mICQ in Debian

mICQ author Rüdiger Kuhlmann "trojaned" the mICQ Debian package by adding obfuscated code that made the program refuse to run if the EXTRAVERSION preprocessor variable was undefined at compile time and the user was not madkiss. Here is the message about it from Martin Loschwitz, the mICQ package maintainer for Debian. He's the aforementioned madkiss, meaning mICQ was specifically written so the Debian package (which removes the EXTRAVERSION #define) would only work for the guy making and testing the package.

Kuhlmann says it's all cleared up now, as he and Loschwitz came to an agreement, namely that Loschwitz would stop being the mICQ package maintainer for Debian. I'm dubious of Kuhlmann's argument that it was OK, particularly:

In fact, I only added dead code. It was you who #ifdef'd it in--not knowingly, but anyway. So much about it being Debian specific--it isn't. It broke if you munged it, i.e. if you broke it.

All code is dead until you compile it. Even if it were targeted solely at the maintainer as Kuhlmann claims, it broke functionality for users. Kuhlmann claims it's not targeted at Debian users because we can still compile from source, or download his binaries, but the main reason for using Debian as far as I'm concerned is the package system. It remains that whether or not he intended to or believes so, Kuhlmann broke functionality for end users.

But then, look at what Kuhlmann claims, responding to the claim that this change affected Debian's reputation:

There's also the reputation of mICQ at stake. Does Debian improve the reputation of mICQ by shipping an old version of mICQ? Does Debian improve the reputation of mICQ by shipping a version with an extremely annoying bug that could trivially be fixed, and refusing to fix it several times? Does Debian improve my reputation as an OSS software author by removing my name from the copyright file? Does Debian improve its own reputation by shipping a version of mICQ that because of the last point isn't even legal to distribute, though Debian is so extremely reticent about free vs non-free?

Geez. I can see using an old version (everyone uses old versions of Kit and Stapler, it seems like), but apparently removing EXTRAVERSION in particular was due to Debian packaging rules.

And removing someone from the COPYRIGHT file is inexcusable. What is that about? I certainly wouldn't want to have my name removed from any software I wrote that happened to be in Debian. With all this alleged, the question isn't so much if what Kuhlmann did was OK, but if it was justified.

Hamish Moffatt responds to Kuhlmann:

But how can we trust you given what you have done, given that you seem to have no regard for proper process at all?

Kuhlmann isn't in it to maintain a Debian package, he's just writing mICQ. Of course he doesn't care about Debian's process! That Debian is illegally redistributing his code is entirely Debian's fault. How can you possibly justify dropping a bureaucracy on his head to account for your own illegal act?

The whole imbroglio is a result of Debian being slow to correct a problem with a package, and the author being impatient ("I could have sent a message to debian-devel, that's true. Would anyone have listened to an unknown wannabe developer on it? During Christmas? ... [I]t didn't sound like it would fix everything soon to me, and I was about to release the stuff"). There's plenty of blame to go around.

Brian McGroarty 11:54 PM 20 Feb 2003

The Debian stable release accepts only bug fixes. The copyright/credit wasn't removed; it wasn't added to the old version's file when a security patch was applied. The author previously distributed the source without the credits and copyright where he wanted them. The new version in unstable had his added copyright information. If the author had indeed posted this to debian-devel, his request to have it added to the Woody version would have been taken into consideration and probably resolved in his favor. Instead, he's made an ass of himself. I sure won't touch micq with a ten foot pole now. If the author did talk to Loschwitz about this individually, and Loschwitz never brought it up in debian-devel (I didn't see it, but I don't know that he spoke to him either), then Loschwitz deserves a spanking as well. Regardless, I think Loschwitz deserves a spanking for not reviewing diffs when updating a package he's maintaining. It's not required in the Debian policy documents, but it wakes me up to scary spider thoughts... the message was printed clear as day in a printf.
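The mechanism the post describes at the top (a refusal to run keyed on an undefined build macro plus the invoking user's name) and the remedy McGroarty's comment points at (actually reading the diff when updating a package) fit together as a small review aid. The following is an added example, not code from the post, its commenters, mICQ or Debian. It assumes a packager has a unified diff of the upstream update in hand; the sample diff, the C function names and the printed message in it are constructed to resemble the page's description, with only the macro name EXTRAVERSION and the user name madkiss taken from the page.

```python
"""Rank hunks in a unified diff for a packager's review (added example).

Reads a unified diff and calls out hunks whose added lines have the shape of
an environment-dependent refusal to run: user-identity lookups, hard exits,
and preprocessor conditionals on build-only, version-style macros. SAMPLE_DIFF
is constructed; the C code in it is hypothetical.
"""
import re

# Heuristics for added lines. Each is a reason to read the hunk, not a verdict.
IDENTITY_CALLS = re.compile(
    r'\b(getuid|geteuid|getlogin|getpwuid|getpwnam|cuserid)\s*\('
    r'|getenv\s*\(\s*"(USER|LOGNAME)"')
HARD_EXIT = re.compile(r'\b(exit|_exit|abort)\s*\(')
# EXTRAVERSION (the define the Debian packaging dropped) is one instance of
# "behaviour that changes when a version-style macro is not defined".
BUILD_ONLY_IFDEF = re.compile(
    r'^\s*#\s*(ifndef|ifdef|if\s+!?\s*defined)\s*\(?\s*[A-Z_]*VERSION\b')

REASON_IDENTITY = "user-identity lookup"
REASON_EXIT = "hard exit"
REASON_IFDEF = "conditional on build-only macro"


def parse_hunks(diff_text):
    """Yield (file, hunk_header, added_lines) for every hunk in a unified diff."""
    current_file, hunk = None, None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):          # file header, not an added line
            current_file = line[4:].strip()
        elif line.startswith("@@"):
            if hunk is not None:
                yield hunk
            hunk = (current_file, line, [])
        elif hunk is not None and line.startswith("+"):
            hunk[2].append(line[1:])
    if hunk is not None:
        yield hunk


def hunk_reasons(added_lines):
    """Return the set of reasons a block of added lines deserves a closer look."""
    reasons = set()
    for ln in added_lines:
        if IDENTITY_CALLS.search(ln):
            reasons.add(REASON_IDENTITY)
        if HARD_EXIT.search(ln):
            reasons.add(REASON_EXIT)
        if BUILD_ONLY_IFDEF.search(ln):
            reasons.add(REASON_IFDEF)
    return reasons


def review(diff_text):
    """Return one finding per suspicious hunk, highest severity first."""
    findings = []
    for fname, header, added in parse_hunks(diff_text):
        reasons = hunk_reasons(added)
        if not reasons:
            continue
        # Looking up who runs the program next to an unconditional exit in the
        # same hunk is the shape of "works only for one user".
        severity = "high" if {REASON_IDENTITY, REASON_EXIT} <= reasons else "review"
        findings.append({"file": fname, "hunk": header,
                         "severity": severity, "reasons": sorted(reasons)})
    findings.sort(key=lambda f: f["severity"] != "high")
    return findings


# Constructed sample: one hunk resembling the page's description, one plain bugfix.
SAMPLE_DIFF = """\
--- a/util.c
+++ b/util.c
@@ -1,4 +1,13 @@
 #include <stdio.h>
+#include <pwd.h>
+#include <string.h>
+#include <unistd.h>
 int util_init(void) {
+#ifndef EXTRAVERSION
+    struct passwd *pw = getpwuid(getuid());
+    if (pw == NULL || strcmp(pw->pw_name, "madkiss") != 0) {
+        printf("This build is not supported. Use the upstream binary.\\n");
+        exit(1);
+    }
+#endif
     return 0;
 }
@@ -30,3 +39,3 @@
 char *dup_name(const char *src, size_t len) {
-    char *buf = malloc(len);
+    char *buf = malloc(len + 1);
     strcpy(buf, src);
"""

if __name__ == "__main__":
    for f in review(SAMPLE_DIFF):
        print(f"[{f['severity']}] {f['file']} {f['hunk']}: {', '.join(f['reasons'])}")
```

Run against the sample, the first hunk is reported as high (all three reasons fire) and the malloc fix is silent. The point of the combination rule is that none of the three patterns is wrong on its own; a hunk that introduces all of them at once, in an update that is supposed to be a bugfix, is the one a maintainer should read line by line, which is exactly the review McGroarty's comment says was skipped. The regexes are deliberately narrow; obfuscated code can evade them, so the tool ranks hunks for a human rather than replacing the reading.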