From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-devel-bounces+larch=yhetil.org@gnu.org>
Received: from mp10.migadu.com ([2001:41d0:8:6d80::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms5.migadu.com with LMTPS
	id oPSOHY9wu2KHBgAAbAwnHQ
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Tue, 28 Jun 2022 23:20:15 +0200
Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp10.migadu.com with LMTPS
	id CGGOHI9wu2KHzgAAG6o9tA
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Tue, 28 Jun 2022 23:20:15 +0200
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id 4264026F24
	for <larch@yhetil.org>; Tue, 28 Jun 2022 23:20:15 +0200 (CEST)
Received: from localhost ([::1]:48362 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	id 1o6Id4-0007WB-8Y
	for larch@yhetil.org; Tue, 28 Jun 2022 17:20:14 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:41764)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <marius@gnu.org>) id 1o6Icg-0007Vp-Ls
 for guix-devel@gnu.org; Tue, 28 Jun 2022 17:19:50 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e]:39288)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <marius@gnu.org>) id 1o6Icg-0000tu-D5
 for guix-devel@gnu.org; Tue, 28 Jun 2022 17:19:50 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org;
 s=fencepost-gnu-org; h=MIME-Version:Date:Subject:To:From:in-reply-to:
 references; bh=qA/2YzdFWNKyuXKZe0/xuI4SlAE3IHRg8FoVOiF+ciY=; b=dB7+yWwtAHCcJR
 5WwhDYYXhHbHVwUUnvTkXuOtUMZPt9xxbIE6bzcCQuLo9Hqxcu4ChGRqPoH07aLmfoZqE1pmsxOkT
 yHJpPLb3REfse6wMBApQy+a+4IkFPxsoRZatOKeoAd1VeTwqQxoA5VgX76l3v7rRT3QUcm2xW8iEv
 TstC6oNxUFVe8r6mpTQKJuk2gZf8g+qxFB4HF9P+mLOa6h2V5LU8V4NyaTe+PaoctMFO6nO1Nxl3E
 v33ltmuydnnBSCdLNww4uJ5IyhPKB+51/Fg1QH++3Lv+jKNtP+RUnhIGOW7ZH4KTMQyD1vwwCxuip
 kCwvqBLd2Y9S9X1kWvuQ==;
Received: from host-37-191-236-102.lynet.no ([37.191.236.102]:47856
 helo=localhost)
 by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <marius@gnu.org>) id 1o6Icg-00016G-0e
 for guix-devel@gnu.org; Tue, 28 Jun 2022 17:19:50 -0400
From: Marius Bakke <marius@gnu.org>
To: guix-devel@gnu.org
Subject: Non-free data in Poppler test suite
Date: Tue, 28 Jun 2022 23:19:47 +0200
Message-ID: <87k090qydo.fsf@gnu.org>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
X-BeenThere: guix-devel@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+larch=yhetil.org@gnu.org>
X-Migadu-Flow: FLOW_IN
X-Migadu-To: larch@yhetil.org
X-Migadu-Country: US
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1656451215;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:list-id:list-help:list-unsubscribe:
	 list-subscribe:list-post:dkim-signature;
	bh=qA/2YzdFWNKyuXKZe0/xuI4SlAE3IHRg8FoVOiF+ciY=;
	b=Y6bonY7AsUCFkMCdViCpp4BifYJm8NOOBFJCdc7nmYRt2ONhKJnuVzNfYw4eyn08Xix2Hh
	NITDWuo3kARM4Eq5JCxeZCavimIv8+oLpl4s+Cc3semttauMJ5mZFeoO92duyFhAww8TvN
	aaMHNr1qczDlgOyvx4rKZFZnP0OCrN/ftj3faa80d9diVcBAlZNr6VOH/P89Hze+NYpWu0
	0QTmDCQZotAxBxLLLbVdQVZNf1cGX8ojlB7whPU0yrjheXtQozgLRZ33JkwVy3bpDX7PSt
	9yKlUZP8jOOWhOFglFOkB2ektHwQb8b7hIQzTaFdAUSh8cAYyK5cN0QfRhPPSw==
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1656451215; a=rsa-sha256; cv=none;
	b=l3EkB/a/SNYD4q4gWDXYjKQqg6VcyOFazlxwbWMfTMm1fBF9cD0S8Jn+ZZZDkKU1xHekHC
	ctO2drFDP9xSx6atDjJO5BHoBwhO3JVC9Vlrgj22SmrZx25lLZCMuUPcVuHC26qj+Cy3am
	N1n+2OXY/+onQ3SM9e/eiMMG7igvofOqnTZ0mGtXkkAlUwNJqQvHqP6+t6whOl8GqGm6Um
	E8re/nV1td/TFwM2dEMdj7oCaFY63mYY/RGYT9XEp7fmqsCDH5G9orn7rQ5AIyDU2zAKZM
	cXTZ4Rv/6WjdywnY+J49QJMkGfOKLzE6F8PiP7tPBYV9HCmXym+stv2AUs6Jqg==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=pass header.d=gnu.org header.s=fencepost-gnu-org header.b=dB7+yWwt;
	dmarc=pass (policy=none) header.from=gnu.org;
	spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"
X-Migadu-Spam-Score: -8.36
Authentication-Results: aspmx1.migadu.com;
	dkim=pass header.d=gnu.org header.s=fencepost-gnu-org header.b=dB7+yWwt;
	dmarc=pass (policy=none) header.from=gnu.org;
	spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"
X-Migadu-Queue-Id: 4264026F24
X-Spam-Score: -8.36
X-Migadu-Scanner: scn0.migadu.com
X-TUID: 27+OJpVY4DbI

--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Hello Guix,

I discovered a potential freedom issue with the Poppler test suite.
Specifically it includes a file with the CC BY-NC-ND (non-commercial)
license:

  https://gitlab.freedesktop.org/poppler/test/-/commit/920c89f8f43bdfe8966c=
8e397e7f67f5302e9435

It turns out the repository is filled with PDFs of unknown origins, that
are impossible to audit.

(this issue only exists on the "core-updates" branch)

Normally we'd remove such files with a 'snippet', but these files are
not actually shipped with Poppler itself: they are downloaded separately
and only used for running tests during the build process:

  https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/pdf.scm?h=3D=
core-updates&id=3D8c3e9da13a3c92a7db308db8c0d81cb474ad7799#n226

As such, these files are not accessible to end users of Guix short of
disabling substitutes and grepping the store.

So the million dollar question ... are these files okay to use for Guix?

In my (non-lawyer) opinion, I have faith that Poppler developers would
not distribute files that are not freely redistributable, and that this
counts as "non-functional data" per FSDG guidelines:

  https://www.gnu.org/distros/free-system-distribution-guidelines.html

However, we failed to reach a consensus on #guix[0].  What do others
around here think?  Should we play it safe and disable Poppler tests?
Raise the issue with FSF?  Something else?

[0]: https://logs.guix.gnu.org/guix/2022-06-28.log#195123

=2D-=20
Thanks,
Marius
(And sorry for being gone for so long!  I'm back now, promise.)

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iIUEARYKAC0WIQRNTknu3zbaMQ2ddzTocYulkRQQdwUCYrtwcw8cbWFyaXVzQGdu
dS5vcmcACgkQ6HGLpZEUEHcCWwD/X2A2/aPmbmSChtn12y6DFicJ0LA5hbpRgKFe
rps5fPcA/RHBrd7nlGIvFKggEX9gpkS2nZ8uZDHVI4CqrnAhoYYP
=/K7x
-----END PGP SIGNATURE-----
--=-=-=--