unofficial mirror of bug-guix@gnu.org 
 help / color / mirror / code / Atom feed
* bug#45450: Guix, third-party repositories and GNU FSDG
@ 2020-12-26 19:13 Adonay Felipe Nogueira via Bug reports for GNU Guix
  2021-02-12 21:22 ` Léo Le Bouter via Bug reports for GNU Guix
  0 siblings, 1 reply; 2+ messages in thread
From: Adonay Felipe Nogueira via Bug reports for GNU Guix @ 2020-12-26 19:13 UTC (permalink / raw)
  To: 45450


[-- Attachment #1.1: Type: text/plain, Size: 4098 bytes --]

Severity: critical

According to the GNU FSDG ([1], emphasis are mine):

> A free system distribution must not steer users towards obtaining any nonfree information for practical use, or encourage them to do so. The system should have no repositories for nonfree software and no specific recipes for installation of particular nonfree programs. *Nor should the distribution refer to third-party repositories that are not committed to only including free software; even if they only have free software today, that may not be true tomorrow.* Programs in the system should not suggest installing nonfree plugins, documentation, and so on.

However, at least on the case of the rust package, in the following example one can see that cargo is also included:

$ guix package --show=rust

> name: rust
> version: 1.46.0
> outputs: out doc cargo
> systems: x86_64-linux i686-linux
> dependencies: bison@3.5.3 cmake-minimal@3.16.5 curl@7.69.1 flex@2.6.4
> + gdb@8.2.1 jemalloc@5.2.1 libssh2@1.9.0 llvm@10.0.0 make@4.2.1 openssl@1.1.1f
> + pkg-config@0.29.2 procps@3.3.16 python2@2.7.17 rust@1.45.2 which@2.21
> location: gnu/packages/rust.scm:105:2
> homepage: https://www.rust-lang.org
> license: ASL 2.0, Expat
> synopsis: Compiler for the Rust programming language  
> description: Rust is a systems programming language that provides memory
> + safety and thread safety guarantees.

In continuation, as can be seen on [2], the installed cargo has it's default repository enabled.

Furthermore, neither [3] nor [4] have expressed commitment to the GNU FSDG.

Here are some suggestions, probably not tested nor researched for viability:

a) make the importer activate a flag of its own in order to use that package. This would render a plain install of the package a version with cargo absent while still having the possibility to do the imports;

b) coordinate with the head of the cargo community (and possibily other free/libre system distributions or free/libre software activism groups) an agreement so that they express commitment to the GNU FSDG on [3] and [4], and of course make them setup a bug/issue/task tag/section for GNU FSDG issues. This must be done together with either (a), (d) or (e);

c) coordinate with other free/libre system distributions or free/libre software activism groups a project to provide a common repository that such groups could refer to by default by patching their copy of cargo. This must be done together with either (a), (d) or (e);

d) find a way to provide cargo but without any repository. This would require a way for the importer to specify the repositories at run-time;

e) despite not being desirable by some people, there is also the possibility of removing cargo.

As a side-note, as the original subject stated, I think we should address this issue in other packages too, if any, and also document the decision on the manual or on guideline.


# References


[1]: https://www.gnu.org/distros/free-system-distribution-guidelines.en.html#license-rules .

[2]: https://lists.gnu.org/archive/html/help-guix/2020-12/msg00231.html .

[3]: https://crates.io/policies .

[4]: https://www.rust-lang.org/policies/code-of-conduct .


-- 
* Ativista do software livre
	* https://libreplanet.org/wiki/User:Adfeno
	* Membro dos grupos avaliadores de
		* Software (Free Software Directory)
		* Distribuições de sistemas (FreedSoftware)
		* Sites (Free JavaScript Action Team)
	* Não sou advogado e não fomento os não livres
* Sempre veja o spam/lixo eletrônico do teu e-mail
	* Ou coloque todos os recebidos na caixa de entrada
* Sempre assino e-mails com OpenPGP
	* Chave pública: vide endereço anterior
	* Qualquer outro pode ser fraude
	* Se não tens OpenPGP, ignore o anexo "signature.asc"
* Ao enviar anexos
	* Docs., planilhas e apresentações: use OpenDocument
	* Outros tipos: vide endereço anterior
* Use protocolos de comunicação federadas
	* Vide endereço anterior
* Mensagens secretas somente via
	* XMPP com OMEMO
	* E-mail criptografado e assinado com OpenPGP


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

^ permalink raw reply	[flat|nested] 2+ messages in thread

* bug#45450: Guix, third-party repositories and GNU FSDG
  2020-12-26 19:13 bug#45450: Guix, third-party repositories and GNU FSDG Adonay Felipe Nogueira via Bug reports for GNU Guix
@ 2021-02-12 21:22 ` Léo Le Bouter via Bug reports for GNU Guix
  0 siblings, 0 replies; 2+ messages in thread
From: Léo Le Bouter via Bug reports for GNU Guix @ 2021-02-12 21:22 UTC (permalink / raw)
  To: 45450

[-- Attachment #1: Type: text/plain, Size: 516 bytes --]

Hello!

I have been looking at this, since Cargo has a feature to add third
party repositories already I am thinking we can remove the concept of a
default repository in Cargo by patching it.

Cargo has multiple roles in relation with crates.io - it can search,
install and publish packages. I am thinking we need to strip the search
and install functionality on the currently default repository. Publish
functionality could stay.

I will report back when I have a satisfying patchset for Cargo.

Léo

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2021-02-12 21:23 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-12-26 19:13 bug#45450: Guix, third-party repositories and GNU FSDG Adonay Felipe Nogueira via Bug reports for GNU Guix
2021-02-12 21:22 ` Léo Le Bouter via Bug reports for GNU Guix

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).