Hi,

While I’m not a user of xsnow, I’d like to comment on the issue being
discussed. In addition to what has already been indicated during the
discussion by Salvo Tomaselli, I would like to draw attention to a few
fundamentally important points.

I personally consider this case serious and the bug release-critical.
The main problem is that the xsnow package contains hidden,
intentionally obfuscated behavior that depends on geo/locale conditions.
This functionality is not described in the documentation (man page,
README, etc.) and is not discoverable through typical review methods.
Although the current payload appears “benign,” the implementation
follows a structural pattern associated with malware and undermines the
open-source trust model. The core problem is intentional concealment,
not whether the current payload is harmful in a “typical” sense. The
relevant logic is obfuscated and is not reflected in the documentation
or typical interfaces.

While Debian states that its priorities are its users (#4 Social
Contract), which I would interpret in this case broadly, the observed
behavior of xsnow does not align with that. Moreover, since I wrote
above that I consider such behavior a problem, and since it is
obfuscated (at least, its behavior is not obvious from variable names,
etc.), I would consider it a violation of #3 Social Contract as well,
broadly interpreted. A key point is the precedent: if an obfuscated,
undocumented feature slips through unnoticed once, it can slip through
again—and we cannot know what payload it might contain next time. So,
this case breaks trust.

Also, the issue can be considered in the context of Debian’s Diversity
Statement. While the statement primarily documents development, I
suggest we interpret it more broadly as documenting Debian’s attitude
toward its users. That is, Debian does not discriminate against users
based on their language, geographical place in the world, nationality,
or anything else. Here, however, xsnow treats its users differently
based on their system’s locale.

I’d like to stress that, while the xsnow maintainer and developer
intentionally introduced the discussed behavior, their messages in the
bug report indicate they are willing to cooperate and fix the issue. I
consider that appropriate and worthy of trust.

Moreover, I’m CC’ing the Community Team and Debian Leader because I’d
like them to consider the issue and comment on it. We have Debian
documents and policies that cover Debian members’ behavior regarding
abusing, insulting, and so on. However, we definitely lack documents and
policies concerning (sometimes benign) obfuscated behavior that can
break trust in open source and the Debian community as a whole. I would
suggest we may need to extend the Diversity Statement and/or add a new
policy document, which would, of course, require further discussion.

Regards, Lev