Ian Jackson wrote:
> Over the years, d-legal has discussed a number of packages which
> automatically download non-free software, under some circumstances.
>
> The obvious example is web browsers with extension repositories
> containing both free and non-free software.
>
> We have also recently discussed a media downloader/player which, when
> fed a particular kind of url, will offer to automatically download a
> proprietary binary-only protocol module to access the specified
> proprietary web service.

Another good example is language package-managers, such as pip, npm, and cargo.

> We have generally put software like this in main, because it asks the
> user first, and can be used perfectly well without the proprietary
> parts. But the overall result is that a user who wants to use Free
> software can be steered by Debian into installing and using non-free
> software, sometimes unwittingly,
>
> I would like to establish a way to prevent this. (There are even
> whole Debian derivatives who have as one of their primary goals,
> preventing this. We should aim for most of the changes necessary for
> such derivatives to be in Debian proper, so the derivative can be
> little more than a change to the default configuration.)

I think this makes sense, but there's a further distinction we should draw that I didn't see in your mail. Here's roughly what I'd love to see:

- Packages in main must never automatically download or install non-free or contrib software without user interaction. (For instance, if you launch a browser and it auto-downloads and installs a proprietary plugin in the background, that should be a bug of severity serious.)

- Packages in main must not point the user to specific non-free or contrib software and recommend its installation, unless the user has previously opted into receiving such recommendations. Such an opt-in may be combined with questions regarding Debian's non-free repository. (For instance, "you should download and install this specific proprietary codec" should be a bug of severity serious. That said, we need to find a way to make this requirement not compromise usability by requiring the user to manually determine what they need.)

- Packages in main may provide a mechanism for the user to download and install other software (e.g. extensions) from a collection of such software. If they do, that mechanism should (note: not "must", and this should not change to become stricter in the future) either require that all software in the collection be Free Software, *or* make it easy for the user to determine the license of the software they're installing.

- Packages should (note: not "must" yet, but we should change this to "must" in the future) perform appropriate cryptographic integrity verification of downloaded software from an appropriate chain of trust, or should obtain such software from packages in the Debian repository that already include such verification.

- For the sake of avoiding ambiguity, an interpreter for file formats or network protocols that include software, such as scripts, may consider the user browsing to a site or opening a file as "user interaction" for the purposes of processing the software embedded or referenced by that site or file. However, this does not extend to automatically downloading or installing separate non-free software to interpret such sites or files, such as non-free codecs or plugins; that must still require explicit user interaction.

How does that sound?
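As an added illustration, not taken from either mail and not Debian policy or any project's code: the three client-side requirements above (explicit user approval before any install, a license the user can see before installing, and cryptographic integrity verification against a pinned trust anchor) written as a small Go gate in front of an extension installer. The manifest layout, the publisher key derived from an all-zero seed, the extension name and the URL are all constructed for the example; nothing is fetched over the network, the "download" is a byte string built inline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Extension is one entry in a signed collection manifest. The License
// field is what lets the client show the user what they are about to
// install before any bytes are fetched.
type Extension struct {
	Name    string `json:"name"`
	License string `json:"license"`
	SHA256  string `json:"sha256"` // hex digest of the artifact
	URL     string `json:"url"`    // informational here; this example never touches the network
}

// Manifest is the signed collection listing published by the repository.
type Manifest struct {
	Extensions []Extension `json:"extensions"`
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the pinned publisher key")
	ErrNoConsent      = errors.New("refusing to install: the user has not explicitly approved this download")
	ErrUnknown        = errors.New("extension is not listed in the verified manifest")
	ErrDigestMismatch = errors.New("downloaded artifact does not match the digest in the signed manifest")
)

// Digest returns the hex SHA-256 of an artifact, the form stored in the manifest.
func Digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// SignManifest serialises and signs a manifest with the publisher's key.
// In a real deployment this runs on the publisher side, not in the client.
func SignManifest(priv ed25519.PrivateKey, m *Manifest) (raw, sig []byte, err error) {
	raw, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return raw, ed25519.Sign(priv, raw), nil
}

// VerifyManifest checks the signature against the publisher key shipped
// with the package (the trust anchor) and only then parses the JSON, so
// unverified data never reaches the decoder.
func VerifyManifest(pub ed25519.PublicKey, raw, sig []byte) (*Manifest, error) {
	if !ed25519.Verify(pub, raw, sig) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	return &m, nil
}

// Install is the single gate in front of installing an extension: explicit
// per-item user approval, a listing in the verified manifest (which carries
// the license to show the user), and a digest match on the bytes actually
// downloaded. The returned entry is what the UI would display.
func Install(m *Manifest, name string, blob []byte, userApproved bool) (*Extension, error) {
	if !userApproved {
		return nil, ErrNoConsent
	}
	for i := range m.Extensions {
		e := &m.Extensions[i]
		if e.Name != name {
			continue
		}
		if Digest(blob) != e.SHA256 {
			return nil, ErrDigestMismatch
		}
		return e, nil
	}
	return nil, ErrUnknown
}

// DemoKey derives a publisher key pair from a constructed all-zero seed so
// the example is deterministic. A real client pins only the public half.
func DemoKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := DemoKey()
	artifact := []byte("constructed extension bytes") // stands in for the download
	m := &Manifest{Extensions: []Extension{{
		Name: "example-ext", License: "GPL-3.0-or-later",
		SHA256: Digest(artifact), URL: "https://extensions.example.invalid/example-ext.xpi",
	}}}
	raw, sig, _ := SignManifest(priv, m)
	verified, err := VerifyManifest(pub, raw, sig)
	if err != nil {
		fmt.Println("manifest rejected:", err)
		return
	}
	_, err = Install(verified, "example-ext", artifact, false)
	fmt.Println("without consent:", err)
	_, err = Install(verified, "example-ext", []byte("tampered"), true)
	fmt.Println("tampered download:", err)
	e, err := Install(verified, "example-ext", artifact, true)
	fmt.Printf("approved and verified: %s (%s), err=%v\n", e.Name, e.License, err)
}
```

The order of checks is the point: the manifest is authenticated before it is parsed, the consent flag is tested before any artifact is considered, and the digest of the bytes that actually arrived is compared to the signed listing rather than to anything the download server says about itself. A "should" in the policy above can still be implemented as a hard failure in the client.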