First of all, a clarification: This post (like most in this thread) is primarily about Debian's philosophy, not about certspotter (but I do talk about that at the end as well). For this reason, I'm not CC'ing the bug.
On Fri, Aug 11, 2017 at 05:26:58PM -0400, Faidon Liambotis wrote: > On Fri, Aug 11, 2017 at 08:03:09AM -0400, Wouter Verhelst wrote: > > If a free software implementation of the remote service exists that a > > package can work with, then it can remain in main. If not, it cannot. > > There are no free software server-side implementation of e.g. the ICQ > protocol, as far as I know, but multiple client-side implementations in > main. That is a bug as far as I'm concerned; a client designed purely (or mostly) for such a non-free service should not be in main. > For that matter, there is no free software server-side implementation of > QUIC, so I guess by that rule, Chromium should be in contrib as well. No. The question is not "is there non-free software that the program can work with?" That would be much too broad, and it would make anything that touches the network non-free. Instead, the question is "is non-free software required for major functionality of the program?" With an ICQ client, it is. With a web browser, it's not. Also note that the reason we split our free packages between main and contrib is a service to our users: those who do not want to depend on non-free software can disable contrib. Not showing an ICQ client to those users is a service to them, not a burden: it's what they ask for when putting only main in their sources.list. Now if an upstream or a maintainer gets upset about software being moved from main to contrib, that is a sign that they (like Debian) would prefer to live in a world where all software is free. Because of that, they don't want to support non-free software, which means (if all dependencies are packaged) that their software should be in main. So when people tell them "your software belongs in contrib", especially if the reason is that it requires non-free software (as opposed to non-packaged software), it hurts their pride. I think that is a good thing: it should be an incentive for them to get rid of the dependency. However, I've seen on multiple occasions that the response is to deny the problem and to push for keeping the software in main anyway, claiming something to the effect of "it's more important for our users that they have access to this software than it is to have a completely free system". That is a disservice to our users. While for many users this is true, those users will have contrib (and probably non-free) enabled in their sources.list. So moving the package to contrib doesn't change anything for them. The only people who see a difference are the ones who asked not to see this kind of software, and they will no longer see it. That is a great outcome, not something to get upset about. > As for certspotter [...] It has become clear a while ago (to me anyway) that certspotter belongs in main. From the start, the bug report was about the description, not about the program itself and thus the fix would be to change that, not to move the package to contrib. I agree with the bug that descriptions of Debian packages (even those in non-free) should not advertise non-free software or services. If there is a free option (and there must be for it to be in main) that should be mentioned as the recommended way to use the program. If there also is a non-free option, it can be mentioned as an alternative, especially if many users are expected to know about it. If it is unknown to most users, I think it should be left out. > the conversation has derailed quite a bit [...] Not cool. Actually, that is "cool". Jonas made the larger community aware of the issue, which means we can discuss it. On our mailing lists, the tangents this went to are not off-topic. Perhaps the bug should be removed from the Cc, but that's a minor issue. > - People called SSLMate "non-free" and objected to the certspotter > description pointing to it. No, pointing does not need to be a problem. Recommending it (in effect advertising for it) is. > - I don't have any personal or business connection to SSLMate or > certspotter, other than using the software and maintaining the > package. I haven't communicated with my upstream about this issue > either and my comment on the bug report are just my views. I just want > to be fair to a nice upstream, who has graciously released part of > their business as free (as in speech and as in beer) software, for > anyone to use instead of using their service. I agree that it is unfortunate that people get so upset over discussions like this one, and I appreciate that you keep it away from upstream, so they are not bothered with it; this has nothing to do with them. Thanks, Bas
Description: PGP signature