#883225 clementine: Third-party plug-ins should be packaged for Debian

Package:
clementine
Source:
clementine
Description:
modern music player and library organizer
Submitter:
Jonas Smedegaard
Date:
2017-12-01 00:24:04 UTC
Severity:
minor
#883225#5
Date:
2017-09-04 19:48:17 UTC
From:
To:
One of several functions of Clementine is to stream audio from cloud
service Spotify.  Initially selecting that function triggers a routine
where Clementine (asks for consent and then) downloads and installs a
non-free binary driver.

Policy 2.2.1 states that "None of the packages in the main archive area
require software outside of that area to function."

Clementine should either be moved to contrib, or the Spotify function be
removed.

PureOS issue tracker references how Parabola removes the function:
https://tracker.pureos.net/T100
https://git.parabola.nu/abslibre.git/tree/libre/clementine/remove-nonfree-artwork-and-spotify.patch


 - Jonas

#883225#10
Date:
2017-10-11 10:15:24 UTC
From:
To:
Clementine has been removed from Debian testing.

Can the package maintainer please comment on if there is a fix?
The patch that Jonas has mentioned should be good enough to get this bug
resolved.

BTW Jonas, what about cover art? It behaves almost the same way. So
by that standard, should cover art also be disabled, not just here but
almost for all music players?

#883225#15
Date:
2017-11-20 20:04:52 UTC
From:
To:
(from Jonas Smedegaard <dr@jones.dk> via the bug):

I suggest this isn't a Policy violation. Clementine functions without
the Spotify plugin; e.g., it'll happily play local music files, or from
any of the non-Spotify streaming sources.

Compare to, for example, all web browsers except lynx (and similar).
They all happily and automatically download and execute non-free code
(JavaScript), without any warning whatsoever. And if you turn off
JavaScript, they lose quite a bit more functionality than Clementine
does (I'd go so far as to say they become fairly useless — quite a bit
of the web doesn't work w/o JavaScript).

Many of them have their own plugin services (at least both Firefox and
Chromium do) that happily install and execute non-free code, again
without any warning (the only warnings they give are about access to
data, browsing history, etc., nothing about freedom).

Further, Debian understands software broadly (including, e.g.,
data—basically, "not hardware"), not just executables. If this bug
report's reading of policy were correct, Clementine would need to
disable most of streaming music services as the music they provide
doesn't follow DFSG. (And even lynx would have to be removed.)

I think it'd be reasonable to make the confirmation dialog explicitly
say that the plugin is not free software. But other than that, which
does not warrant severity: serious, I think this bug should be closed as
not a bug.

#883225#18
Date:
2017-11-20 20:08:18 UTC
From:
To:
[resending just to -submitter, sorry I messed up the address the first
time.]

#883225#23
Date:
2017-11-20 21:13:57 UTC
From:
To:
Quoting Anthony DeRobertis (2017-11-20 21:08:18)
just above this bug is resolved if the Spotify function is removed.

None of our general-purpose web browsers "require software outside of
[the main archive] to function" as general-purpose web browsers.

I agree that some web browser addons are problematic too.  But the
mechanism in the browsers is not specific to non-free code and therefore
do not "_require_ software outside [the main archive] to function".

Protocols only able to access non-free services would indeed need to be
removed, I believe.  But protocols able to access either free or
non-free resources are fine.

Existence of additional DFSG violations is not an argument that this is
not a DFSG violation.

I disagree.


 - Jonas

#883225#31
Date:
2017-11-21 12:42:46 UTC
From:
To:
Anthony DeRobertis writes ("Re: clementine: installs non-free plugin at runtime"):

With Debian's current stance on recommending non-free software (ie, we
are, contrary to our principles, happy to do it even if the user has
decided they do not want non-free), I agree with you.


Personally I think it should be a bug if any package in main offers to
download and run non-free software, other than in some kind of
restricted environment[1], if the user does not have the Debian
non-free area enabled.

