From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Augusto Stoffel Newsgroups: gmane.emacs.devel Subject: Re: ELPA submission: mathjax.el Date: Sat, 26 Oct 2024 09:57:51 +0200 Message-ID: <87h68zxpmo.fsf@gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="36603"; mail-complaints-to="usenet@ciao.gmane.io" Cc: stefankangas@gmail.com, philipk@posteo.net, emacs-devel@gnu.org To: Richard Stallman Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Sat Oct 26 09:58:45 2024 Return-path: Envelope-to: ged-emacs-devel@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1t4bh7-0009Lu-0A for ged-emacs-devel@m.gmane-mx.org; Sat, 26 Oct 2024 09:58:45 +0200 Original-Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1t4bgU-00025P-F7; Sat, 26 Oct 2024 03:58:06 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1t4bgQ-0001vg-02 for emacs-devel@gnu.org; Sat, 26 Oct 2024 03:58:02 -0400 Original-Received: from mail-ed1-x534.google.com ([2a00:1450:4864:20::534]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1t4bgO-00005U-4r; Sat, 26 Oct 2024 03:58:01 -0400 Original-Received: by mail-ed1-x534.google.com with SMTP id 4fb4d7f45d1cf-5cb74434bc5so3675652a12.0; Sat, 26 Oct 2024 00:57:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1729929477; x=1730534277; darn=gnu.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=VzCwoFxOfNH+tH04/JTUzAOVxx25GRbM5TWaadnTwPM=; b=RY3rAZ0CgxXwRDL5EoT8mviV1uI5eKUJzFdMiTUUGtEdOjFSKj1PBNJL3loWWYqnPW HJpoft0KPeEr/i6ih8Y9tuFlPpaKJ33FUGhF4gAKR2HJeIETjko2uVvaJFRAIAS0meG3 phPxd8YkGowaAwQtSRLSADcF+XheuGRhzZ9SyMdrMUeUrR2Zt8Uzw/IUdSDGsAk72Nmd IuC7xAJjHEQAdbrLOrYGgRb0XS3a2T0gdXnZkIxo694NQl385lK7ubsGjXA2G4JUZmIc aQJCQtzrPaNf9/vq1BUP+gitLm2VuLzkplpbQS/p8wIsHTaz96c0XCpMiRYysrJt+rmO RJ7A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1729929477; x=1730534277; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=VzCwoFxOfNH+tH04/JTUzAOVxx25GRbM5TWaadnTwPM=; b=nH89PLqZRSJ5rMGQ9XSRvPBNpJEBAnAvVJ3xp8dSLBAywfE0DNOddPhcHGXeKXqUg/ Q91ZaeV3Mt+VQBm1iGPuwKuDiTHZH/aDitK2UsiuVn8hXSxva1vvGoJcbgC26jjcEoDH MFP4FNet6SpiN8WNOFLUwX5pM8946vF/AG6cqf8CruJ1K1RnErpEwpS5v74cYY1sd/gM 4TfS7G20Cxo8SeCiB8nEcA6XtXcP0md4z2JgwRhJIP1M1QBwd5nHqyBVhBC+FWDPZmzq N6aRjiSvHeEFwUkL7oZrFhQRGQa4mmfDp3qwnLcKdy1UOn5RhUIDdJZASvVKZC4jzrUq kvbg== X-Forwarded-Encrypted: i=1; AJvYcCXKzeBg0DQAOJ5KkCdJzpVViZKmka1q2znAyO7yx865yAwVLb5azWmUC3ajcUacIe7pLj2a7R90X8NMeg==@gnu.org X-Gm-Message-State: AOJu0Yx90eCzdOUzaQ3aeqT3NO71Rg3CyoDHnHJNO2pzSThkRNTfHNZA q1ifWRwXet7d+W7u181l53fprDhgZRqt1PO9JHRvER63n7Bub5GCZCKgVw== X-Google-Smtp-Source: AGHT+IFDTKwNdCfqha9S6Unp0QH6+l9NtkrBV8ofbZ2MiQxDFnL9BsYBggel4raS4fLvqYCpgaMDFg== X-Received: by 2002:a05:6402:524b:b0:5cb:739d:5416 with SMTP id 4fb4d7f45d1cf-5cbbf943d42mr890825a12.31.1729929476399; Sat, 26 Oct 2024 00:57:56 -0700 (PDT) Original-Received: from ars3 ([2a02:8109:8a87:ff00::d6f6]) by smtp.gmail.com with ESMTPSA id 4fb4d7f45d1cf-5cbb6258683sm1325043a12.20.2024.10.26.00.57.53 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 26 Oct 2024 00:57:54 -0700 (PDT) Received-SPF: pass client-ip=2a00:1450:4864:20::534; envelope-from=arstoffel@gmail.com; helo=mail-ed1-x534.