reassign 449497 tech-ctte,foo2zjs
thanks

Dear Technical Committee Members

Currently, there is a dispute about a certain part of the foo2zjs package. Unfortunately, we do not seem to be able to solve it and thus require your assistance. We have tried to get a paragraph together to state the problem, but it seems we ended up with two different paragraphs. The first one is from the maintainer (myself) and the second one belongs to the bug submitter (Michael Gilbert).

Could you please pass your judgement on this case? You will find further information in the bugreport and I am sure that the submitter as well as the maintainers are happy to answer any follow-up questions. At the moment, the bug is marked as RC, which might have an impact for the lenny release.

Thanks in advance for your time and judgement.

Cheers
Steffen

Maintainer:
--------------
The problem is as follows. The submitter sees the inclusion of the getweb script as a violation of the DFSG. The script is provided by upstream to download non-free firmware from his upstream webpage. The package includes documentation in README.Debian and a GUI interface (hannah-foo2zjs) around the getweb script for the user's convenience. Some printers need this non-free firmware to run, others don't. More information can be found in the bugreport. Could we please ask you to settle this dispute?

Submitter:
--------------
The submitter sees the getweb script's dependencies on external data/files as potentially dangerous. Once the package enters stable, upstream changes (moving/modifying files, etc.) can break functionality -- leading to a package that can no longer be considered "stable." External dependencies also potentially leave users vulnerable to security risks (the upstream site could be spoofed or hijacked and malicious files hosted instead of the legitimate firmware files).

Also, the submitter views external dependencies as a possible violation of the spirit of the debian policy, which currently is not explicitly clear on the issue. Section 2.2.1 says "... the packages in main must not require a package outside of main for compilation or execution (thus, the package must not declare a 'Depends', 'Recommends', or 'Build-Depends' relationship on a non-main package)." This makes the policy clear about "packages," but it does not address dependencies on other external non-packaged non-free files. It is the submitter's belief that Debian's policy should be reworded for clarity on situations such as this.