Guix, third-party repositories and GNU FSDG

Open
Submitted by Adonay Felipe Nogueira.
Details
2 participants
  • Adonay Felipe Nogueira
  • Léo Le Bouter
Owner: unassigned
Severity: critical
Adonay Felipe Nogueira wrote on 26 Dec 2020 20:13
(address . bug-guix@gnu.org)
84d5c1f2-dbc3-b0ed-cd8a-ad451b591d4c@hyperbola.info
Severity: critical

According to the GNU FSDG ([1], emphasis is mine):

> A free system distribution must not steer users towards obtaining any nonfree information for practical use, or encourage them to do so. The system should have no repositories for nonfree software and no specific recipes for installation of particular nonfree programs. *Nor should the distribution refer to third-party repositories that are not committed to only including free software; even if they only have free software today, that may not be true tomorrow.* Programs in the system should not suggest installing nonfree plugins, documentation, and so on.

However, at least in the case of the rust package, in the following example one can see that cargo is also included:

$ guix package --show=rust

> name: rust
> version: 1.46.0
> outputs: out doc cargo
> systems: x86_64-linux i686-linux
> dependencies: bison@3.5.3 cmake-minimal@3.16.5 curl@7.69.1 flex@2.6.4
> + gdb@8.2.1 jemalloc@5.2.1 libssh2@1.9.0 llvm@10.0.0 make@4.2.1 openssl@1.1.1f
> + pkg-config@0.29.2 procps@3.3.16 python2@2.7.17 rust@1.45.2 which@2.21
> location: gnu/packages/rust.scm:105:2
> homepage: https://www.rust-lang.org
> license: ASL 2.0, Expat
> synopsis: Compiler for the Rust programming language
> description: Rust is a systems programming language that provides memory
> + safety and thread safety guarantees.

In continuation, as can be seen in [2], the installed cargo has its default repository enabled.

Furthermore, neither [3] nor [4] have expressed commitment to the GNU FSDG.

Here are some suggestions, probably not tested nor researched for viability:

a) make the importer activate a flag of its own in order to use that package. This would render a plain install of the package a version with cargo absent while still having the possibility to do the imports;

b) coordinate with the head of the cargo community (and possibly other free/libre system distributions or free/libre software activism groups) an agreement so that they express commitment to the GNU FSDG on [3] and [4], and of course make them set up a bug/issue/task tag/section for GNU FSDG issues. This must be done together with either (a), (d) or (e);

c) coordinate with other free/libre system distributions or free/libre software activism groups a project to provide a common repository that such groups could refer to by default by patching their copy of cargo. This must be done together with either (a), (d) or (e);

d) find a way to provide cargo but without any repository. This would require a way for the importer to specify the repositories at run-time;

e) despite not being desirable by some people, there is also the possibility of removing cargo.

As a side note, as the original subject stated, I think we should address this issue in other packages too, if any, and also document the decision in the manual or in a guideline.


# References







--
* Free software activist
* Member of the evaluation groups for
* Software (Free Software Directory)
* System distributions (FreedSoftware)
* Websites (Free JavaScript Action Team)
* I am not a lawyer and I do not promote nonfree ones
* Always check your e-mail's spam/junk folder
* Or have all received messages go to the inbox
* I always sign e-mails with OpenPGP
* Public key: see the previous address
* Any other may be fraud
* If you do not have OpenPGP, ignore the "signature.asc" attachment
* When sending attachments
* Documents, spreadsheets and presentations: use OpenDocument
* Other types: see the previous address
* Use federated communication protocols
* See the previous address
* Secret messages only via
* XMPP with OMEMO
* E-mail encrypted and signed with OpenPGP
Attachment: signature.asc
Léo Le Bouter wrote on 12 Feb 2021 22:22
(address . 45450@debbugs.gnu.org)
01bec424a8ce437fde2f624fca190514d130d667.camel@zaclys.net
Hello!

I have been looking at this; since Cargo has a feature to add third-party
repositories already, I am thinking we can remove the concept of a
default repository in Cargo by patching it.

Cargo has multiple roles in relation with crates.io - it can search,
install and publish packages. I am thinking we need to strip the search
and install functionality on the currently default repository. Publish
functionality could stay.

I will report back when I have a satisfying patchset for Cargo.

Léo