download non-free firmware from his upstream webpage.  The
> package includes documentation in README.Debian and a GUI interface
> (hannah-foo2zjs) around the getweb script for the user's
> convenience. Some printers need this non-free firmware to run, others
> don't.  More information can be found in the bugreport. Could we
> please ask you to settle this dispute?
> 
> 
> Submitter:
> --------------
> 
> The submitter sees the getweb script's dependencies on external
> data/files as potentially dangerous.  Once the package enters stable,
> upstream changes (moving/modifying files, etc.) can break
> functionality -- leading to a package that can no longer be considered
> "stable."  External dependencies also potentially leave users
> vulnerable to security risks (the upstream site could be spoofed or
> hijacked and malicious files hosted instead of the legitimate firmware
> files).  Also, the submitter views external dependencies as a possible
> violation of the spirit of the debian policy, which currently is not
> explicitly clear on the issue.  Section 2.2.1 says "... the packages
> in main must not require a package outside of main for compilation or
> execution (thus, the package must not declare a 'Depends',
> 'Recommends', or 'Build-Depends' relationship on a non-main package)."
> This makes the policy clear about "packages," but it does not address
> dependencies on other external non-packaged non-free files.  It is the
> submitter's belief that Debian's policy should be reworded for clarity
> on situations such as this.

It is not a DFSG violation, because the files are not distributed
by Debian, but I think it violates the policy.

I think Debian should not assume a machine on the net, so I
would interpret "main" in the stricter way.

I don't find it overkill to make a separate package for the
download script. As you will see, maintaining such a script
will be more complex, and in case of a layout change, it won't
require updates from most of the package's users.

A change in the remote layout is an important problem: the package
could become unusable, thus potentially an RC bug, which should not
happen for other bugs in main.
The "contrib" section (historically) also includes reduced-quality
packages, so the instability of a contrib package could be
temporarily accepted.

ciao
	cate




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Fri, 31 Oct 2008 12:48:02 GMT)

Acknowledgement sent to "Michael Gilbert" <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Fri, 31 Oct 2008 12:48:02 GMT)

Message #166 received at 449497@bugs.debian.org:

From: "Michael Gilbert" <michael.s.gilbert@gmail.com>
To: 449497@bugs.debian.org, 503813@bugs.debian.org, 503814@bugs.debian.org
Subject: re: foo2zjs: getweb script depends on non-free firmware
Date: Fri, 31 Oct 2008 08:41:25 -0400
i'll go ahead and start the discussion since no one else is running
with it.  this matter is rather urgent since the problem is now being
considered release-critical for lenny.  i see three possible courses
of action:

1.  ignore the problem:  mark the bug wontfix
rationale:  the firmware fetching stuff is a small component of the
package and the debian policy is not explicitly clear on the matter
cons: leaves vector for possible security attacks and script can
become non-functional (e.g. getweb has been non-functional for over a
year in etch)

2.  fix the problem now:  either remove getweb completely or make a
separate foo2zjs-contrib package with just getweb, and have this ready
for the lenny release
rationale: since getweb is a security risk and could break, it should
be eliminated
cons: less functionality for user.  some work for the maintainer.

3.  fix the problem later: same as above, but tag lenny-ignore
rationale:  same as above, but with limited time, this is the path
of least resistance
cons: same as above, but leaves users vulnerable during the lenny time frame.

there is also the matter of whether the policy should be clarified for
this type of situation -- and whether all other cases of fetching
scripts should be tagged release-critical.  i will leave this for
further discussion since it isn't so urgent.

let me again stress that action is URGENT since this is
release-critical for lenny.

regards,
mike




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Fri, 31 Oct 2008 14:12:02 GMT)

Acknowledgement sent to Luca Capello <luca@pca.it>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Fri, 31 Oct 2008 14:12:02 GMT)

Message #171 received at 449497@bugs.debian.org:

From: Luca Capello <luca@pca.it>
To: Michael Gilbert <michael.s.gilbert@gmail.com>
Cc: 449497@bugs.debian.org, 503813@bugs.debian.org, 503814@bugs.debian.org, debian-release@lists.debian.org
Subject: Re: [Foo2zjs-maintainer] Bug#449497: foo2zjs: getweb script depends on non-free firmware
Date: Fri, 31 Oct 2008 15:09:03 +0100
Hi Michael!

Adding the d-release mailing list to cc:.

On Fri, 31 Oct 2008 13:41:25 +0100, Michael Gilbert wrote:
> i'll go ahead and start the discussion since no one else is running
> with it.  this matter is rather urgent since the problem is now being
> considered release-critical for lenny.
[...]
> let me again stress that action is URGENT since this is
> release-critical for lenny.

Can you please stop dealing with this bug and let the tech-ctte [1] do
their work?

About the urgency and lenny: the bug is marked as serious, which means
that if the tech-ctte does not fix it before lenny (something which I do
not think is going to happen), the Release Team must deal with it.

FYI, other people have already started to work on it, check the thread
on the d-ctte mailing list [2].

Thx, bye,
Gismo / Luca

Footnotes: 
[1] http://www.debian.org/devel/tech-ctte
[2] http://lists.debian.org/debian-ctte/2008/10/msg00000.html

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Fri, 31 Oct 2008 14:48:02 GMT)

Acknowledgement sent to Andreas Barth <aba@not.so.argh.org>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Fri, 31 Oct 2008 14:48:02 GMT)

Message #176 received at 449497@bugs.debian.org:

From: Andreas Barth <aba@not.so.argh.org>
To: Steffen Joeris <steffen.joeris@skolelinux.de>, 449497@bugs.debian.org
Cc: debian-ctte@lists.debian.org, mkoch@debian.org, Luca Capello <luca@pca.it>, Michael Gilbert <michael.s.gilbert@gmail.com>
Subject: Re: Bug#449497: foo2zjs dispute
Date: Fri, 31 Oct 2008 15:38:14 +0100
# please read it till the end before flame!
# speaking with my TC hat on
severity 449497 important
thanks

* Steffen Joeris (steffen.joeris@skolelinux.de) [081031 14:31]:
> Dear Technical Committee Members
> 
> Currently, there is a dispute about a certain part of the foo2zjs package. 
> Unfortunately, we do not seem to be able to solve it and thus require your 
> assistance. We have tried to get a paragraph together to state the problem, 
> but it seems we ended up with two different paragraphs. The first one is from 
> the maintainer (myself) and the second one belongs to the bug submitter 
> (Michael Gilbert). Could you please pass your judgement on this case?
> You will find further information in the bugreport and I am sure that the 
> submitter as well as the maintainers are happy to answer any follow-up 
> questions. At the moment, the bug is marked as RC, which might have an impact 
> for the lenny release.
> Thanks in advance for your time and judgement.

I think that the proper way to determine the severity of a bug report
is:

1. The submitter sets an initial severity (done)
2. The maintainer(s) decide on the severity (they seem to have decided
that this isn't release critical, lowering the severity to important as
per decision of the maintainers)
3. The release team can review the decision as above and change the
severity if necessary (not done)
4. As last instances, both the tech ctte and the developers together by
an GR could make a decision that changes the severity again and overrule
the appropriate delegates decisions.

(Just to note: Normally anybody can adjust the severity, and that's a
feature. However, if things get more heated, it's vital that we don't
play bts ping-pong, but relax and let the appropriate people make their
decision.)


As the release team who regularly reviews the bug severities didn't do
any decision yet, I think they should decide first before calling up to
the tech ctte. (Also, please note that due to a spelling mistake this
bug didn't get reassigned yet.)


So, how to continue: If someone continues to disagree with the decision
of the maintainers on the bugs severity (as stated above), feel free to
call in the release team to get their (perhaps different from the
maintainers) decision. If someone isn't satisfied with the release teams
decision, the tech ctte can be asked later on. If still not satisfied,
the rules of GRs are written down in the constitution.

However, please DO NOT change the bug severity (except of course by
the maintainers of the package, or the release team, or the tech ctte or
the secretary after an GR, or the owners@bugs).



Cheers,
Andi




Severity set to `important' from `serious' Request was from Andreas Barth <aba@not.so.argh.org> to control@bugs.debian.org. (Fri, 31 Oct 2008 14:48:05 GMT)

Merged 449497 503813. Request was from Steffen Joeris <steffen.joeris@skolelinux.de> to control@bugs.debian.org. (Sat, 01 Nov 2008 03:03:03 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Tue, 04 Nov 2008 04:27:02 GMT)

Acknowledgement sent to "Michael Gilbert" <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Tue, 04 Nov 2008 04:27:03 GMT)

Message #185 received at 449497@bugs.debian.org:

From: "Michael Gilbert" <michael.s.gilbert@gmail.com>
To: debian-release <debian-release@lists.debian.org>, 449497 <449497@bugs.debian.org>, 503814 <503814@bugs.debian.org>, 503813 <503813@bugs.debian.org>, debian-devel@lists.debian.org
Subject: Direction on foo2zjs and web fetching scripts
Date: Mon, 3 Nov 2008 23:25:54 -0500
Dear release team,

Thank you for making a decision on the direction for bug #449497 in
foo2zjs [1].  I believe that this is a reasonable choice for now due
to the impending release.  However, I would really like to see an
honest and constructive conversation on the issue.  I believe that
there are some major security and functionality problems with fetching
scripts, and there should be clear direction from the members of the
debian project on the matter.  I would like to be able to completely
trust main, so it is my hope that developers would do everything in
their power to keep main as clean and safe as possible.  I am just a
user, so I feel powerless to do anything, and my experience dealing
with the foo2zjs maintainers was not exactly constructive [2],[3],[4]
(primarily because of apathy, over-reactiveness, and hyper sensitivity
on their part and perhaps a lack of appreciation for the bug severity
command and control authority [5] on my part).  Where do we go from
here to make sure the issue gets the appropriate level of thought and
consideration that it deserves (after lenny gets released of course)?

Best wishes,
Michael Gilbert

[1] http://lists.debian.org/debian-release/2008/11/msg00106.html
[2] http://bugs.debian.org/449497
[3] http://bugs.debian.org/503813
[4] http://bugs.debian.org/503814
[5]




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Tue, 04 Nov 2008 04:42:02 GMT)

Acknowledgement sent to "Michael Gilbert" <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Tue, 04 Nov 2008 04:42:02 GMT)

Message #190 received at 449497@bugs.debian.org:

From: "Michael Gilbert" <michael.s.gilbert@gmail.com>
To: debian-release <debian-release@lists.debian.org>, 449497 <449497@bugs.debian.org>, 503814 <503814@bugs.debian.org>, 503813 <503813@bugs.debian.org>, debian-devel@lists.debian.org
Subject: Direction on foo2zjs and web fetching scripts
Date: Mon, 3 Nov 2008 23:40:22 -0500
Dear release team,

Thank you for making a decision on the direction for bug #449497 in
foo2zjs [1].  I believe that this is a reasonable choice for now due
to the impending release.  However, I would really like to see an
honest and constructive conversation on the issue.  I believe that
there are some major security and functionality problems with fetching
scripts, and there should be clear direction from the members of the
debian project on the matter.  I would like to be able to completely
trust main, so it is my hope that developers would do everything in
their power to keep main as clean and safe as possible.  I am just a
user, so I feel powerless to do anything, and my experience dealing
with this issue through the foo2zjs maintainers was not exactly
constructive [2],[3],[4] (primarily because of over-reactiveness and
hyper sensitivity on their part and perhaps a lack of appreciation for
debian's bug command and control authority [5] on my part -- and of
course some good old misunderstanding and misinterpretation).  Where
do I go from here to make sure the issue gets the appropriate level of
thought and consideration that it deserves (after lenny gets released
of course)?

Best wishes,
Michael Gilbert

[1] http://lists.debian.org/debian-release/2008/11/msg00106.html
[2] http://bugs.debian.org/449497
[3] http://bugs.debian.org/503813
[4] http://bugs.debian.org/503814
[5] http://lists.debian.org/debian-ctte/2008/10/msg00006.html

P.S. Please CC me on any responses since I am not subscribed to these lists.




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Tue, 04 Nov 2008 04:51:02 GMT)

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Tue, 04 Nov 2008 04:51:02 GMT)

Message #195 received at 449497@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: debian-ctte@lists.debian.org, 449497@bugs.debian.org
Subject: Re: foo2zjs dispute
Date: Mon, 3 Nov 2008 20:45:27 -0800
This bug isn't assigned to the tech ctte, but I'm going to go ahead and
weigh in anyway since the thread is still in my mailbox demanding a
response. :)

Anyway, the release team has now made their decision here, so it would again
be in order to assign this to the TC if the submitter wishes to appeal that
decision as well.

On Tue, Oct 28, 2008 at 02:41:41PM +0100, Giacomo A. Catenazzi wrote:

> Steffen Joeris wrote:
>> Maintainer:
>> --------------

>> The problem is as follows. The submitter sees the inclusion of the
>> getweb script as a violation of the DFSG. The script is provided by
>> upstream to download non-free firmware from his upstream webpage.  The
>> package includes documentation in README.Debian and a GUI interface
>> (hannah-foo2zjs) around the getweb script for the user's
>> convenience. Some printers need this non-free firmware to run, others
>> don't.  More information can be found in the bugreport. Could we
>> please ask you to settle this dispute?

>> Submitter:
>> --------------
>>
>> The submitter sees the getweb script's dependencies on external
>> data/files as potentially dangerous.  Once the package enters stable,
>> upstream changes (moving/modifying files, etc.) can break
>> functionality -- leading to a package that can no longer be considered
>> "stable."  External dependencies also potentially leave users
>> vulnerable to security risks (the upstream site could be spoofed or
>> hijacked and malicious files hosted instead of the legitimate firmware
>> files).  Also, the submitter views external dependencies as a possible
>> violation of the spirit of the debian policy, which currently is not
>> explicitly clear on the issue.  Section 2.2.1 says "... the packages
>> in main must not require a package outside of main for compilation or
>> execution (thus, the package must not declare a 'Depends',
>> 'Recommends', or 'Build-Depends' relationship on a non-main package)."
>>  This makes the policy clear about "packages," but it does not address
>> dependencies on other external non-packaged non-free files.  It is the
>> submitter's belief that Debian's policy should be reworded for clarity
>> on situations such as this.

> It is not a DFSG violation, because the file are not distributed
> by Debian, but I think it violated the policy.

> I think Debian should not assume a machine on the net, so I
> would interpret "main" in the stricter way.

Examining the package directly, here's what I've found:

- getweb is an optional script included in the package that can be used to
  download certain non-free files from the upstream website.
- The script is not run by default from the maintainer scripts when
  installing the package.
- Running the script is not required for the operation of the package in the
  general case: the package has a significant use case in terms of the
  printers it supports which don't require non-free downloads, and probably
  even a majority use case (though I'm personally not sure the latter is a
  distinction that should matter for inclusion in main).
- However, hannah-foo2zjs, in contrast, exists only to be a graphical
  firmware downloader; while its description has a disclaimer that "this
  software [...] can potentially install non-free software", the reality
  appears to be that this is the /only/ thing that this package is useful
  for.

So I think the presence of the getweb script in the package is not an RC
bug, and perhaps not a bug at all.  There are other packages in the archive
that also optionally support pulling in data from websites, including
pciutils (/usr/bin/update-pciids), and while there are probably ways to
improve this, I don't see any reason it should be treated as
release-critical.

(In the specific case of foo2zjs, one way the script could be improved is to
not install these downloaded files under /usr/share/foo2zjs, since this
leaves files behind in /usr/share not owned by any package and not cleaned
up when foo2zjs is removed; I think the download location should be either
/var/lib or /usr/local/share.)

As for hannah-foo2zjs, I think this is a more significant problem.  AFAICS
the contents of this package aren't even part of the upstream foo2zjs
source, yet it's built from the Debian foo2zjs package, and creates a
package that is only useful for downloading non-free firmware.  I think it's
clear that the maintainers should split this into its own source package -
which should be trivial since the contents are entirely under
debian/hannah-package/ to begin with - and move it to contrib.  And I think
this aspect /does/ warrant being treated as RC, although it's not the issue
that was originally raised by the submitter.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org




Forcibly Merged 449497 503813 503814. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Tue, 04 Nov 2008 05:18:04 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Tue, 04 Nov 2008 07:09:06 GMT)

Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Tue, 04 Nov 2008 07:09:06 GMT)

Message #202 received at 449497@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 449497@bugs.debian.org
Cc: debian-release@lists.debian.org, debian-devel@lists.debian.org
Subject: Re: [Foo2zjs-maintainer] Bug#449497: Direction on foo2zjs and web fetching scripts
Date: Tue, 4 Nov 2008 18:11:07 +1100
On Tue, 4 Nov 2008 03:40:22 pm Michael Gilbert wrote:
> Dear release team,
>
> Thank you for making a decision on the direction for bug #449497 in
> foo2zjs [1].  I believe that this is a reasonable choice for now due
> to the impending release.  However, I would really like to see an
> honest and constructive conversation on the issue.  I believe that
> there are some major security and functionality problems with fetching
> scripts, and there should be clear direction from the members of the
> debian project on the matter.  I would like to be able to completely
> trust main, so it is my hope that developers would do everything in
> their power to keep main as clean and safe as possible.  I am just a
> user, so I feel powerless to do anything, and my experience dealing
> with this issue through the foo2zjs maintainers was not exactly
> constructive [2],[3],[4] (primarily because of over-reactiveness and
> hyper sensitivity on their part and perhaps a lack of appreciation for
> debian's bug command and control authority [5] on my part -- and of
> course some good old misunderstanding and misinterpretation).  Where
> do I go from here to make sure the issue gets the appropriate level of
> thought and consideration that it deserves (after lenny gets released
> of course)?
>
> Best wishes,
> Michael Gilbert
>
> [1] http://lists.debian.org/debian-release/2008/11/msg00106.html
> [2] http://bugs.debian.org/449497
> [3] http://bugs.debian.org/503813
> [4] http://bugs.debian.org/503814
> [5] http://lists.debian.org/debian-ctte/2008/10/msg00006.html
Please let me just say two things. First, we are not over-sensitive or
anything, but we took your ideas into consideration and even asked for
advice. I think we were pretty sensible in that manner, so please stop
stating otherwise.

Furthermore, the script is not automatically called and users know what they
are doing (or at least they should) when they call it. Maybe we could even
add an additional warning, which I would definitely be open to.

Now to your "security concerns". Since this script explicitly downloads stuff
from an author's webpage (and it is stated like that), the user knows the
risk. Are you proposing to call this a security issue? Then packages like
iceweasel are also affected and many others ...

We can talk about putting the script somewhere else or do $whatever with it
after the release, but not for lenny. So please stop the noise and get back
to us about it after the release. I promise that I'll do my best to find a
solution that suits everyone. But right now you create more work for other
people, including me, which I could spend on security related work.
Thanks in advance.

Cheers
Steffen

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Tue, 04 Nov 2008 12:18:04 GMT)

Acknowledgement sent to Andreas Barth <aba@not.so.argh.org>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Tue, 04 Nov 2008 12:18:05 GMT)

Message #207 received at 449497@bugs.debian.org:

From: Andreas Barth <aba@not.so.argh.org>
To: debian-ctte@lists.debian.org, 449497@bugs.debian.org
Subject: Re: foo2zjs dispute
Date: Tue, 4 Nov 2008 13:05:31 +0100
* Steve Langasek (vorlon@debian.org) [081104 05:36]:
> This bug isn't assigned to the tech ctte, but I'm going to go ahead and
> weigh in anyway since the thread is still in my mailbox demanding a
> response. :)
> 
> Anyway, the release team has now made their decision here, so it would again
> be in order to assign this to the TC if the submitter wishes to appeal that
> decision as well.

Yes, I think we should now wait for the submitter to appeal or not.



Cheers,
Andi




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Tue, 17 Feb 2009 05:33:02 GMT)

Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Tue, 17 Feb 2009 05:33:02 GMT)

Message #212 received at 449497@bugs.debian.org:

From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
To: 449497@bugs.debian.org, debian-devel@lists.debian.org
Cc: vorlon@debian.org, cate@debian.org, aba@not.so.argh.org, mkoch@debian.org
Subject: Post-Lenny discussion on packages with external (potentially non-free) dependencies
Date: Tue, 17 Feb 2009 00:31:04 -0500
Dear All,

First of all, congratulations on getting the Lenny release out the
door!  I understand that it was a lot of work, and you're probably
looking forward to at least somewhat of a break.  So I don't want
to treat this problem with too much urgency (yet), but I would like to
get a dialog going as people find the time to weigh in with their
opinions.

In the following, I recap the core problems at hand (listed in terms of
importance/relevance) and the arguments on both sides that have been
developed in the bug report [1].

Summary of the problem: Some packages such as foo2zjs, pciutils,
ttf-mathematica4.1, etc. have components that download files external
to the Debian archives (from the internet) at runtime, which is
problematic in many ways.

1.  Provides a potential avenue for introducing malicious software onto
users' systems

Argument: Since the standard checks and balances (digital signing of
packages by developers) are circumvented by fetching files from an
unreliable source, it is possible for an attacker to either hijack or
spoof the upstream site to introduce malicious software onto users'
systems.  This may seem obscure, for example, for foo2zjs's printer
firmwares, but the getweb script does provide an update mechanism, so
the attacker could use that to introduce his malicious code.
Regardless of how obscure an attack vector may be, I just don't think
that it is worth the risk to allow it to remain open.

Rebuttal: "Since this script explicitly downloads stuff from an
author's webpage (and it is stated like that), the user knows the risk.
Are you proposing to call this a security issue? Then packages like
iceweasel are also affected and many others ..."

Response: The user may not, and likely does not, fully appreciate the
risk. I'm sure that most users trust that the Debian developer has
considered and appropriately mitigated the risk for them, or more
likely, they do not consider risk at all.  They just use their
computer.  Iceweasel is not a very good analogy because it is
generally not run as root and is not permitted to execute downloaded
files without a smart (chmod'ing) user involved.

2.  Components of the package may stop working in the midst of a
stable release's lifetime

Argument: Since the location and composition of external files is
outside of the package maintainer's control, upstream changes can break
stable scripts.

Rebuttal: This is a simple bug.  If it happens, "we'll fix it, full
stop."

Response: This may be a permissible fix for a stable point release,
but it leaves the system potentially broken for an indeterminate
amount of time (e.g. foo2zjs's getweb in etch was broken for over a
year) between those releases (depending on when the break happens).
This also depends on users' willingness to report bugs in stable.  This
usually doesn't happen because people know that stable is stable and
doesn't get changed.  It may also be possible to address this problem
via maintenance in volatile, but do they want to take on more
responsibility?

3.  Allows packages in main to depend on external files, violating the
spirit of the Debian Policy

Argument:  Section 2.2.1 of the Debian Policy Manual states that
"...packages in main must not require a package outside of main for
compilation or execution...," and section 2.2.2 states that "[e]xamples
of packages which would be included in contrib are free packages which
require contrib, non-free packages or packages which are not in our
archive at all for compilation or execution, ..."  This seems to make
it very clear that external dependencies are unacceptable in terms of
"packages," but does not make clear the policy on general data and
files.  However, given an honest attempt at interpretation, it would
seem that the same conclusion should apply equally to general files as
well as packages.

Rebuttal 1: This is a grey area of Debian Policy, and a literal
interpretation of the manual says that the current behavior is OK.

Response 1: We shouldn't make judgements based solely on the wording as
written, but instead based on the original intent of the author (as
an aside, this is why the judicial branch's role in the government is
so complicated and controversial). Just because the writer chose to use
the term "package" does not mean that they did not intend to cover all
files in general.

Rebuttal 2: Objection to single script packages (maintainers do not
want to maintain separate packages in contrib that contain only these
externally depending scripts). 

Response 2: Decisions should not be made based on potential
inconveniences or work load.  Besides, it is not that difficult to build
and maintain additional binary packages.  The offending scripts can
remain within the original source packages.

4.  Parts of the package work as intended only under certain
circumstances

Argument: Since an internet connection is not guaranteed on the user's
end, the program does not work as intended when the net is either down
or unavailable.  For example, a user with a printer supported by
foo2zjs's getweb will not be able to make that printer work if they use
their machine as a standalone.  As much of Debian as possible should be
fully functional even when standalone.  Hence, non-free components (if
they are to be supported at all) should be included in the non-free
archive instead of fetched externally.

Rebuttal: None yet.

5.  Allows packages in main to potentially depend on non-free files

Argument:  This is a hard argument to make, but since main is supposed
to be 100% free, it only makes sense that all dependencies should be
free as well.

Rebuttal 1: In the case of foo2zjs, the script is provided for
convenience for the user, it is not run as part of the maintainer
scripts, and the user can choose to not run it.

Response 1: This is a reasonable argument, but with 100% free software
as the goal for main and with decisions about non-free documentation
and firmware, doesn't it feel a bit like giving up when you're close
to the finish line?  Scripts like this just seem to fit better under
contrib.

Rebuttal 2: "It doesn't matter how many people needs external files to
fully use foo2zjs: if only one person can use it without, then
everything which is completely DFSG-free *must* be in main.  This is
another point, exactly like the firmware issues in the kernel: the
Intel iwl3945 driver is not usable on my ThinkPad X60 [4] without the
non-free firmware, yet the correct place for the driver is main."

Response 2: The number of users is irrelevant to whether components
should be considered free or not.  Also, the permission for non-free
firmware to remain in main was a temporary compromise in order to get
the release out in a timely manner.  Now that Lenny is done, decisions
should be made based on long-term goals, rather than short-term
compromises.

Rebuttal 3: 
    - getweb is an optional script included in the package that
    can be used to download certain non-free files from the upstream
    website.
    - The script is not run by default from the maintainer scripts when
    installing the package.
    - Running the script is not required for the operation of the
    package in the general case: the package has a significant use case
    in terms of the printers it supports which don't require non-free
    downloads, and probably even a majority use case (though I'm
    personally not sure the latter is a distinction that should matter
    for inclusion in main). 

Response 3: These are all very good points, but why include a script
whose sole purpose is to fetch non-free files in main?  That doesn't
seem like the right thing to do in the "free" archive.  It seems much
more appropriate for contrib.  vrms won't realize that you've got
non-free after you've run getweb even though you do.

Rebuttal 4: From debian-legal [2]: "It's commonly accepted that a
package can still be in main if only some part of it depends on non-main
software, and in this case there is not even such a dependency."

Response 4: This practice seems to violate the spirit of Debian's
Social Contract ("Debian will remain 100% free" in main), and I hope
that developers are not systemically ignoring such violations for
convenience.

Looking forward to a constructive conversation.

Best wishes,
Mike

[1] http://bugs.debian.org/449497
[2] http://lists.debian.org/debian-legal/2007/11/msg00103.html




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Tue, 17 Feb 2009 06:18:02 GMT) Full text and rfc822 format available.

Message #215 received at 449497@bugs.debian.org (full text, mbox):

From: Don Armstrong <don@debian.org>
To: 449497@bugs.debian.org, debian-devel@lists.debian.org
Subject: Re: Post-Lenny discussion on packages with external (potentially non-free) dependencies
Date: Mon, 16 Feb 2009 22:13:49 -0800
On Tue, 17 Feb 2009, Michael S. Gilbert wrote:
> In the following, I recap the core problems at hand (listed in terms of
> importance/relevance) and the arguments on both sides that have been
> developed in the bug report [1].
> 
> Summary of the problem: Some packages such as foo2zjs, pciutils,
> ttf-mathematica4.1, etc. have components that download files external
> to the Debian archives (from the internet) at runtime, which is
> problematic in many ways.
> 
> 1. Provides a potential avenue for introducing malicious software
> onto users' systems

In the case of foo2zjs and pciutils, the software/data is not
downloaded automatically, but at the specific request of an admin by
running a special script.

It would be ideal if foo2zjs and pciutils had a mechanism to verify
that the files downloaded matched the expected contents by the use of
SHA256, gpg or some other file verification function. Since in neither
case should the downloaded files be executed directly (though I
suppose a specially crafted firmware would be annoying) this doesn't
seem like a serious security problem, but a wishlist bug.

In the case of ttf-mathematica4.1, the md5sum is verified by the
postinst script, so while it may be the case that this should be
changed to a more secure hash algorithm, it's still reasonable.

> 2. Components of the package may stop working in the midst of a
> stable release's lifetime

It is probably reasonable to make these scripts as flexible as
possible to find the proper location, and to allow users to easily
override the location in cases where it's changed. Again, a case where
a wishlist bug with a patch attached would most likely be accepted.
[In the case of ttf-mathematica4.1, since it doesn't fail the install,
and just complains, this isn't too bad.]
 
> 3. Allows packages in main to depend on external files, violating
> the spirit of the Debian Policy

ttf-mathematica4.1 isn't in main, and foo2zjs and pciutils don't
require a package outside of main for compilation and execution. It's
perfectly ok for packages outside of main to provide additional
functionality to packages in main, since that doesn't form a Depends:
relationship. [Compare and contrast foo2zjs with the linux kernel, for
example.]

> Hence, non-free components (if they are to be supported at all)
> should be included in the non-free archive instead of fetched
> externally.

In order for this to occur, Debian must be able to distribute the
firmware. I'm not sure that this is the case for foo2zjs; it's
certainly not the case for ttf-mathematica4.1, and we already
distribute the pciids for pciutils.

> Argument: This is a hard argument to make, but since main is
> supposed to be 100% free, it only makes sense that all dependencies
> should be free as well.

The only thing we require is that the required dependencies, that is,
those things that form a Depends: relationship be free, not that
everything that could possibly enhance the operation of a package be
free. Obviously, the latter is the ideal state, but it's not a
requirement.
 

Don Armstrong

-- 
Our days are precious, but we gladly see them going
If in their place we find a thing more precious growing
A rare, exotic plant, our gardener's heart delighting
A child whom we are teaching, a booklet we are writing
 -- Frederick Rückert _Wisdom of the Brahmans_ 
 [Hermann Hesse _Glass Bead Game_]

http://www.donarmstrong.com              http://rzlab.ucr.edu




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Tue, 17 Feb 2009 06:48:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Luk Claes <luk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Tue, 17 Feb 2009 06:48:02 GMT) Full text and rfc822 format available.

Message #220 received at 449497@bugs.debian.org (full text, mbox):

From: Luk Claes <luk@debian.org>
To: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
Cc: 449497@bugs.debian.org, debian-devel@lists.debian.org, vorlon@debian.org, cate@debian.org, aba@not.so.argh.org, mkoch@debian.org
Subject: Re: Post-Lenny discussion on packages with external (potentially non-free) dependencies
Date: Tue, 17 Feb 2009 07:47:47 +0100
Michael S. Gilbert wrote:

> Summary of the problem: Some packages such as foo2zjs, pciutils,
> ttf-mathematica4.1, etc. have components that download files external
> to the Debian archives (from the internet) at runtime, which is
> problematic in many ways.

If possible, the data to be downloaded should be packaged so most of
the problems below are solved or mitigated.

> 1.  Provides a potential avenue for introducing malicious software onto
> users' systems

Well, input validation is very common for web applications. The
validation can consist of verifying the structure or a checksum etc, but
should always be present IMHO.

> 2.  Components of the package may stop working in the midst of a
> stable release's lifetime
> 
> Argument: Since the location and composition of external files is
> outside of the package maintainer's control, upstream changes can break
> stable scripts.

If possible the package should self-adjust to, or give the user the
opportunity to influence, the location of the external files. Sometimes
it's possible to fall back to a location under the maintainer's control
so the package will continue to work.

If that's not possible, the package should not be included in the stable
release itself IMHO and people are encouraged to discuss the inclusion
in the volatile archive.

> 3.  Allows packages in main to depend on external files, violating the
> spirit of the Debian Policy

Like Don explained it could be a convenience script, in that case the
package is not really depending on the external files.

Not packaging external files because the resulting packages would be
too small is not an argument IMHO, as the files could be included in
the package itself in that case, or similar things can be packaged
together.

> 4.  Parts of the package work as intended only under certain
> circumstances
> 
> Argument: Since an internet connection is not guaranteed on the user's
> end, the program does not work as intended when the net is either down
> or unavailable.  For example, a user with a printer supported by
> foo2zjs's getweb will not be able to make that printer work if they use
> their machine as a standalone.  As much of Debian as possible should be
> fully functional even when standalone.  Hence, non-free components (if
> they are to be supported at all) should be included in the non-free
> archive instead of fetched externally.
> 
> Rebuttal: None yet.

Well yes, depending on an internet connection should be avoided if possible.

> 5.  Allows packages in main to potentially depend on non-free files

If the functioning of the package needs the non-free files, it is not
just a convenience script, and I would put the package in contrib.

Cheers

Luk
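Don's suggestion that a fetch script should check the downloaded files
against a pinned SHA256 digest, and Luk's point that the download
location should be overridable by the admin and that validation
"should always be present", are both illustrated by the following
shell script. It is an added example for this thread, not code from
foo2zjs, pciutils or hannah-foo2zjs; the variable FIRMWARE_BASE_URL,
the function names and the sample file are all invented here. The
digest is pinned in the script (as it would be in a package), the file
is fetched to a temporary location, and it is only moved into place if
the digest matches.

```shell
#!/bin/sh
# Added example, not code from foo2zjs or pciutils: fetch a file from a
# configurable location, compare it against a SHA-256 digest pinned in
# the package, and only then move it into place. All names here are
# illustrative.

# FIRMWARE_BASE_URL (hypothetical) lets the admin point at a mirror or
# a local directory when upstream moves or withdraws the files.
FIRMWARE_BASE_URL=${FIRMWARE_BASE_URL:-https://example.invalid/firmware}

# sha256_of FILE: print the hex SHA-256 digest of FILE.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# fetch SOURCE DEST: download a URL, or copy a local path, into DEST.
fetch() {
    case $1 in
        http://*|https://*|ftp://*) wget -q -O "$2" "$1" ;;
        *)                          cp "$1" "$2" ;;
    esac
}

# install_verified NAME EXPECTED_SHA256 DESTDIR
# Fetch $FIRMWARE_BASE_URL/NAME into a temporary file; install it as
# DESTDIR/NAME only if its digest equals EXPECTED_SHA256. On any
# failure the temporary copy is removed and 1 is returned, so a
# corrupted or tampered file never reaches DESTDIR.
install_verified() {
    name=$1 expected=$2 destdir=$3
    tmp=$(mktemp) || return 1
    if ! fetch "$FIRMWARE_BASE_URL/$name" "$tmp"; then
        echo "fetch of $name failed" >&2
        rm -f "$tmp"; return 1
    fi
    actual=$(sha256_of "$tmp")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name: got $actual, want $expected" >&2
        rm -f "$tmp"; return 1
    fi
    mkdir -p "$destdir" && mv "$tmp" "$destdir/$name" \
        && chmod 0644 "$destdir/$name"
}

# demo: constructed data standing in for the upstream site. The first
# download is genuine (digest of "hello\n" pinned below); the second is
# a tampered copy and must be rejected.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/upstream"
    printf 'hello\n' > "$work/upstream/sample.fw"
    good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    FIRMWARE_BASE_URL=$work/upstream
    install_verified sample.fw "$good" "$work/lib" && echo "installed sample.fw"
    printf 'hellp\n' > "$work/upstream/sample.fw"
    install_verified sample.fw "$good" "$work/lib2" || echo "rejected tampered sample.fw"
    rm -rf "$work"
}

case ${1:-} in demo) demo ;; esac
```

Run as `sh getfw.sh demo` to see both the accepted and the rejected case.
A digest pinned in the package only helps if the maintainer updates it
when upstream publishes a new file, which is exactly the "may stop
working in the midst of a stable release" problem from point 2; the
FIRMWARE_BASE_URL override is what lets an admin recover from that
without editing the script.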




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Tue, 17 Feb 2009 09:18:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Giacomo A. Catenazzi" <cate@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Tue, 17 Feb 2009 09:18:02 GMT) Full text and rfc822 format available.

Message #225 received at 449497@bugs.debian.org (full text, mbox):

From: "Giacomo A. Catenazzi" <cate@debian.org>
To: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
Cc: 449497@bugs.debian.org, debian-devel@lists.debian.org, vorlon@debian.org, aba@not.so.argh.org, mkoch@debian.org
Subject: Re: Post-Lenny discussion on packages with external (potentially non-free) dependencies
Date: Tue, 17 Feb 2009 10:15:36 +0100
Michael S. Gilbert wrote:
> Dear All,
> 
> First of all, congratulations on getting the Lenny release out the
> door!  I understand that it was a lot of work, and you're probably
> looking forward to at least somewhat of a break.  So I don't want
> to treat this problem with too much urgency (yet), but I would like to
> get a dialog going as people find the time to weigh in with their
> opinions.

(...) [removing the long mail: too long to quote, too interesting
to extract the best parts.]

my case (microcode.ctl):
- the package is in contrib and not in main
- I download only an ASCII file, converted to binary and fed
  to the kernel device only at loading time, so difficult to exploit
- Intel microcode is encrypted, thus it is difficult to modify
- users had the possibility to download the microcode manually
  and to put it in the right position
- no microcode, no worrying: the computer works normally
  (except on new processors of a new family, which usually need
  a lot of updates, but usually these are developer machines, not
  production machines.)
- but with problems on the distribution format. Intel (I think wrongly)
  changed the format (instead of a compressed file, it did a
  compressed tar of the file), thus breaking Debian and Ubuntu.
- but with the last versions, Intel changed (again) the microcode license
  (I think because of us [or better because of Ubuntu :'( ] ),
  so now microcode is distributed by a non-free package.
  The script to download microcode from the Intel site is only
  a convenience script.
  I could live (and I think also our users) fine, if I remove the
  script from postinst (BTW it was called after asking confirmation
  via debconf)
- the microcode now could be installed also by the kernel firmware
  infrastructure, so I still have to decide a proper procedure with
  Intel and RedHat, and with Debian firmware. After this the package
  will be a legacy-only package.


BTW: I still have the non-free.* domains, if Debian needs them.

ciao
	cate




Blocking bugs of 517957 added: 449497, 503813, and 503814 Request was from Luca Capello <luca@pca.it> to control@bugs.debian.org. (Tue, 03 Mar 2009 18:33:06 GMT) Full text and rfc822 format available.

Added tag(s) pending. Request was from Anibal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Wed, 19 Aug 2009 20:15:16 GMT) Full text and rfc822 format available.

Reply sent to Michael Koch <konqueror@gmx.de>:
You have taken responsibility. (Mon, 31 Aug 2009 15:18:17 GMT) Full text and rfc822 format available.

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Mon, 31 Aug 2009 15:18:17 GMT) Full text and rfc822 format available.

Message #234 received at 449497-close@bugs.debian.org (full text, mbox):

From: Michael Koch <konqueror@gmx.de>
To: 449497-close@bugs.debian.org
Subject: Bug#449497: fixed in hannah-foo2zjs 1:1
Date: Mon, 31 Aug 2009 14:55:57 +0000
Source: hannah-foo2zjs
Source-Version: 1:1

We believe that the bug you reported is fixed in the latest version of
hannah-foo2zjs, which is due to be installed in the Debian FTP archive:

hannah-foo2zjs_1.dsc
  to pool/contrib/h/hannah-foo2zjs/hannah-foo2zjs_1.dsc
hannah-foo2zjs_1.tar.gz
  to pool/contrib/h/hannah-foo2zjs/hannah-foo2zjs_1.tar.gz
hannah-foo2zjs_1_amd64.deb
  to pool/contrib/h/hannah-foo2zjs/hannah-foo2zjs_1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 449497@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Koch <konqueror@gmx.de> (supplier of updated hannah-foo2zjs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 19 Aug 2009 21:21:46 +0200
Source: hannah-foo2zjs
Binary: hannah-foo2zjs
Architecture: source amd64
Version: 1:1
Distribution: unstable
Urgency: low
Maintainer: Michael Koch <konqueror@gmx.de>
Changed-By: Michael Koch <konqueror@gmx.de>
Description: 
 hannah-foo2zjs - Graphical firmware downloader for the foo2zjs package
Closes: 449497 503813 503814
Changes: 
 hannah-foo2zjs (1:1) unstable; urgency=low
 .
   * Initial release. Separated out from foo2zjs package.
     (Closes: #449497, #503813, #503814).
Checksums-Sha1: 
 e13b3bac28d7048c7d9ac3a186f89d75a5b698c7 723 hannah-foo2zjs_1.dsc
 706072249c851d19fa01812ca2d9394196871dba 26359 hannah-foo2zjs_1.tar.gz
 fae9cf1cea2fa7738994df54ec913ea70a431dbb 18294 hannah-foo2zjs_1_amd64.deb
Checksums-Sha256: 
 b63610615df468f06af2470746f278a4fb9d67dbde2bd38818ff417d7cf773af 723 hannah-foo2zjs_1.dsc
 9e8916343b8ccb15af350e2f3f1d1da3411fca020acc9c19420221dda27d37d4 26359 hannah-foo2zjs_1.tar.gz
 05de623e61c4899d659e559eb5512eaa86ffdce5f8e9d28e209d3eb77c1fbe1e 18294 hannah-foo2zjs_1_amd64.deb
Files: 
 637e09207ac39c15570d0822bf856e61 723 contrib/text optional hannah-foo2zjs_1.dsc
 3c33c49828cbd64b6bde10a944d2b9c1 26359 contrib/text optional hannah-foo2zjs_1.tar.gz
 173f9a05a4f3077661a3898c2a135882 18294 contrib/text optional hannah-foo2zjs_1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkqMUa8ACgkQWSOgCCdjSDvWcQCfVJ3+sbqDaiZiOqK3GnB1Bg61
ol4AnRQDWNX0Kp94ElbNZIrZZhTX1VPB
=eYus
-----END PGP SIGNATURE-----





Reply sent to Michael Koch <konqueror@gmx.de>:
You have taken responsibility. (Mon, 31 Aug 2009 15:18:19 GMT) Full text and rfc822 format available.

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Mon, 31 Aug 2009 15:18:19 GMT) Full text and rfc822 format available.

Reply sent to Michael Koch <konqueror@gmx.de>:
You have taken responsibility. (Mon, 31 Aug 2009 15:18:20 GMT) Full text and rfc822 format available.

Notification sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Bug acknowledged by developer. (Mon, 31 Aug 2009 15:18:20 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Wed, 21 Oct 2009 22:24:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Wed, 21 Oct 2009 22:24:07 GMT) Full text and rfc822 format available.

Message #249 received at 449497@bugs.debian.org (full text, mbox):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 449497@bugs.debian.org, CONTROL@BUGS.debian.org
Subject: Re: Bug#449497 closed by Michael Koch (Bug#449497: fixed in hannah-foo2zjs 1:1)
Date: Wed, 21 Oct 2009 17:56:40 -0400
reopen 449497
thanks

On Mon, 31 Aug 2009 15:18:17 +0000, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the foo2zjs package:
> 
> #449497: foo2zjs: getweb script depends on non-free firmware

the getweb script is still present in foo2zjs in main, so this hasn't
been fully addressed yet.

mike




Bug No longer marked as fixed in versions hannah-foo2zjs/1:1 and reopened. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 21 Oct 2009 22:24:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Fri, 23 Oct 2009 06:39:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Koch <konqueror@gmx.de>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Fri, 23 Oct 2009 06:39:07 GMT) Full text and rfc822 format available.

Message #256 received at 449497@bugs.debian.org (full text, mbox):

From: Michael Koch <konqueror@gmx.de>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 449497@bugs.debian.org, 503813@bugs.debian.org, 503814@bugs.debian.org
Cc: Debian BTS control <control@bugs.debian.org>
Subject: Re: [Foo2zjs-maintainer] Bug#449497: closed by Michael Koch (Bug#449497: fixed in hannah-foo2zjs 1:1)
Date: Fri, 23 Oct 2009 08:21:58 +0200
close 449497
close 503813
close 503814
thanks

On Wed, Oct 21, 2009 at 05:56:40PM -0400, Michael Gilbert wrote:
> On Mon, 31 Aug 2009 15:18:17 +0000, Debian Bug Tracking System wrote:
> > This is an automatic notification regarding your Bug report
> > which was filed against the foo2zjs package:
> > 
> > #449497: foo2zjs: getweb script depends on non-free firmware
> 
> the getweb script is still present in foo2zjs in main, so this hasn't
> been fully addressed yet.

Please don't play bug ping-pong and reopen bugs which are closed just
because you like to do so. We have implemented the solution that was
recommended by the (former) release team. If you disagree please talk
with the (current) release team and get a decision from them that says
that we need to change packaging. Before that we will always re-close
these three bugs. You can reach the release team at

	debian-release@lists.debian.org


Cheers,
Michael




Bug closed, send any further explanations to Michael Gilbert <michael.s.gilbert@gmail.com> Request was from Michael Koch <konqueror@gmx.de> to control@bugs.debian.org. (Fri, 23 Oct 2009 06:39:12 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>:
Bug#449497; Package foo2zjs. (Fri, 23 Oct 2009 15:15:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian Foo2zjs Maintainers <foo2zjs-maintainer@lists.alioth.debian.org>. (Fri, 23 Oct 2009 15:15:05 GMT) Full text and rfc822 format available.

Message #263 received at 449497@bugs.debian.org (full text, mbox):

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 449497@bugs.debian.org
Subject: Re: Bug#503814: [Foo2zjs-maintainer] Bug#449497: closed by Michael Koch (Bug#449497: fixed in hannah-foo2zjs 1:1)
Date: Fri, 23 Oct 2009 11:11:40 -0400
On Fri, 23 Oct 2009 08:21:58 +0200, Michael Koch wrote:
> Please don't play bug ping-pong and reopen bugs which are closed just
> because you like to do so. 

this isn't ping pong...i haven't touched the bug in over 8
months...that would be one crazy long game.

> We have implemented the solution that was
> recommended by the (former) release team. If you disagree please talk
> with the (current) release team and get a decision from them that says
> that we need to change packaging.

it still seems like there is no concrete direction from within the
project on these problems.  i will renew the discussion with the release
team as you suggest.

mike




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 21 Nov 2009 07:29:21 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 18:37:23 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.