Bug#856139: [pkg-go] Bug#856139: Bug#856139: certspotter: long description advertises commercial service

[Vincent Bernat]

 ❦  7 août 2017 18:12 GMT, "Dr. Bas Wijnen"  :

>> We have all kind of software advertising non-free services. Search for
>> "Google" or "Amazon". The comparison is even unfair as the service
>> advertised here is available as free software (not the case for most
>> services from Amazon and Google we advertise).
>
> If other packages are worse, that means they should be fixed, not that this
> should be allowed.
>
>> Example: [s3cmd]
>
> How is this not in contrib?  This software is useless without the non-free
> service (which is also software, and it is not in main) from Amazon.  Policy
> even mentions as an example for things in contrib: wrapper packages or other
> sorts of free accessories for non-free programs.  That's exactly what
> this is.
>
> I didn't know that this was in main, and I expect most others to not know
> either.  But I don't think they should be.  I wouldn't expect this to be
> controversial, but it seems that it is, given that you suggest they obviously
> belong in main?
>
> To be clear: the sort of software (of this type) I expect in main is like
> mumble: it connects to a server, and you can connect to a commercially hosted
> server if you want to, but you can also run your own server, because it's free
> software.  If the mumble server would not be free, and the only way to use the
> client was to connect to a commercial server, mumble should not be in main.
>
> As I wrote, I expected there to be consensus on this.  Am I incorrect about
> that?

In this case, free S3 implementations exist (like Swift, available
in Debian). However, it is easy to find other packages interacting with
proprietary services without a free implementation. For example, any
package interacting with Google Cloud (golang-google-cloud package).
-- 
Your manuscript is both good and original, but the part that is good is not
original and the part that is original is not good.
-- Samuel Johnson


signature.asc
Description: PGP signature

Bug#856139: certspotter: long description advertises commercial service

[Shengjing Zhu]

On Tue, Aug 8, 2017 at 2:12 AM, Dr. Bas Wijnen  wrote:
>> Example: [s3cmd]
>
> How is this not in contrib?  This software is useless without the non-free
> service (which is also software, and it is not in main) from Amazon.  Policy
> even mentions as an example for things in contrib: wrapper packages or other
> sorts of free accessories for non-free programs.  That's exactly what this is.

Maybe some off topic here.

The description of s3cmd is outdated. It's *not* useless without AWS.
It can be used with self-hosted S3 protocol compatible service, such
as Ceph RGW, minio[1]. Both are free softwares, and Ceph is in our
main archive.

[1] https://github.com/minio/minio


-- 
Best regards,
Shengjing Zhu

Bug#856139: [pkg-go] Bug#856139: certspotter: long description advertises commercial service

[Dr. Bas Wijnen]

On Sun, Aug 06, 2017 at 02:15:17PM +0200, Vincent Bernat wrote:
>  ❦  4 août 2017 20:03 +0200, Jonas Smedegaard  :
> > No, at worst this is misuse of Debian ressources for commercial gain - 
> > i.e. using long description field for advertising a non-free service.
> 
> We have all kind of software advertising non-free services. Search for
> "Google" or "Amazon". The comparison is even unfair as the service
> advertised here is available as free software (not the case for most
> services from Amazon and Google we advertise).

If other packages are worse, that means they should be fixed, not that this
should be allowed.

> Example: [s3cmd]

How is this not in contrib?  This software is useless without the non-free
service (which is also software, and it is not in main) from Amazon.  Policy
even mentions as an example for things in contrib: wrapper packages or other
sorts of free accessories for non-free programs.  That's exactly what this is.

I didn't know that this was in main, and I expect most others to not know
either.  But I don't think they should be.  I wouldn't expect this to be
controversial, but it seems that it is, given that you suggest they obviously
belong in main?

To be clear: the sort of software (of this type) I expect in main is like
mumble: it connects to a server, and you can connect to a commercially hosted
server if you want to, but you can also run your own server, because it's free
software.  If the mumble server would not be free, and the only way to use the
client was to connect to a commercial server, mumble should not be in main.

