Non-Free Needs Its Own Organization (Score:5, Interesting)
Debian is huge. It's long past the point that non-free could support its own organization.
When I created the original Debian Social Contract, non-free wouldn't have been self-supporting. But we've had this hypocrisy about non-free since then. Non-free is not officially part of Debian, but is maintained as part of Debian, using all of the same facilities and within the same organization. Debian can now afford to be 100% Free Software and no exceptions, and can put non-free somewhere else with people who care

Re:Non-Free Needs Its Own Organization (Score:3, Interesting)
Wouldn't a script whose only function is to point apt to non-free repositories, hence facilitating the installation of non-free software, preclude Debian from being "100% Free Software?" Is the script any more "free" than free packages that depend on non-free software to run?

Re:Non-Free Needs Its Own Organization (Score:5, Interesting)
Some time before non-free disappears from Debian's mirrors, we'd make some base package require a package containing an installation script that looks to see if the user is presently using the non-free repository. So, everyone who runs an upgrade would get this package, and its script would run. If the user is using the non-free repository, the user gets a note that it's moving, and is asked if he'd like to reset his apt choices to the new location of non-free or to do without non-free from then on, in which case we'd present the list of packages that would be lost from the system.
Debian isn't about taking choices away from people. But that doesn't mean that Debian can't make its own choices and ask people to find what they want elsewhere.
Bruce

Re:Non-Free Needs Its Own Organization (Score:2)
Sounds like a good use for the VRMS [debian.org] package.

Re:Non-Free Needs Its Own Organization (Score:3, Informative)
I think it makes sense; I think that's actually something that makes Debian kind of cool; is that you can give your system its own (your) personality by modifying the sources.list file.
I don't think I really understood the possibilities until I discovered apt-get.org. It's a great concept, that you can "tune in" to the types of software that you want/need, and it doesn't all necessarily have to come from the official Debian servers.
This might give Debian users more choices, actually.

On a totally unrelated topic... (Score:2)
I was thinking about the multiplication of Debian mirrors lately and the security implication of having a mirror rooted by some evil doers...
How is it actually managed?
I had this crazy idea that goes something like this:
When you first install Debian, you do it from a safe source (let's say a CD like OpenBSD or a mirror you _really_ trust). All the packages come with the public key of the maintainer and all packages are signed by the package maintainer.
Therefore, if someone roots a mirror and changes a packa

Re:On a totally unrelated topic... (Score:2)
I had this crazy idea that goes something like this:
Not crazy; in progress. The debian-keyring package contains all the maintainers' public keys, packages are already signed, and I believe dpkg has already been modified to have the ability to verify the signatures. The whole thing will be turned on Real Soon Now; I think it's supposed to be in place for the release of Sarge.
Therefore, if someone roots a mirror and changes a package you'll get a message like SSH would give: the key for package "bla"

Re:On a totally unrelated topic... (Score:2)
But how will the keyring package be signed/verified?

Re:On a totally unrelated topic... (Score:2)
The keyring package has a maintainer, who signs it with his key, whose public half is in the keyring. Bootstrapping the whole system is a bit of an issue for the security-paranoid, but once you get past that, it should work fine.

Re:Non-Free Needs Its Own Organization (Score:2)
Well if Debian DOES remove non-free I hope someone will set up a rogue server someplace to hold all non-free Debian packages that developers choose to package. There are SOME non-free packages that I will run (such as SETI@HOME) because they are useful, or interesting and I can agree with the providers' reasons for not releasing source. And SOME packages are only considered non-free because of political bullshit anyway.
Keep the number of passes in a compiler to a minimum.
-- D. Gries
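
Added example, not part of the original thread and not Debian's own code: the keyring model from the "On a totally unrelated topic..." sub-thread, with packages checked against a locally trusted keyring and a keyring update accepted only when signed by a key already in that keyring. Textbook RSA over constructed Mersenne-prime keys stands in for real OpenPGP signatures, and the names alice, bob, mallory and keyring-maint are hypothetical.

```python
import hashlib, json

E = 65537  # public exponent shared by all toy keys

def toy_keypair(a, b):
    """Constructed textbook-RSA key from Mersenne primes 2**a-1, 2**b-1 (toy only)."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (public modulus, private exponent)

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, n, d):
    return pow(digest(data), d, n)

def verify(data, sig, signer, keyring):
    """Check data against the locally trusted keyring, never against the mirror."""
    n = keyring.get(signer)
    if n is None:
        return "UNKNOWN SIGNER"
    return "OK" if pow(sig, E, n) == digest(data) else "BAD SIGNATURE"

def update_keyring(keyring, blob, sig):
    """Accept a new keyring only if the current keyring-maint key signed it."""
    if verify(blob, sig, "keyring-maint", keyring) != "OK":
        return keyring  # keep the old trust anchors
    return json.loads(blob)

def demo():
    alice_n, alice_d = toy_keypair(521, 607)
    maint_n, maint_d = toy_keypair(1279, 2203)
    evil_n, evil_d = toy_keypair(607, 1279)
    # Keyring as shipped on the trusted install media (constructed sample)
    keyring = {"alice": alice_n, "keyring-maint": maint_n}
    pkg = b"bla 1.0 contents"
    sig = sign(pkg, alice_n, alice_d)
    results = {
        "clean mirror": verify(pkg, sig, "alice", keyring),
        "modified package": verify(pkg + b" + backdoor", sig, "alice", keyring),
        "re-signed by intruder": verify(pkg, sign(pkg, evil_n, evil_d), "mallory", keyring),
    }
    # A keyring that adds an unknown key and is signed only by that key
    forged = json.dumps({**keyring, "mallory": evil_n}).encode()
    keyring = update_keyring(keyring, forged, sign(forged, evil_n, evil_d))
    results["forged keyring accepted"] = "mallory" in keyring
    # Genuine update: signed by the keyring maintainer already in the keyring
    bob_n, _ = toy_keypair(521, 1279)
    genuine = json.dumps({**keyring, "bob": bob_n}).encode()
    keyring = update_keyring(keyring, genuine, sign(genuine, maint_n, maint_d))
    results["genuine keyring accepted"] = "bob" in keyring
    return results
```

The first keyring is the only thing taken on faith, which is the bootstrapping issue raised in the thread; every later package and keyring update is checked against it.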