From: Richard Stallman <rms@gnu.org>
To: Gregory Heytings <gregory@heytings.org>
Cc: emacs-devel@gnu.org
Subject: Re: [PROPOSAL] Builder, a build system integration for Emacs
Date: Sun, 28 May 2023 17:48:38 -0400 [thread overview]
Message-ID: <E1q3OFi-0000hj-Jp@fencepost.gnu.org> (raw)
In-Reply-To: <3a315ddd3a25a56c8d6a@heytings.org> (message from Gregory Heytings on Sat, 27 May 2023 00:26:13 +0000)
[[[ To any NSA and FBI agents reading my email: please consider ]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]
You've told me a lot of pertinent info about how Cargo works.
Thank you for going to that effort. I think that due to your help
I now understand the issue enough to reach tentative conclusions.
The conclusions say that we have a problem. The reasoning is
explained below.
> > Where does cargo get the list of libraries to consider using?
> >
> The dependencies of a Rust program/library are specified (manually) by the
> author of that program/library, in a (structured) text file. The source
> code of the libraries on which the program/library depends are downloaded
> (by Cargo) from the crates.io registry, and kept in a local cache
> (CARGO_HOME, by default $HOME/.cargo).
I expected it was something like this, but I didn't know.
Now I know. Thanks.
> No, some libraries/programs in the crates.io registry are non-free
I was worried about that.
So if you build a Rust program Foo, its dependencies will cause some libraries
to be loaded from crates.io, and their dependencies will cause other libraries to be loaded from crates.io, and so on recursively. Is that right?
And if any of those libraries specifies a nonfree dependency, that nonfree code
will get compiled into the program Foo -- right?
If so, that puts freedom at risk. It means that any time you build a
Rust program that you have not thoroughly studied, you don't know
whether it will incorporate nonfree software.
Have I made any mistake in this reasoning?
If it is correct so far, I think that implies that the standard
version of Cargo is unacceptable in a free system. With the standard
version of Cargo, all the packages in crates.io are virtually include
in the system distro. If crates.io contains any nonfree package,
then any system distro that includes Cargo virtually includes that
nonfree package, so it is not a free distro.
Our distros must be free -- so I think it follows that our distros
cannot include unmodified Cargo.
Have I made any mistake in this reasoning?
> Since a registry is just a git repository hosted
> online or locally, you can fork the crates.io repository, and then you
> are free to modify it as you see fit, such as filtering out unsuitable
> libraries (e.g., those who transitively depend on any non-libre
> libraries).
Maybe we need to make such a fork of crates.io, delete all nonfree
packages, and modify our version of Cargo to use that.
How do packages get approved for inclusion in crates.io?
There are both freedom issues and security issues.
I think we should move this to gnu-prog-disc.
--
Dr Richard Stallman (https://stallman.org)
Chief GNUisance of the GNU Project (https://gnu.org)
Founder, Free Software Foundation (https://fsf.org)
Internet Hall-of-Famer (https://internethalloffame.org)
next prev parent reply other threads:[~2023-05-28 21:48 UTC|newest]
Thread overview: 101+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-21 10:21 [PROPOSAL] Builder, a build system integration for Emacs BTuin
2023-05-21 12:11 ` Philip Kaludercic
2023-05-21 14:56 ` Augustin Chéneau (BTuin)
2023-05-21 17:24 ` Jim Porter
2023-05-21 19:33 ` Augustin Chéneau (BTuin)
2023-05-21 19:58 ` Jim Porter
2023-05-21 21:36 ` John Yates
2023-05-22 16:35 ` Augustin Chéneau (BTuin)
2023-05-23 0:44 ` Po Lu
2023-05-23 21:10 ` Augustin Chéneau (BTuin)
2023-05-23 21:17 ` Óscar Fuentes
2023-05-24 6:09 ` Dirk-Jan C. Binnema
2023-05-24 21:35 ` Richard Stallman
2023-05-24 23:32 ` Jim Porter
2023-05-25 0:11 ` Gregory Heytings
2023-05-25 4:00 ` tomas
2023-05-25 6:53 ` Gregory Heytings
2023-05-25 7:48 ` Eli Zaretskii
2023-05-25 9:33 ` Gregory Heytings
2023-05-25 11:28 ` Eli Zaretskii
2023-05-25 11:53 ` Gregory Heytings
2023-05-25 13:09 ` Eli Zaretskii
2023-05-25 14:36 ` Gregory Heytings
2023-05-25 16:20 ` Eli Zaretskii
2023-05-25 16:40 ` tomas
2023-05-25 19:23 ` Gregory Heytings
2023-05-26 0:57 ` Po Lu
2023-05-27 0:24 ` Gregory Heytings
2023-05-26 5:57 ` Eli Zaretskii
2023-05-26 21:16 ` Richard Stallman
2023-05-27 0:25 ` Gregory Heytings
2023-05-28 10:20 ` Madhu
2023-05-28 12:38 ` Po Lu
2023-05-29 22:03 ` Gregory Heytings
2023-05-29 22:42 ` Po Lu
2023-05-30 7:26 ` Gregory Heytings
2023-05-30 12:54 ` Po Lu
2023-05-30 15:08 ` Gregory Heytings
2023-05-30 16:50 ` chad
2023-05-31 1:14 ` Po Lu
2023-06-05 1:09 ` Gregory Heytings
2023-06-05 5:29 ` Po Lu
2023-06-05 8:17 ` Gregory Heytings
2023-06-05 9:06 ` Po Lu
2023-06-17 3:34 ` Yilkal Argaw
2023-05-27 14:55 ` Brian Cully via Emacs development discussions.