As I wrote, I expected there to be consensus on this.  Am I incorrect about
that?

Thanks,
Bas


signature.asc
Description: PGP signature

Bug#856139: certspotter: long description advertises commercial service

[Jonas Smedegaard]

Quoting Paul Wise (2017-08-05 09:38:45)
> On Fri, Aug 4, 2017 at 2:03 PM, Jonas Smedegaard wrote:
> 
> > Am I alone in finding it wrong to promote commercial services in long
> > descriptions of packages n Debian main?
> 
> In general, I think we should avoid doing that.
> 
> In this case, the advertisement is also present on the upstream github
> page, via the README, which is also in the Debian package, so removing
> it from the Debian package description will not remove the
> advertisement entirely. Personally I'd prefer to not have it present
> in any of the locations, but leaving it in the README in Debian and
> upstream seems like a reasonable compromise.
> 
> > No, at worst this is misuse of Debian resources for commercial gain -
> > i.e. using long description field for advertising a non-free service.
> 
> I got the impression that Faidon is not involved with SSLMate so this
> and the relevant DMUP clause does not seem to apply in this case.

For the record, I did not mean to imply that Faidon would gain anything.

I apologize for such accidental accusation!

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Bug#856139: [pkg-go] Bug#856139: certspotter: long description advertises commercial service

[Chris Lamb]

Hi,

> We have all kind of software advertising non-free services. Search for
> "Google" or "Amazon".

The important distinction here is not that that we mention services
that commercial (or even non-free), but rather between descriptive and
(quasi-) objective phrases such as:

Cert Spotter is also available as a hosted service

and clauses that are bordering on advertising:

… and requires zero setup 

I am uncomfortable with the latter appearing in long descriptions.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-

Bug#856139: [pkg-go] Bug#856139: certspotter: long description advertises commercial service

[Vincent Bernat]

 ❦  4 août 2017 20:03 +0200, Jonas Smedegaard  :

> Am I alone in finding it wrong to promote commercial services in long 
> descriptions of packages n Debian main?

I agree with Faidon on this one. Just saying that because the way you
ask the question is more likely to get the opposite answers.

>> At worst, this is "irrelevant" as you put it,
>
> No, at worst this is misuse of Debian ressources for commercial gain - 
> i.e. using long description field for advertising a non-free service.

We have all kind of software advertising non-free services. Search for
"Google" or "Amazon". The comparison is even unfair as the service
advertised here is available as free software (not the case for most
services from Amazon and Google we advertise).

Example:

Description: command-line Amazon S3 client
 Command-line tool to upload, retrieve and manage data in Amazon S3 service
 (http://www.amazon.com/s3/), designed for use in scripts. Features:
  - creating and destroying S3 buckets
  - uploading and downloading files
  - listing remote files
  - removing remote files
  - synchronizing local directories to S3 buckets
  - getting various information about buckets and disk usage
 .
 s3cmd supports both (US and EU) S3 datacentres.
-- 
Make input easy to proofread.
- The Elements of Programming Style (Kernighan & Plauger)


signature.asc
Description: PGP signature

Bug#856139: certspotter: long description advertises commercial service

[Dr. Bas Wijnen]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Sat, Aug 05, 2017 at 09:38:45AM -0400, Paul Wise wrote:
> > No, at worst this is misuse of Debian resources for commercial gain -
> > i.e. using long description field for advertising a non-free service.
> 
> I got the impression that Faidon is not involved with SSLMate so this
> and the relevant DMUP clause does not seem to apply in this case.

While perhaps not strictly against the letter of any of our rules, that doesn't
make it any less an advertisement for a non-free service and that certainly is
against the spirit.  Similarly to not adding a Recommends: from a package in
main to one in non-free, we should not recommend non-free services either IMO.
I don't think that is controversial?

