Hi,

While I’m not a user of xsnow, I’d like to comment on the issue being discussed. In addition to what has already been indicated during the discussion by Salvo Tomaselli, I would like to draw attention to a few fundamentally important points.

I personally consider this case serious and the bug release-critical. The main problem is that the xsnow package contains hidden, intentionally obfuscated behavior that depends on geo/locale conditions. This functionality is not described in the documentation (man page, README, etc.) and is not discoverable through typical review methods. Although the current payload appears “benign,” the implementation follows a structural pattern associated with malware and undermines the open-source trust model. The core problem is intentional concealment, not whether the current payload is harmful in a “typical” sense. The relevant logic is obfuscated and is not reflected in the documentation or typical interfaces.

While Debian states that its priorities are its users (#4 Social Contract), which I would interpret in this case broadly, the observed behavior of xsnow does not align with that. Moreover, since I wrote above that I consider such behavior a problem, and since it is obfuscated (at least, its behavior is not obvious from variable names, etc.), I would consider it a violation of #3 Social Contract as well, broadly interpreted.

A key point is the precedent: if an obfuscated, undocumented feature slips through unnoticed once, it can slip through again—and we cannot know what payload it might contain next time. So, this case breaks trust.

Also, the issue can be considered in the context of Debian’s Diversity Statement. While the statement primarily documents development, I suggest we interpret it more broadly as documenting Debian’s attitude toward its users. That is, Debian does not discriminate against users based on their language, geographical place in the world, nationality, or anything else. Here, however, xsnow treats its users differently based on their system’s locale.

I’d like to stress that, while the xsnow maintainer and developer intentionally introduced the discussed behavior, their messages in the bug report indicate they are willing to cooperate and fix the issue. I consider that appropriate and worthy of trust.

Moreover, I’m CC’ing the Community Team and Debian Leader because I’d like them to consider the issue and comment on it. We have Debian documents and policies that cover Debian members’ behavior regarding abusing, insulting, and so on. However, we definitely lack documents and policies concerning (sometimes benign) obfuscated behavior that can break trust in open source and the Debian community as a whole. I would suggest we may need to extend the Diversity Statement and/or add a new policy document, which would, of course, require further discussion.

Regards,
Lev