2023-05-26 0:54 ` Po Lu
2023-05-26 21:16 ` Richard Stallman
2023-05-27 0:26 ` Gregory Heytings
2023-05-27 2:37 ` Ruijie Yu via Emacs development discussions.
2023-05-28 21:48 ` Richard Stallman [this message]
2023-05-29 22:05 ` Gregory Heytings
2023-05-30 13:01 ` Po Lu
2023-05-30 15:08 ` Gregory Heytings
2023-05-31 1:16 ` Po Lu
2023-06-02 21:38 ` Richard Stallman
2023-06-05 1:10 ` Gregory Heytings
2023-06-05 5:19 ` Po Lu
2023-06-05 8:17 ` Gregory Heytings
2023-06-05 9:00 ` Po Lu
2023-05-31 22:28 ` Richard Stallman
2023-05-30 21:52 ` Richard Stallman
2023-05-28 21:48 ` Richard Stallman
2023-05-25 13:16 ` chad
2023-05-25 19:38 ` Augustin Chéneau (BTuin)
2023-05-26 21:32 ` Richard Stallman
2023-05-27 9:45 ` Yuri Khan
2023-05-28 21:48 ` Richard Stallman
2023-05-29 8:03 ` Yuri Khan
2023-05-30 21:47 ` Richard Stallman
2023-05-25 7:55 ` tomas
2023-05-25 8:44 ` Gregory Heytings
2023-05-25 10:38 ` Po Lu
2023-05-25 11:44 ` Gregory Heytings
2023-05-25 12:02 ` Po Lu
2023-05-25 12:08 ` Gregory Heytings
2023-05-26 0:52 ` Po Lu
2023-05-26 21:16 ` Richard Stallman
2023-05-27 0:26 ` Gregory Heytings
2023-05-28 21:47 ` Richard Stallman
2023-05-29 22:05 ` Gregory Heytings
2023-05-30 13:03 ` Po Lu
2023-05-31 22:29 ` Richard Stallman
2023-05-26 22:59 ` Lynn Winebarger
2023-05-28 21:22 ` Björn Bidar
2023-05-29 22:38 ` Richard Stallman
2023-05-29 22:38 ` Richard Stallman
2023-05-30 4:28 ` tomas
2023-05-25 10:42 ` Po Lu
2023-05-25 19:36 ` Augustin Chéneau (BTuin)
2023-05-22 22:00 ` Richard Stallman
2023-05-23 8:36 ` Philip Kaludercic
2023-05-23 11:18 ` Eli Zaretskii
2023-05-23 12:13 ` Po Lu
2023-05-23 18:46 ` Augustin Chéneau (BTuin)
2023-05-24 6:32 ` Juri Linkov
2023-05-24 20:09 ` Augustin Chéneau (BTuin)
2023-05-24 3:34 ` David Masterson
2023-05-24 10:26 ` Philip Kaludercic
2023-05-28 21:17 ` Björn Bidar
-- strict thread matches above, loose matches on Subject: below --
2023-05-27 7:12 [PROPOSAL] " Payas Relekar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=E1q3OFi-0000hj-Jp@fencepost.gnu.org \
--to=rms@gnu.org \
--cc=emacs-devel@gnu.org \
--cc=gregory@heytings.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/emacs.git
https://git.savannah.gnu.org/cgit/emacs/org-mode.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.