From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp1.migadu.com ([2001:41d0:303:e224::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms13.migadu.com with LMTPS id 0JXKC22YdGZphgEA62LTzQ:P1 (envelope-from ) for ; Thu, 20 Jun 2024 21:00:29 +0000 Received: from aspmx1.migadu.com ([2001:41d0:303:e224::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp1.migadu.com with LMTPS id 0JXKC22YdGZphgEA62LTzQ (envelope-from ) for ; Thu, 20 Jun 2024 23:00:29 +0200 X-Envelope-To: larch@yhetil.org Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=elenq.tech header.s=soverin1 header.b=a3rrYijX; dmarc=none; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org" ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1718917228; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post:dkim-signature:autocrypt:autocrypt; bh=1/qZoIkguJcNCkwQC600bgttjTo2UTDUl+wJbe3AfIg=; b=DzhQ8gDCcDvITzaGRnmlkRuSVE3e4ZA4UlfrS1Cp36y/Osvy+KE3vTyuHc+n5lgbnLO9FG 81KWsmE1Sn7SYVkLPaCk+xChsh0QGi9UsC/wdMaVs0VitePMg853bTSrzTMIvz2BFsjxmg rJiHeCZTSJD+sZQl1pDdqXNXa59PB82zkmNCqRJtWeWh+tPst197Twd2vRnf5aRG32VnIY 9nJ23Bm6E0xqj0c9VIjFhW98JtcE/NfyyVKPpbPY6qciWOrccVR0BV1Qs5G3FHBFtNVtXK UK9w25j1ShiUGfcsT8En1Zcs6QVbAsmlS/dtlqsn2y9/CwVV/C0v+7M4ezzv8Q== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1718917228; a=rsa-sha256; cv=none; b=L2ksOb4iDB1k6CVdvdGZf3pJoBO+2u4N5Ch0UGRn7hQT+DeYrgMzsJKCLmOHI46nRFSAR9 zcH74fP4AfKGK1y0AQvdrY8G406QNAKCzVtZV0g+aVeKRSxStrr7MMFAJEbxJvQgTmJQgs +tyvj6uDx8zSRpBtSpfDUqpcJTHnbgweIrOFcrvqyuzccL7e4MJh82dMV+PPIjPYuRXCKR 5KpR+0HznZp7uMKB0+UvaadNakcfZRjWeLX+GZliXX9KcV3c9914f7ZlkWB7IS6fVSxCJy Ud+Ip2iqXkKiob3KASTpQ6DQ5edUH25soE94KFhcgOLpIjM68Mvc9HjUcFN76g== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=elenq.tech header.s=soverin1 header.b=a3rrYijX; dmarc=none; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org" Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id EC0EB6CB2C for ; Thu, 20 Jun 2024 23:00:27 +0200 (CEST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1sKOsw-0003T3-Em; Thu, 20 Jun 2024 16:59:58 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sKOsu-0003Sn-0S for guix-devel@gnu.org; Thu, 20 Jun 2024 16:59:56 -0400 Received: from dane.soverin.net ([185.233.34.21]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1sKOsn-0003Qi-SQ for guix-devel@gnu.org; Thu, 20 Jun 2024 16:59:55 -0400 Received: from smtp.soverin.net (c04smtp-lb01.int.sover.in [10.10.4.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by dane.soverin.net (Postfix) with ESMTPS id 4W4tCf0mPszcN; Thu, 20 Jun 2024 20:59:42 +0000 (UTC) Received: from smtp.soverin.net (smtp.soverin.net [10.10.4.99]) by soverin.net (Postfix) with ESMTPSA id 4W4tCd4Ttdz2r; Thu, 20 Jun 2024 20:59:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=elenq.tech; s=soverin1; t=1718917181; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:autocrypt:autocrypt; bh=1/qZoIkguJcNCkwQC600bgttjTo2UTDUl+wJbe3AfIg=; b=a3rrYijXSCJ2m8fn20XOuuFMSswKwdZG0dKsfyAstFV9l85aDCPOh28G8LppDjElMmhtJb wvqsgzMLdDjuzFS3svehNtbKw1XTDog+UXtP9T9HzdewQJf1F3KM1D7Z5ULFnF0lUA7LJQ bf0bDBo5ERYmmY8OFTz8YCPi1QgAzP/f0dB7RPgBwmmu9UUCD/ypgey81nFmhafdxDqtpg L1Xe/hffXcXiDFh01hDG7b6MUiG2ZGasIbEmMsZB94fbKhrEZWB32PYY9VtUa11iwYr8tl prlWwwXPQG6Z38MTk5sbB3hAKdmNhkSwSl4CRBxHrSJhlZZxnaBnwZ05CbgXvg== Message-ID: Date: Thu, 20 Jun 2024 22:59:41 +0200 MIME-Version: 1.0 Subject: Re: Next Steps For the Software Heritage Problem Content-Language: en-US, es-ES, eu To: Andreas Enge , Dale Mellor Cc: guix-devel@gnu.org References: <20240618113717.4a6bad2b@fannys.me> <8734pa5mlx.fsf@meson> <077b1a0fdec4d0f30209c28d75dc40811c77a4a9.camel@rdmp.org> <24a0a840a595dfba7c145e5f207fef532ceb16d6.camel@rdmp.org> From: Ekaitz Zarraga Autocrypt: addr=ekaitz@elenq.tech; keydata= xsFNBGViSyIBEADY3g71uW/0CVaVm5/ObqTicQXXJRuh1uafIFiUUZoAp1V3V89b3LZ/m0cL 8YNHxTxsx8sKIMYTGlOvARAMiSpDvkmpf5pLn5T7+VvK90FOv/Pkp1tNNT+tvd0m/7C58+39 s7tN+XppbjVRtFuSXY0aFe8rpivZsKxv+tPUHUnQQszXvwgx0GQl8AX99IE+j75NJmBHFVg2 0geKa7QVymu669ix2+zU8vGoOKf5nIS0qG1m/vrtwR3ZuuyWX9/E/uP95ahX5ETWtjhTDbEm MEaRperwbczBewkdERJ34vRrverqKQA1xHXoPsx4NkLMocORFSSCJsveXcgWlU+pUIOYcKUA ARJjHhoWoUH4LZt5EOb7U17AaYMmATUXPCqq8G3jEXq6i0O1J1obCJGIRG02R9GiGp4zrVuv 2hmyoAmed4xYZAtf9WjcbwiunDkMGIxscdSlfEH/9dt7PGdEvkZ0dNSCTbp4ctMI4jAfobAL LReMSGx1CgPi01J61a/n/SgR66AiRJZCyC1u2V7AK1rBOAYzOU4UoePz+yF1I7crjZWAQVo6 DlmmXW+29l/lh2oK5jOuNEcvI6qi+tPCYxpDhUhZeYgqFU+/xgGlMj/XGvwuIFlpVg9ovFMg 6mxskOCVP9xNEp/qHiHqByYu5NRcITo/z/3BUimdXTT4KSq2cQARAQABzSJFa2FpdHogWmFy cmFnYSA8ZWthaXR6QGVsZW5xLnRlY2g+wsGOBBMBCAA4FiEEg/pnRVjAUpRlfkwZt5lM+Jly CyYFAmViSyICGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQt5lM+JlyCybjZxAAy+YW 3Q22xKoMWJYw03qGCy87WPK+xGWDpKD6TJ77+/IEbldObyQRrKYTTGjQSy6WgaJ0txJMIqeK JyuWuR3bq+Vkh86Byntl25jknOJ+jY1zwPs6HnWFr+hS48FcQh/0D26h57Cqc+6nbKhJcva8 JsInbHTbWPz7wye+xhqY1LfdgVTbCyADESXdmBY30/vP4LzqW81atwYF6X7dN7ko/JvyPPdv VlcspmbP6zNihoApBHdMfJwYscyAsu6tTyL4hMG3zpraeU+S857vZN39gFagRng+uyZG7rfB dHHAFzT1LKOZ4dahavOfA0gS1RZTgtAGsvhUEBn9vKxlB4efZuKhwMtgQEskRFD6JIF1DYCj pLgn5x/y3oI6rn35R46VDhLfohcUWpvzplu6LBft8ZNr+UgoVYc6qBezyDlxk0FmhGI7DEoh gfUxljTALXjSdUGEw2mvp/Mcrz+ffemWpG4+Zq0UXR8sZaHpv+PqmFLFFSQCOCRTYbMKzZBn y03wym3y0tGtunDGm5pR7NEPqUO9QbZdKyTy4ftRkSfTpiPCF8+KKYDT8HimSrusmtTfR4R1 nBJ4lNBYgTdOyJYFbHdF0Jxo9r0t+K2e+6hX6bK79o6aC+/LtzkoYgjCWvAEopO0ras/XQYM S7/bCzeDIhXX5RqmMIp5XN+oBP2roZDOwU0EZWJLIgEQAMIgPDpJY9aOhFiFICx58XMM28An yUPdN39t0A8VkUbsvKXH6eNqUZj/Q3yNcZrknAT1vinv9FN/4uCUnsaqEKp+mRAYgzmNfeJk SWuMzmA04fcISIBz3sJUR0w/59tWi8QxlNn7IR6McAA3lHDXC+KYh9ZfhaOARfan1M6Ppy6g YltUQGSSPXU807inmQZh8GFTi8iUza7vGuBEnaNRGhmhR+blMwHSqVWN4gD81e8dSAEi3zNR sLoBXneHUqTcJMHvsT5cOk7cGMoVAWIffA2EKWfrgda57Qw+w+0OPqWEfKoXwnyt35Tl+Lxl 7MAaAG9R5760yhgkf3LmnBNP3m6StZ8Fv09Gdn5cGSbVnoofHDkg4PQDTD6aGz9af3SnGVg9 nb1Zm1XbqtnYwG9JvQhcjgWAHwrPLkHAcvKtfYWNe4wiirMjXMXxADY08g33SEchPJR2r4pg wttJS4kHUJ2IQUmSH/43RO5PkftWsCucYGeaG1aPr+GAkeKIS1M3OZGuqhd800mltpiH73eL XrUPF8fgngC+SGMrHXLfzuhaRxPNYUbsdF+wRkvjRSO4tCmSVpgfPsHu5emoZgix1iiTO7GF do7L6n1Ay3oF4Witoxc0Gcbu7ltYlZHGmDnsVTVALartsJV2muSXpWcjQiXyC0gUkIkUD/3P jtgVxK8xABEBAAHCwXYEGAEIACAWIQSD+mdFWMBSlGV+TBm3mUz4mXILJgUCZWJLIgIbDAAK CRC3mUz4mXILJrIaD/9CXGckwRCojuRzP0r6+8/RvNDc03CSe2W17WrSaoYgiRb+h5asI/AL