Phil Morrell <deb...@emorrp1.name> writes:
> On Thu, Sep 08, 2022 at 11:55:43AM +0200, Jonathan Carter (highvoltage) wrote:

>> bug fixes and security updates depend entirely on their upstream developers

> This is definitely not *universally true*, think of e.g. GFDL invariants
> or packages that are "merely" non-commercial. Debian package maintainers
> can make absolutely any technical improvements they wish to these
> packages, the only thing they can't do is change the license to be
> DFSG-free. There's probably less motivation to work on non-free
> software, and there may not even be any remaining upstream, but I assume
> you were primarily thinking of non-free-firmware when drafting this
> phrase.

Yeah, I think this wording is not quite 100% correct. I think what Jonathan is getting at is that we do not provide security support for non-free software as a matter of policy, in the sense that the security team doesn't support it (at least that's my recollection). But the package maintainers often do provide some level of support.

I think we may need a slightly different wording of this that makes it clear that these packages receive a lower level of support and are therefore on average somewhat riskier to use.

>> We encourage software vendors who make use of non-free packages to
>> carefully read the licenses of these packages to determine whether they
>> can distribute it on their media or products.

> I deliberately removed mention of software vendors and their media as
> our Social Contract wouldn't bind them anyway. #5 should be relevant for
> all our users, third party redistributors are just a subset.

We probably do need to say something about how you need to review the licenses for non-free software before using or distributing it. This is true for users as well.

> It'd be nice having a fourth sentence that is a bit more negatively
> worded to put people off non-free where feasible. How about:

> We encourage careful review of the licensing for your use-case and
> how they put limits on our packaging efforts.

> Disclaimer: I'm not a DD (yet) so cannot formally propose any of this
> and please take with a lump of salt.

I like the first part of that. I'm not sure anyone needs to care that much about the impact on packaging. I see what you're trying to get at, but I think it's a bit indirect. How about:

We encourage careful review of the licensing of these packages before use or redistribution, since the guarantees of the Debian Free Software Guidelines do not apply to them.

--
Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>