[1] The distinction I am making is between what might normally be
thought of as programs, and situations where a Turing-complete
protocol is used to deliver and display something that the user
inevitably knows is controlled by someone else and which they have
explicitly asked for.  For example, the JS in web pages; documents
provided as PostScript files, or whatever.

This rule would distinguish the binary blob Spotify client (forbidden)
from the proprietary music files it downloads (permitted, if there
were a Free client that could do the download).

Ian.

#883225#36
Date:
2017-11-30 01:38:26 UTC
From:
To:
Hi Jonas and folks,

Clementine does not require or depend on external software to run
properly. So for me Policy 2.2.1 is respected.

It's only if a user wants to connect to a particular external service
that a plugin file is downloaded and used.
But it's the same case for much software, like web browsers, which download
and run proprietary JavaScript without any warning.

So unless someone points me to a clear justification I will close this bug
as invalid for now.

Regards,

Thomas Pierson

#883225#49
Date:
2017-11-30 06:47:41 UTC
From:
To:
Thomas Pierson <contact@thomaspierson.fr> writes:

I agree that, as described, Clementine's normal function as a
general-purpose music player is available without any non-free music
services. So this does not infringe Policy §2.2.1.

That is still a problem, IMO. It would be best if the program did not do
that, and instead prompted the user to install the non-free package
providing that plug-in.

(Yes, I think a web browser should not download and execute arbitrary
JavaScript either. That one problem remains unaddressed is not a
justification for the same problem elsewhere.)

I agree that, despite the problems remarked on of downloading and
executing unpackaged code to execute on the user's computer, this is not
a dependency for the program performing its normal function. So this
does not appear to be a Policy §2.2.1 violation.

#883225#57
Date:
2017-11-30 11:30:16 UTC
From:
To:
Ben Finney writes ("Re: Bug#874295: Not a bug"):

I agree with Ben that it would be better if the program used a
non-free package from Debian instead.  Maybe we could clone this bug
into a wishlist bug for that.

This is obviously out of scope for the discussion of this bug.

If you want to change Debian's stance about this, you will need to
agitate with ftpmaster, on -project, or -devel, or pass a GR, or
something.

Ian.

#883225#65
Date:
2017-11-30 12:40:54 UTC
From:
To:
Hi Ben,

On 30 November 2017 07:47:41 GMT+01:00, Ben Finney <bignose@debian.org> wrote:

Actually the program prompts with a dialog asking the user if he wants to install the extra plugin.
But yes, maybe it should be more explicit about the non-free nature of the plugin. I will open a new bug about that.

Regards,
Thomas

#883225#70
Date:
2017-11-30 19:47:27 UTC
From:
To:
Ian Jackson <ijackson@chiark.greenend.org.uk> writes:

Certainly. I was responding parenthetically to a point that, I agree
with you, was out of scope.

#883225#78
Date:
2017-12-01 00:21:30 UTC
From:
To:
Control: clone -1 -2
Control: retitle -2 clementine: Third-party plug-ins should be packaged for Debian
Control: found -2 clementine/1.3.1+git276-g3485bbe43+dfsg-1
Control: severity -2 minor
Control: tags -2 - upstream

As discussed in bug#874295, I think there is a separate bug to be
resolved here: the program should not download code for execution from
a third-party website, when that code can instead be packaged for
Debian and installed using the OS package manager.

This (new) bug report requests that the program in Debian should not
have the behaviour Jonas describes above.

Instead, if there are third-party plug-ins to enable Clementine
features, those plug-ins should be packaged separately for Debian, and
only enabled by installing the Debian package.

The license conditions of those third-party packages will determine
whether they are in Debian, or in some other archive area. This bug
report does not relate to that issue.

Instead, this bug report requests that the download and execution of
third-party code should not happen, preferring to have the third-party
code packaged and managed by the Debian package manager.