yqw+QRgwXZpt0i9hNiDCe/baD62mufIyjKFjHoAWSYJuZ5VK3vWnro6GaxWULYt1+c4c4Lz2 d1nSK6j8F3CxYo7BFk6afOusjYfh+0HywThcYY+x+K5Z+4SdJejDLiL5AzJn2W5Gt/ViK5nI wl7uRQpayMc9zmI8ytUT2NJxovq1/fT9nB8VPwlbJTE9zvIqfqHh9o9Apx5o8yTaSCyGUyu9 8h/klqxFy4HAPJJu/3JkiMaCI45ZdCqRR1LIwhtmW2lb73r0rP/0S1cKi+ehA4oQvwiUw7zh XXw7mqzSAJ0SWT92Vy2G8Z8qqgwxwfQcdFZAyJAL1rgEPQljNT91Vgbc6DCUka2XW5BqyhEB eS0n1gK0hYXbM9FKegRsZxlmRAXa4KGXCwr4BNK6k+zkKPitezjbtcLgcKSHa8/HyHNkW7xH R+MN16x2elQPmQ2d0Ien1HgsK98+3prlUGwZIVCqa1ddSoW0llU3JzGsKrMAiYbWg/rOXFil RJbuhjflaLBVmfI8VlRQRocP+WEH0lsUWrtjVaGcBj1/YnIoT+zT6fPSXwPsrBvAWEjfl8HH e1F4cYb+ugPDwUTd1s2Uj2tF0/fhCHPy9sXyx/EIL3gqyBw9M2Rz9A== In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spampanel-Class: ham Received-SPF: pass client-ip=185.233.34.21; envelope-from=ekaitz@elenq.tech; helo=dane.soverin.net X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: guix-devel-bounces+larch=yhetil.org@gnu.org X-Migadu-Flow: FLOW_IN X-Migadu-Country: US X-Migadu-Queue-Id: EC0EB6CB2C X-Migadu-Scanner: mx12.migadu.com X-Migadu-Spam-Score: -9.25 X-Spam-Score: -9.25 X-TUID: ZeV/CMzCifaF Hi, On 2024-06-20 22:54, Andreas Enge wrote: > Am Thu, Jun 20, 2024 at 07:42:44PM +0100 schrieb Dale Mellor: >> I'm sure guix lint tried to push my code out to them the last time I tried. > > Ah indeed, there is this in guix/lint.scm: > > (define (check-archival package) > "Check whether PACKAGE's source code is archived on Software Heritage. If > it's not, and if its source code is a VCS snapshot, then send a \"save\" > request to Software Heritage. > > It potentially calls this: > (define (save-package-source package) > "Attempt to save the source of PACKAGE on SWH. Return a list of warnings." > > Which calls this from swh.scm: > (define* (save-origin url #:optional (type "git")) > "Request URL to be saved." > (call (swh-url "/api/1/origin/save" type "url" url) json->save-reply > http-post*)) > > So it does not push code, but a URL from which the code can be downloaded. > Thus it requires the code to be available from the Internet; local code > is "safe" from SWH. > > Now I do not know what will happen if you save your code as a git > repository at a hidden URL. For instance, does SWH check the license? > I would hope so. > > There is documentation of this feature here: > https://archive.softwareheritage.org/api/1/origin/save/doc/ > which says this: > Depending of the provided origin url, the save request can either be: > - immediately accepted, for well known code hosting providers like for instance GitHub or GitLab > - rejected, in case the url is blacklisted by Software Heritage > - put in pending state until a manual check is done in order to determine if it can be loaded or not > > So I suppose that if you submit a hidden, but publicly available URL > pointing to non-free code, the request will be "put in pending state", > manually checked and rejected, and maybe the URL added to the blacklist. > > Andreas > > For this specific case we could add some flag to the command line like `--do-not-archive` or something like that. WDYT?