Bug#355064: gnome shouldn't depend on rhythmbox

Loïc Minier lool at dooz.org
Fri Mar 3 11:36:47 UTC 2006 

        Hi,

On Fri, Mar 03, 2006, Michael Stone wrote:
> You really seem to have some sort of tunnel vision.

 Don't be insulting.  You didn't make any effort to encompass my vision,
 I made some and gave you some points.  I explained why I felt this way.
 You simply dismiss these points because no-one has a MacOSX on your
 network.  I can tell you I saw plenty of advertized services at FOSDEM,
 I see some at home from my MacOSX, I saw some at my office...  This is
 nowhere near your point of view of a small set of privileged people
 which you never saw, this is what I would call a mass-market
 technology.

>                                                     IMO, most people 
> won't wonder why they didn't get rhythmbox because they won't care.  
> Those that do can simply install it.

 I think you're confusing gnome and gnome-desktop-environment.

 People wanting the GNOME desktop, and only that should install
 gnome-desktop-environment.  gnome is a much wider set, pulling stuff
 like evolution, or gnome-office.

> Well, you don't like the idea of changing the package. Fine. But now you 
> both won't change the package *and* insist that it *must* be installed 
> by default for anyone who wants a gnome desktop?

 Again, you seem to miss the point of gnome versus
 gnome-desktop-environment.

> >You don't want to stop GNOME to want features as simple as
> >file-sharing.
> I expect that someone should have to turn that on. You're suggesting 
> gnome take a step *backward* from a security perspective while the 
> industry is moving in the other direction. 

 Right, someone turns that on, exactly like someone must explicitely
 turn on sharing of his music in Rhythmbox.  But browsing of remote
 shares is enabled by default.

 Do you consider Apple part of "the industry"?

> >It's quite natural for people to get a webserver when they install a
> >webapp such as phppgadmin, yet apache2 does not only listen on lo by
> >default, 
> And phppgadmin doesn't get installed by default when you say you want a 
> desktop system, does it? (A better policy for handling *all* daemons is 
> actually a good thing long term, but holding the line for desktops is a 
> least a step in the right direction.)

 Neither does rhythmbox if you select gnome-desktop-environment.

 You completely ignore my proposals, which were to help you offer the
 security-oriented distro you want, without choping away the
 feature-encompassing GNOME I want.

 I talked of this with a lot of people at FOSDEM, they were all
 developers and all understood what it meant to have a port open.  Some
 of them suggested the solutions I proposed to you (and that you didn't
 even bother to comment on), but all of them thought it was completely
 ok to have avahi pulled in this way.

 If you have a technical problem with the way deps are layered and the
 fact that avahi-daemon listen on the network from your security
 perspective, and I can't agree from a functional perspective, let's
 take the problem the next step (since evidently you wanted to bypass me
 by bringing that at the GNOME team scope), that is the TC.

 If you wish for this resolution, I can do the job of giving a short
 summary of the discussion with pointers to deb-sec and this bug for
 references, and open the discussion with the tech-ctte.
   If you don't, please state so and propose a reasonnable course of
 actions (hint: consensual), where I get some of the functionalities I
 want, and you get some of the security you want.

   Cheers,

-- 
Loïc Minier <lool at dooz.org>

More information about the Pkg-gnome-maintainers mailing list