Potential FSDG issue with debootstrap scripts

  • Open
  • quality assurance status badge
Details
2 participants
  • Denis 'GNUtoo' Carikli
  • Marius Bakke
Owner
unassigned
Submitted by
Denis 'GNUtoo' Carikli
Severity
normal
D
D
Denis 'GNUtoo' Carikli wrote on 21 Aug 2020 06:45
(address . bug-guix@gnu.org)
20200821064527.5cf8d23b@primarylaptop.localdomain
Hi,

I found a potential issue with the debootstrap package and the Guix
blog.

The Free System Distribution Guidelines states that:
Toggle quote (10 lines)
> A free system distribution must not steer users towards obtaining any
> nonfree information for practical use, or encourage them to do so.
> The system should have no repositories for nonfree software and no
> specific recipes for installation of particular nonfree programs. Nor
> should the distribution refer to third-party repositories that are
> not committed to only including free software; even if they only have
> free software today, that may not be true tomorrow. Programs in the
> system should not suggest installing nonfree plugins, documentation,
> and so on.

However after instalation, the debootstrap package contains scripts for
installing many distributions, and most of them are either not FSDG
compliant or have nonfree software in them.

I assume that the Ubuntu repositories are "third-party repositories that
are not committed to only including free software", and they are used
in the debootstrap scripts to install Ubuntu.

After installation I got the following scripts in
~/.guix_profile/share/debootstrap/scripts/:
- aequorea
- amber
- artful
- ascii
- bartholomea
- beowulf
- bionic
- bookworm
- breezy
- bullseye
- buster
- ceres
- chromodoris
- cosmic
- dapper
- dasyatis
- debian-common
- disco
- edgy
- eoan
- etch
- etch-m68k
- feisty
- focal
- gutsy
- hardy
- hoary
- hoary.buildd
- intrepid
- jaunty
- jessie
- jessie-kfreebsd
- kali
- kali-dev
- kali-last-snapshot
- kali-rolling
- karmic
- lenny
- lucid
- maverick
- natty
- oldoldstable
- oldstable
- oneiric
- potato
- precise
- quantal
- raring
- sarge
- sarge.buildd
- sarge.fakechroot
- saucy
- sid
- squeeze
- stable
- stretch
- testing
- trusty
- unstable
- utopic
- vivid
- warty
- warty.buildd
- wheezy
- wily
- woody
- woody.buildd
- xenial
- yakkety
- zesty

The scripts are named after distribution codenames. So here you can see
some ubuntu code names like trusty, xenial, etc (ubuntu contains nonfree
software), or some debian code names like stretch.

Not all scripts are problematic, as amber is the codename of the
main PureOS repository[2].

To fix that, Parabola patches debootstrap to remove the problematic
scripts[3] and also adds support for many FSDG distributions along the
way. It also has a modified manual[4] with examples for Trisquel
instead of Debian.

Something similar could probably be done in debian.scm[5].

In addition the Guix blog post about "Running a Ganeti cluster on
Guix"[6] should probably be reviewed as it contains code to install
Debian buster.

As I understand, Debian may not contain nonfree software but it is not
FSDG compliant, so it could be a good idea to use an FSDG compliant
distributions instead to avoid any issues. In addition if the buster
script is removed, then the code on the blog post won't work anymore.

References:
-----------

Denis.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEeC+d2+Nrp/PU3kkGX138wUF34mMFAl8/UWcACgkQX138wUF3
4mMY5Q//bPHoIi+0BWTG+d0HK2R5mH+uL3OEJyCQBqt/e3jhVd8FypKBNGNENe5F
zQsUbbWlVxj3vDFB7ndtwtgUd2IwSSihAhg9okD+Gm80wA9vWQt8dLFqPuVjroWG
+JZOmp4PM2b59+A2qMHsdQM4vxqgu+qdvhT0kQ7SlFr7RXsBL0R3zJ9Mhw67dGlN
mhX89LYBvpJcnD6KHlH0BQJpK6hwUa7USSh3NMvTsu9BP07aeSkYG16/719PtPEg
95iewUBAgYXYITLmadVsxYdmOOBCmK/ROGthMd1kwOIRiZFXwHnN7dg8hHEjozXp
+WHaylKOKuuuixsfQtMvitX+emdIth7RHIhOv5s7Ntz22dAszKQJwxuy9sgLDkpg
A5JB9Iq4fc7aKg82QAAOzPHixcbjp21ifRSgU8j+XiKmf4Q7OZgic/TvKMFZ/uGa
m+oWPE6VKeh7AJrerQCwXcN7JnL6v7wqTqmMHKYrsBNMdnQi3qZ+lzqfL5TcVH/e
E20khAz10qXD27Csn6CJDl9x/FmlcxOu481FKDyj1n/2C9ebowhUY3qeRr2qZRuM
t68oYboiWKBd9sQ0OGaW8PGY2VhymnWShfAmHLiVFHC/rOvUGYyd4pGXGpCPrbEb
iiwGNSKwm38gcp38iV/xVfRu+7fXSEBmUqWF8MY911gojLp3DHQ=
=lazX
-----END PGP SIGNATURE-----


M
M
Marius Bakke wrote on 26 Aug 2020 22:56
87o8mx6s9c.fsf@gnu.org
Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> writes:

Toggle quote (5 lines)
> Hi,
>
> I found a potential issue with the debootstrap package and the Guix
> blog.

