Guix, third-party repositories and GNU FSDG

  • Open
2 participants
  • Adonay Felipe Nogueira
  • Léo Le Bouter
Submitted by
Adonay Felipe Nogueira
Adonay Felipe Nogueira wrote on 26 Dec 2020 20:13
Severity: critical

According to the GNU FSDG ([1], emphasis is mine):

> A free system distribution must not steer users towards obtaining any nonfree information for practical use, or encourage them to do so. The system should have no repositories for nonfree software and no specific recipes for installation of particular nonfree programs. *Nor should the distribution refer to third-party repositories that are not committed to only including free software; even if they only have free software today, that may not be true tomorrow.* Programs in the system should not suggest installing nonfree plugins, documentation, and so on.

However, at least in the case of the rust package, in the following example one can see that cargo is also included:

$ guix package --show=rust

> name: rust
> version: 1.46.0
> outputs: out doc cargo
> systems: x86_64-linux i686-linux
> dependencies: bison@3.5.3 cmake-minimal@3.16.5 curl@7.69.1 flex@2.6.4
> + gdb@8.2.1 jemalloc@5.2.1 libssh2@1.9.0 llvm@10.0.0 make@4.2.1 openssl@1.1.1f
> + pkg-config@0.29.2 procps@3.3.16 python2@2.7.17 rust@1.45.2 which@2.21
> location: gnu/packages/rust.scm:105:2
> homepage:
> license: ASL 2.0, Expat
> synopsis: Compiler for the Rust programming language
> description: Rust is a systems programming language that provides memory
> + safety and thread safety guarantees.

In continuation, as can be seen on [2], the installed cargo has its default repository enabled.

Furthermore, neither [3] nor [4] have expressed commitment to the GNU FSDG.

Here are some suggestions, probably not tested nor researched for viability:

a) make the importer activate a flag of its own in order to use that package. This would render a plain install of the package a version with cargo absent while still having the possibility to do the imports;

b) coordinate with the head of the cargo community (and possibly other free/libre system distributions or free/libre software activism groups) an agreement so that they express commitment to the GNU FSDG on [3] and [4], and of course make them set up a bug/issue/task tag/section for GNU FSDG issues. This must be done together with either (a), (d) or (e);

c) coordinate with other free/libre system distributions or free/libre software activism groups a project to provide a common repository that such groups could refer to by default by patching their copy of cargo. This must be done together with either (a), (d) or (e);

d) find a way to provide cargo but without any repository. This would require a way for the importer to specify the repositories at run-time;

e) despite not being desirable by some people, there is also the possibility of removing cargo.

As a side-note, as the original subject stated, I think we should address this issue in other packages too, if any, and also document the decision in the manual or in a guideline.

# References

* Free software activist
* Member of the evaluation groups for
* Software (Free Software Directory)
* System distributions (FreedSoftware)
* Websites (Free JavaScript Action Team)
* I am not a lawyer and I do not promote nonfree ones
* Always check your e-mail's spam/junk folder
* Or have all received messages placed in the inbox
* I always sign e-mails with OpenPGP
* Public key: see the previous address
* Any other may be fraud
* If you do not have OpenPGP, ignore the "signature.asc" attachment
* When sending attachments
* Documents, spreadsheets and presentations: use OpenDocument
* Other types: see the previous address
* Use federated communication protocols
* See the previous address
* Secret messages only via
* E-mail encrypted and signed with OpenPGP
Attachment: signature.asc
Léo Le Bouter wrote on 12 Feb 2021 22:22

I have been looking at this, since Cargo has a feature to add third
party repositories already I am thinking we can remove the concept of a
default repository in Cargo by patching it.

Cargo has multiple roles in relation with - it can search,
install and publish packages. I am thinking we need to strip the search
and install functionality on the currently default repository. Publish
functionality could stay.

I will report back when I have a satisfying patchset for Cargo.