tech-pkg archive


Re: misguided ImageMagick policy.xml settings regarding PS/PDF and ignorance about other problematic coders

1) about the proposed patch

I see your point about PS creation not being problematic.  I'm not sure
if everyone agrees -- the question is if there is some other
not-thought-of problem.

Generally pkgsrc tries to follow upstream, unless that's not a good
idea, and I did not absorb from your message:

  Is imagemagick still maintained upstream?

  Does upstream have an opinion?   If we still need to patch, have you
  or someone filed a bug upstream?

  Is there a norm among other packaging systems about what to do
  (demonstrating some sort of consensus that upstream's choices should
  be overridden)

  Is this still an issue with current ghostscript?  The link in the
  patch says it's fixed in 9.24.  But arguably this has turned into
  "ghostscript will always be too scary to run on untrusted input" and
  it's now about avoiding bugs we don't know about.  Is that correct?

2) about other policy changes

  Has this been filed upstream?  response?

  consensus of other distributions?

3) Ghostscript AGPL

  While AGPL is unquestionably a Free Software license, the board of TNF
  decided that it should not be in DEFAULT_ACCEPTABLE because enough
  people are concerned that this will somehow lead to unexpected
  obligations by people typing "pkg_add".  (Whether or not these
  concerns are well founded is not the point; the point is that enough
  people had them.  Also, this is not about copyleft vs permissive at
  all; it's about triggering distribution obligations from making a
  service available over a network.)  Also it was said that some
  companies prohibit AGPL software, and some felt that pkgsrc should
  accommodate that practice in its defaults (rather than expecting
  entities with policies to have a plan to follow their policies), to
  avoid a "pkgsrc is not allowed" backlash.  (It was never clear to me
  if e.g. Debian is banned in such places.)  However, I do not think it
  is all that useful at the present time to try to revisit this.

  print/ghostscript-gpl (last GPL version) is egregiously out of date
  (9.06).  In my view no one should use it.

  print/ghostscript defaults to ghostscript-agpl because that is what
  ghostscript means these days, and because ghostscript-gpl is not
  maintained and is unsafe.  The existence of the GPL version was an
  accommodation to people that don't want to use the maintained version.
  That made more sense the first few months that the license became AGPL
  than it does now.

  So yes, this leads to programs that use ghostscript failing to build
  unless you choose to put AGPL in ACCEPTABLE_LICENSES.  There are other
  cases in pkgsrc (or were) where programs that have Free licenses
  depend on things that aren't in DEFAULT_ACCEPTABLE.  That's just how
  it is, and people have to deal.