Thanks for bringing this to our attention!

Toggle quote (19 lines)
> The Free System Distribution Guidelines states that:
>> A free system distribution must not steer users towards obtaining any
>> nonfree information for practical use, or encourage them to do so.
>> The system should have no repositories for nonfree software and no
>> specific recipes for installation of particular nonfree programs. Nor
>> should the distribution refer to third-party repositories that are
>> not committed to only including free software; even if they only have
>> free software today, that may not be true tomorrow. Programs in the
>> system should not suggest installing nonfree plugins, documentation,
>> and so on.
>
> However after instalation, the debootstrap package contains scripts for
> installing many distributions, and most of them are either not FSDG
> compliant or have nonfree software in them.
>
> I assume that the Ubuntu repositories are "third-party repositories that
> are not committed to only including free software", and they are used
> in the debootstrap scripts to install Ubuntu.

Does Ubuntu carry non-free software in the default repos? If so I agree
that is a problem.

Toggle quote (3 lines)
> After installation I got the following scripts in
> ~/.guix_profile/share/debootstrap/scripts/:

[...]

Toggle quote (4 lines)
> The scripts are named after distribution codenames. So here you can see
> some ubuntu code names like trusty, xenial, etc (ubuntu contains nonfree
> software), or some debian code names like stretch.

Here you assert that Ubuntu contains non-free software, but previously
you only assumed so. Did you figure it out along the way? :-)

Toggle quote (3 lines)
> Not all scripts are problematic, as amber is the codename of the
> main PureOS repository[2].

Why is PureOS not problematic? They have a "non-free" repository
component too:


Toggle quote (7 lines)
> To fix that, Parabola patches debootstrap to remove the problematic
> scripts[3] and also adds support for many FSDG distributions along the
> way. It also has a modified manual[4] with examples for Trisquel
> instead of Debian.
>
> Something similar could probably be done in debian.scm[5].

Thanks for the information. I actually wanted to use Trisquel for the
Ganeti documentation, and was surprised that it was not supported by
debootstrap.

Do you know where to find the Parabola patches? Any chance they will
upstream the work?

Toggle quote (9 lines)
> In addition the Guix blog post about "Running a Ganeti cluster on
> Guix"[6] should probably be reviewed as it contains code to install
> Debian buster.
>
> As I understand, Debian may not contain nonfree software but it is not
> FSDG compliant, so it could be a good idea to use an FSDG compliant
> distributions instead to avoid any issues. In addition if the buster
> script is removed, then the code on the blog post won't work anymore.

AIUI the FSDG does not require that linked package repositories are
committed to the FSDG, only that they are committed to providing only
free software, which Debian is. What issues do you have in mind?

Note that the Guix manual section on Ganeti also contains references to
Debian and Ubuntu; I agree it would be nice to refer to FSDG-friendly
distributions there instead (but first we need support in debootstrap).

I have slight reservations against changing the blog post without a good
reason: it is fairly disconnected from the Guix software distribution
and has already "made the rounds". Someone bookmarking it for later
reference might get annoyed that the code is no longer there. But if
there is consensus among Guix users or a breach of the FSDG I am of
course happy to update it.

Thanks!
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAl9GzG8ACgkQoqBt8qM6
VPrWsQgAwmGSlt/xlOFS+MWpsrGRL1Wf/ulYw8iQEFMhwNLe1rO0+khrmu2ohGyX
j9CGD3rD7An1K08fl1mhR+KauNbeyUnsLMthaKblIrVj/J8rm/3FqqRXHjKkJnOH
NcQy0RjUOP4MLWPG/VsM1A+IJsxUqvNYj7crImwis3g07LAEaH3l0V58fOu+jMbu
S2vInhkwOTXfph+Bt7Y5XEgi9jqcEqCQg9H1RB4Q9WnExSpcEktvy6ykM4j4dq2B
kK7oFewi20MbgSqGTf/QD5axny5ILmMHOmzvZtWWxypt0KG2pMaEyijZOFBzuXPp
+RBQH0G69HjiijquLbl1u9A76J12qg==
=jmBl
-----END PGP SIGNATURE-----

?
Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 42964@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 42964
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch