Hello all, > > ok, my point is that dependencies on external data/files are > potentially dangerous. if the maintainer of the upstream site makes > changes (as has been done in the past with foo2zjs), then the package > no longer works as intended. if someone replaces the upstream files > with malicious code, then you have a security issue. both of these > problems are normally considered grave, and for good reason -- hence > this is a grave problem as well. why would you risk exposing users to > these problems if you can take steps now to eliminate them? > > debian main should have no external dependencies (that is what contrib > is for). and maybe the text of the debian policy doesn't make this > 100% clear right now, but it is within its spirit. if it is too easy > to misinterpret the intent, then the wording should be updated for > clarity. > > it is my belief that the getweb script must be removed from the package.
I understand your sentiment, and it is indeed a "grey" area situation. If I take policy literary, I think this package is fine in main, but it is not as simple... In order to get this bug rolling (and lenny released ;-) ), can you all live with me splitting up the package in two packages: 1) foo2zjs: this contains everything, and lives in mains, which Suggests: 2) foo2zjs-contrib: this contains getweb I know a package with just a script is not nice, but it is more in the spirit of the debian policy indeed. thanks, Joost -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]