I would make an exception for source files from upstream.  If they want to
advertise a non-free service, they can do that.  For Debian, IMO we should
remove such advertisements as part of packaging the software.  That means it
should not be in the binary package at all.

> In this case, the advertisement is also present on the upstream github
> page, via the README, which is also in the Debian package, so removing
> it from the Debian package description will not remove the
> advertisement entirely. Personally I'd prefer to not have it present
> in any of the locations, but leaving it in the README in Debian and
> upstream seems like a reasonable compromise.

Agreed; I would remove it from the program itself or its upstream-written
manpage if it would have been there (and of course it should definitely not be
in a manpage created by a maintainer), and while removing it from the source
(or its documentation) would be nice, I think it's acceptable to leave it
there.

Then again, it's similar to having non-free software in a release tarball, and
we do repackage the source for that.  So perhaps that would be the preferred
way to handle it.

Thanks,
Bas
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQIcBAEBAgAGBQJZhr4gAAoJEJzRfVgHwHE6jTwQAJGgJL0vKRlcGj70YhjoDDrR
/pQiDALVRq0wiQqx+9MNy0px2OeA89TgTtfvm6fh+ibSI+9cC/+FO8GruqGPrxjK
NKgyUVUvVNqvSupIzEpbnLQE1QVzi31dvYVzir+lLjJB8sN4oUbNOtTjUWlO4rhT
XH8ixzLADqT3VWC30TPUoE8UJ+Nf82eHF67h/4sEwrZWMZgfVfqPR3qTAF0AZsnS
ezOtkHl8a3E/QlxOGeMZJ/g2zLVlcRnXU7svEAWdhuSZUT7D9t9I3m5KGwwE1ZLj
Kzmlly59DdhyWkqsvWdpifo97avQXlIna4MJeGZW9U8JRdw0V0taWxv1oZ1auprA
Cm3hWi/X8DTtvUwOVqEW4aarvvC26dk1uyIz7Z+qHqKF5amir7HxfG81cGNiryyz
bBjp6MJAYnnfUeYnn1ZM4qlnJFPNqYSUgoZ/S0uLtOwZGTjaBQsqwewPWKr5pON9
hlG+at1u6wcxTfYJ3guzhB04bp4cISL5Ze3WZwXH3nmTPJi5Rnd7dXaQvkwdzziJ
DVcGjZqb3G1LQKABpWmwCxGEXiEgfjki/DmlSDaonX0SUN1lvtfsQ9COcp7kczU1
gb+jcJCR3uerLHvNnmKT8RowQe7j4AHpFGDJuPKid1B+fdYqpNO8/yqE7kScpI97
82ed9JaRCIbFYfXoL+YT
=YnvG
-END PGP SIGNATURE-

Bug#856139: certspotter: long description advertises commercial service

[Paul Wise]

On Fri, Aug 4, 2017 at 2:03 PM, Jonas Smedegaard wrote:

> Am I alone in finding it wrong to promote commercial services in long
> descriptions of packages n Debian main?

In general, I think we should avoid doing that.

In this case, the advertisement is also present on the upstream github
page, via the README, which is also in the Debian package, so removing
it from the Debian package description will not remove the
advertisement entirely. Personally I'd prefer to not have it present
in any of the locations, but leaving it in the README in Debian and
upstream seems like a reasonable compromise.

> No, at worst this is misuse of Debian resources for commercial gain -
> i.e. using long description field for advertising a non-free service.

I got the impression that Faidon is not involved with SSLMate so this
and the relevant DMUP clause does not seem to apply in this case.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Bug#856139: certspotter: long description advertises commercial service

[Jonas Smedegaard]

Dear fellow Debian developers,

Am I alone in finding it wrong to promote commercial services in long 
descriptions of packages n Debian main?


