FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Debian > Debian Development

 
 
LinkBack Thread Tools
 
Old 02-17-2009, 05:13 AM
Don Armstrong
 
Default Post-Lenny discussion on packages with external (potentially non-free) dependencies

On Tue, 17 Feb 2009, Michael S. Gilbert wrote:
> In the following, I recap the core problems at hand (listed in terms of
> importance/relevance) and the arguments on both sides that have been
> developed in the bug report [1].
>
> Summary of the problem: Some packages such as foo2zjs, pciutils,
> ttf-mathematica4.1, etc. have components that download files external
> to the Debian archives (from the internet) at runtime, which is
> problematic in many ways.
>
> 1. Provides a potential avenue for introducing malicious software
> onto users' systems

In the case of foo2zjs and pciutils, the software/data is not
downloaded automatically, but at the specific request of an admin by
running a special script.

It would be ideal if foo2zjs and pciutils had a mechanism to verify
that the files downloaded matched the expected contents by the use of
SHA256, gpg or some other file verification function. Since in neither
case should the downloaded files be executed directly (though I
suppose a specially crafted firmware would be annoying) this doesn't
seem like a serious security problem, but a wishlist bug.

In the case of ttf-mathematica4.1, the md5sum is verified by the
postinst script, so while it may be the case that this should be
changed to a more secure hash algorithm, it's still reasonable.

> 2. Components of the package may stop working in the midst of a
> stable release's lifetime

It is probably reasonable to make these scripts as flexible as
possible to find the proper location, and to allow users to easily
override the location in cases where it's changed. Again, a case where
a wishlist bug with a patch attached would most likely be accepted.
[In the case of ttf-mathematica4.1, since it doesn't fail the install,
and just complains, this isn't too bad.]

> 3. Allows packages in main to depend on external files, violating
> the spirit of the Debian Policy

ttf-mathematica4.1 isn't in main, and foo2zjs and pciutils don't
require a package outside of main for compilation and execution. It's
perfectly ok for packages outside of main to provide additional
functionality to packages in main, since that doesn't form a Depends:
relationship. [Compare and contrast foo2zjs with the linux kernel, for
example.]

> Hence, non-free components (if they are to be supported at all)
> should be included in the non-free archive instead of fetched
> externally.

In order for this to occur, Debian must be able to distribute the
firmware. I'm not sure that this is the case for foo2zjs; it's
certainly not the case for ttf-mathematica4.1, and we already
distribute the pciids for pciutils.

> Argument: This is a hard argument to make, but since main is
> supposed to be 100% free, it only makes sense that all dependencies
> shoud be free as well.

The only thing we require is that the required dependencies, that is,
those things that form a Depends: relationship be free, not that
everything that could possibly enhance the operation of a package be
free. Obviously, the latter is the ideal state, but it's not a
requirement.


Don Armstrong

--
Our days are precious, but we gladly see them going
If in their place we find a thing more precious growing
A rare, exotic plant, our gardener's heart delighting
A child whom we are teaching, a booklet we are writing
-- Frederick Rükert _Wisdom of the Brahmans_
[Hermann Hesse _Glass Bead Game_]

http://www.donarmstrong.com http://rzlab.ucr.edu


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 02-17-2009, 10:05 AM
Josselin Mouette
 
Default Post-Lenny discussion on packages with external (potentially non-free) dependencies

Le mardi 17 fĂ©vrier 2009 Ă* 00:31 -0500, Michael S. Gilbert a Ă©crit :
> 2. Components of the package may stop working in the midst of a
> stable release's lifetime

This is a problem that affects much more than this kind of packages. All
packages relying on an external service are affected. For example, it’s
hard to expect the totem youtube plugin to keep working for the lifetime
of the etch release.

If we find a solution to this kind of issues, it should apply to all
packages in this situation.

--
.'`. Debian 5.0 "Lenny" has been released!
: :' :
`. `' Last night, Darth Vader came down from planet Vulcan and
`- told that if you don't install Lenny, he'd melt your brain.
 

Thread Tools




All times are GMT. The time now is 09:07 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org