Discussion:
clementine: installs non-free plugin at runtime
Anthony DeRobertis
2017-11-20 20:04:52 UTC
One of several functions of Clementine is to stream audio from cloud
service Spotify. Initially selecting that function triggers a routine
where Clementine (asks for consent and then) downloads and installs a
non-free binary driver.
Policy 2.2.1 states that "None of the packages in the main archive area
require software outside of that area to function."
Clementine should either be moved to contrib, or the Spotify function be
removed.
I suggest this isn't a Policy violation. Clementine functions without
the Spotify plugin; e.g., it'll happily play local music files, or from
any of the non-Spotify streaming sources.

Compare to, for example, all web browsers except lynx (and similar).
They all happily and automatically download and execute non-free code
(JavaScript), without any warning whatsoever. And if you turn off
JavaScript, they lose quite a bit more functionality than Clementine
does (I'd go so far as to say they become fairly useless — quite a bit
of the web doesn't work w/o JavaScript).

Many of them have their own plugin services (at least both Firefox and
Chromium do) that happily install and execute non-free code, again
without any warning (the only warnings they give are about access to
data, browsing history, etc., nothing about freedom).

Further, Debian understands software broadly (including, e.g.,
data—basically, "not hardware"), not just executables. If this bug
report's reading of policy were correct, Clementine would need to
disable most of streaming music services as the music they provide
doesn't follow DFSG. (And even lynx would have to be removed.)

I think it'd be reasonable to make the confirmation dialog explicitly
say that the plugin is not free software. But other than that, which
does not warrant severity: serious, I think this bug should be closed as
not a bug.
Ian Jackson
2017-11-21 12:42:46 UTC
Post by Anthony DeRobertis
I think it'd be reasonable to make the confirmation dialog explicitly
say that the plugin is not free software. But other than that, which
does not warrant severity: serious, I think this bug should be closed as
not a bug.
With Debian's current stance on recommending non-free software (ie, we
are, contrary to our principles, happy to do it even if the user has
decided they do not want non-free), I agree with you.


Personally I think it should be a bug if any package in main offers to
download and run non-free software, other than in some kind of
restricted environment[1], if the user does not have the Debian
non-free area enabled.

[1] The distinction I am making is between what might normally be
thought of as programs, and situations where a Turing-complete
protocol is used to deliver and display something that the user
inevitably knows is controlled by someone else and which they have
explicitly asked for. For example, the JS in web pages; documents
provided as PostScript files, or whatever.

This rule would distinguish the binary blob Spotify client (forbidden)
from the proprietary music files it downloads (permitted, if there
were a Free client that could do the download).

Ian.
--
Ian Jackson <***@chiark.greenend.org.uk> These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
Thomas Pierson
2017-11-30 01:38:26 UTC
Hi Jonas and folks,

Clementine does not require or depend on any external software to run
properly. So for me the policy 2.2.1 is respected.

It's only if a user wants to connect to a particular external service
that a plugin file is downloaded and used.
But it's the same case for much software, like web browsers, which download
and run proprietary JavaScript without any warning.

So unless someone points me to a clear justification I will close this bug
as invalid for now.

Regards,

Thomas Pierson
Ben Finney
2017-11-30 06:47:41 UTC
Post by Thomas Pierson
Clementine does not require or depend on any external software to run
properly. So for me the policy 2.2.1 is respected.
I agree that, as described, Clementine's normal function as a
general-purpose music player is available without any non-free music
services. So this does not infringe Policy §2.2.1.
Post by Thomas Pierson
It's only if a user wants to connect to a particular external service
that a plugin file is downloaded and used.
That is still a problem, IMO. It would be best if the program did not do
that, and instead prompted the user to install the non-free package
providing that plug-in.
Post by Thomas Pierson
But it's the same case for much software, like web browsers, which
download and run proprietary JavaScript without any warning.
(Yes, I think a web browser should not download and execute arbitrary
JavaScript either. That one problem remains unaddressed is not a
justification for the same problem elsewhere.)
Post by Thomas Pierson
So unless someone points me to a clear justification I will close this bug
as invalid for now.
I agree that, despite the problems remarked on of downloading and
executing unpackaged code to execute on the user's computer, this is not
a dependency for the program performing its normal function. So this
does not appear to be a Policy §2.2.1 violation.
--
\ “If we could change ourselves, the tendencies in the world |
`\ would also change.” —Mohandas K. Gandhi, _Collected Works_, 1913 |
_o__) |
Ben Finney <***@debian.org>
Ian Jackson
2017-11-30 11:30:16 UTC
Post by Ben Finney
Post by Thomas Pierson
It's only if a user wants to connect to a particular external service
that a plugin file is downloaded and used.
That is still a problem, IMO. It would be best if the program did not do
that, and instead prompted the user to install the non-free package
providing that plug-in.
I agree with Ben that it would be better if the program used a
non-free package from Debian instead. Maybe we could clone this bug
into a wishlist bug for that.
Post by Ben Finney
(Yes, I think a web browser should not download and execute arbitrary
JavaScript either. That one problem remains unaddressed is not a
justification for the same problem elsewhere.)
This is obviously out of scope for the discussion of this bug.

If you want to change Debian's stance about this, you will need to
agitate with ftpmaster, on -project, or -devel, or pass a GR, or
something.

Ian.
Ben Finney
2017-11-30 19:47:27 UTC
Post by Ian Jackson
Post by Ben Finney
(Yes, I think a web browser should not download and execute
arbitrary JavaScript either. That one problem remains unaddressed is
not a justification for the same problem elsewhere.)
This is obviously out of scope for the discussion of this bug.
Certainly. I was responding parenthetically to a point that, I agree
with you, was out of scope.
--
\ “I would rather be exposed to the inconveniences attending too |
`\ much liberty than those attending too small a degree of it.” |
_o__) —Thomas Jefferson, 1791-12-23 |
Ben Finney <***@debian.org>