Quoting Faidon Liambotis (2017-08-04 13:57:10)
> On Sat, Feb 25, 2017 at 03:53:13PM +0100, Jonas Smedegaard wrote:
> > Long description includes a paragraph starting with the following:
> > 
> > > Cert Spotter is also available as a hosted service by SSLMate that
> > > requires zero setup [...]
> > 
> > That paragraph is irrelevant for this package - please drop it.
[...]
> At worst, this is "irrelevant" as you put it,

No, at worst this is misuse of Debian ressources for commercial gain - 
i.e. using long description field for advertising a non-free service.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Bug#856139: certspotter: long description advertises commercial service

[Jonas Smedegaard]

Quoting Faidon Liambotis (2017-08-04 13:57:10)
> On Sat, Feb 25, 2017 at 03:53:13PM +0100, Jonas Smedegaard wrote:
>> Long description includes a paragraph starting with the following:
>>
>>> Cert Spotter is also available as a hosted service by SSLMate that 
>>> requires zero setup [...]
>>
>> That paragraph is irrelevant for this package - please drop it.
> 
> This is a tricky case indeed and I can see both sides of this.
> 
> I lean towards keeping it though, for the following reasons:
> 
> - It is somewhat relevant to the package: it's useful to know that one
>   can instead use a hosted version of the software, which by the way 
>   is free for up to 5 domains, without going through the trouble of 
>   setting it up.
> 
> - If one has more domains than that, they can either switch to
>   certspotter, or they can pay for the commercial service, and in 
>   doing so, pay the bills for the author of this software. The author 
>   essentially open-sourced the software that powers his small 
>   business, and I see nothing wrong with him profiting from it.
> 
> - It is part of the original description of the author. Me explicitly
>   going against their wishes and removing that harmless sentence could 
>   be seen as offensive and antagonizing them.
>   
> At worst, this is "irrelevant" as you put it, but it's just an extra 
> sentence. At best, it's somewhat helpful to users, and potentially 
> helpful to us maintaining a good relationship with our upstream and 
> them profiting a tiny bit from producing free software.

I agree the sentence helps upstream get food on the table.

I understand how someon in need of computing tools might go elsewhere 
than Debian for satisfying their needs.  But I fail to recognize how any 
of above is helpful for *our* users - whom by definition use Debian!

Package descriptions is not a billboard for advertisements.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private


signature.asc
Description: signature

Bug#856139: certspotter: long description advertises commercial service

[Faidon Liambotis]

On Sat, Feb 25, 2017 at 03:53:13PM +0100, Jonas Smedegaard wrote:
> Long description includes a paragraph starting with the following:
> 
> > Cert Spotter is also available as a hosted service by SSLMate that
> > requires zero setup [...]
> 
> That paragraph is irrelevant for this package - please drop it.

This is a tricky case indeed and I can see both sides of this.

I lean towards keeping it though, for the following reasons:

- It is somewhat relevant to the package: it's useful to know that one
  can instead use a hosted version of the software, which by the way is
  free for up to 5 domains, without going through the trouble of setting
  it up.

- If one has more domains than that, they can either switch to
  certspotter, or they can pay for the commercial service, and in doing
  so, pay the bills for the author of this software. The author
  essentially open-sourced the software that powers his small business,
  and I see nothing wrong with him profiting from it.

- It is part of the original description of the author. Me explicitly
  going against their wishes and removing that harmless sentence could
  be seen as offensive and antagonizing them.
  
At worst, this is "irrelevant" as you put it, but it's just an extra
sentence. At best, it's somewhat helpful to users, and potentially
helpful to us maintaining a good relationship with our upstream and them
profiting a tiny bit from producing free software.

Regards,
Faidon

Bug#856139: certspotter: long description advertises commercial service

[Jonas Smedegaard]

Package: certspotter
Version: 0.3-1
Severity: normal

Long description includes a paragraph starting with the following:

> Cert Spotter is also available as a hosted service by SSLMate that
> requires zero setup [...]

That paragraph is irrelevant for this package - please drop it.

 - Jonas