1) about the proposed patch I see your point about PS creation not being problematic. I'm not sure if everyone agrees -- the question is if there is some other not-thought-of problem. Generally pkgsrc tries to follow upstream, unless that's not a good idea, and I did not absorb from your message: Is imagemagick still maintained upstream? Does upstream have an opinion? If we still need to patch, have you or someone filed a bug upstream? Is there a norm among other packaging systems about what to do (demonstrating some sort of consensus that upstream's choices should be overridden) Is this still an issue with current ghostscript? The link in the patch says it's fixed in 9.24. But arguably this has turned into "ghostcript will always be too scary to run on untrusted input" and it's now about avoiding bugs we don't know about. Is that correct? 2) about other policy changes Has this been filed upstream? response? consensus of other distributions? 3) Ghostscript AGPL While AGPL is unquestionably a Free Software license, the board of TNF decided that it should not be in DEFAULT_ACCEPTABLE because enough people are concerned that this will somehow lead to unexpected obligations by people typing "pkg_add". (Whether or not these concerns are well founded is not the point; the point is that enough people had them. Also, this is not about copyleft vs permissive at all; it's about triggering distribution obligations from making a service available over a network.) Also it was said that some companies prohibit AGPL software, and some felt that pkgsrc should accomodate that practice in its defaults (rather than expecting entities with polices to have a plan to follow their policies), to avoid a "pkgsrc is not allowed" backlash. (It was never clear to me if e.g. Debian is banned in such places.) However, I do not think it is all that useful at the present time to try to revisit this. print/ghostcript-gpl (last GPL version) is egregiously out of date (9.06). In my view no one should use it. print/ghostcript defaults to ghostscript-agpl becuase that is what ghostscript means these days, and because ghostscript-gpl is not maintained and is unsafe. The existence of the GPL version was an accomodation to people that don't want to use the maintained version. That made more sense the first few months that the license became AGPL than it does now. So yes, this leads to programs that use ghostscript failing to build unless you choose to put AGPL in ACCEPTABLE_LICENSES. There are other cases in pkgsrch (or were) where programs that have Free licenses depend on things that aren't in DEFAULT_ACCEPTABLE. That's just how it is, and people have to deal.
Attachment:
signature.asc
Description: PGP signature