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Xref: news.gmane.io gmane.emacs.devel:324847 Archived-At: On Sat, 26 Oct 2024 at 01:46, Richard Stallman wrote: > [[[ To any NSA and FBI agents reading my email: please consider ]]] > [[[ whether defending the US Constitution against all enemies, ]]] > [[[ foreign or domestic, requires you to follow Snowden's example. ]]] > > > A. If the build environment has Node/npm, all that is needed is to run > > make math2svg.js. > > node.js is a collection of many Javascript programs, right? > Are we sure that they are all free software? Node.js is a JS runtime, so more than just a bunch of JS files. It is the kind of software that touts itself as open source rather than free software, but effectively it is. The license is MIT and it is included in some (perhaps all) GNU/Linux distros listed at https://www.gnu.org/distros/free-distros.html. > npm poses a deeper problem. I could be mistaken here, but ISTR that > it contains lots of packages, some free and some not. If you use > module Foo, and it is free, to link in dependenceies from npm, > checking whether those dependencies are free or not is manual labor. You're right, one has to check they're not using non-free packages. In the case at hand, that makes it my (respectively the ELPA maintainers') burden to check. > If the situation is indeed like that, trying to use npm in the free > world is asking to lose. We shouldn't enable access to it for > ourselves, let alone suggest that someone else do so! > > If the situation is different from that, maybe that makes our situation > better, but could you please explain the actual situation with npm? > > Do you have a list of the modules that mathjax depends on? Sure. The direct dependencies of my package as listed in math2svg/package.json and the transitive dependencies are listed in math2svg/package-lock.json. The number of dependencies is high, but one can also use a program that summarizes the licenses: $ npx license-checker --summary =E2=94=9C=E2=94=80 MIT: 176 =E2=94=9C=E2=94=80 ISC: 29 =E2=94=9C=E2=94=80 BSD-2-Clause: 9 =E2=94=9C=E2=94=80 Apache-2.0: 8 =E2=94=9C=E2=94=80 BSD-3-Clause: 5 =E2=94=9C=E2=94=80 CC-BY-4.0: 1 =E2=94=9C=E2=94=80 (BSD-2-Clause OR MIT OR Apache-2.0): 1 =E2=94=9C=E2=94=80 CC-BY-3.0: 1 =E2=94=9C=E2=94=80 CC0-1.0: 1 =E2=94=9C=E2=94=80 (MIT AND CC-BY-3.0): 1 =E2=94=9C=E2=94=80 0BSD: 1 =E2=94=9C=E2=94=80 (MIT OR CC0-1.0): 1 =E2=94=94=E2=94=80 MIT*: 1 > > B. If the build environment can run containers, I can include a suita= ble > > Dockerfile. > > Container systems in general present the same kind of pitfalls as npm: > they put lots of free modules and lots of nonfree modules into a > bucket and making sure you don't pull out any of the nonfree ones is > your problem. That's correct. But note that when your container declaration starts with FROM docker.io/debian:stable then you know you're just running on an isolated copy of Debian stable. You have access to exactly the same nonfree software you could get in the ELPA build system itself (which runs Debian stable). > I've been told there are important differences between the well-known > container systems in this regard, and I don't remember how Docker > stacks up. MAYBE if we consult a Docker expert we will find it can be > used safely. But we had better study this carefully. > > System distributions include binary packages to speed installation. > We can surely package mathjax this way somehow or other. But we must > release sources with a build recipe too. If we include mathjax > somehoe in Emacs, or in GNU in any way, we _must_ include a way to > build it from source. That includes any special tools it needs. > > If the makefile to compile mathjax uses a container, it had better > include the rules to build that container, manually specifying which > modules to include in the container. Somewhere there must be rules to > rebuild THOSE modules from source. I've just mentioned containers as a hypothetical technical solution, it's not being considered seriously.