From: "Ludovic Courtès" <ludo@gnu.org>
To: adfeno--- via <help-guix@gnu.org>
Cc: guix-devel@gnu.org, 44178@debbugs.gnu.org,
Adonay Felipe Nogueira <adfeno@hyperbola.info>
Subject: Re: packaging a golang package
Date: Thu, 28 Jan 2021 17:03:22 +0100 [thread overview]
Message-ID: <87mtwtkq0l.fsf@gnu.org> (raw)
In-Reply-To: <bf7bc90e-17b0-7393-ce02-b38a12d0ab48@hyperbola.info> (adfeno's message of "Thu, 28 Jan 2021 07:32:18 -0300")
Hi,
adfeno--- via <help-guix@gnu.org> skribis:
> If by vendoring we mean bundling and also make users fetch data from places not explicitly committed to the GNU FSDG, then allow me to jump in to add some important notes.
>
> Em 27/01/2021 11:31, Katherine Cox-Buday escreveu:
>> As a packager for a distribution, I dislike vendoring because of the
>> reasons you outlined above, _but_ I also dislike building upstream
>> software with versions of dependencies that weren't approved, tested,
>> and verified, upstream. It seems to me like that's a recipe for
>> unstable, maybe even insecure, software.
>
> I also agree that this would be problematic, but I fear that if we surrender to vendoring, we might defeat the purpose of GNU Guix.
I sympathize with that feeling.
It’s definitely a hard problem. Even Debian, which has been a
lighthouse for many on these matters, recently gave up:
https://lwn.net/Articles/843313/
I think both Katherine’s concerns and yours are valid.
IMO, the importer should be able to import things recursively and assume
we’re not going to bundle anything. It’d be up to the packager, then,
to opt out and selectively use bundled copies of dependencies, if and
when that appears necessary.
> I'm OK with the importer approach but, *in my opinion*, I don't think this tackles the true issue described on the 4th paragraph of the “License Rules” described on the GNU FSDG ([1]), this is why I opened Guix bug #45450 ([2]).
IMO, ‘guix import’ does not “steer users towards obtaining any nonfree
information” any more than wget does. It’s a tool for packagers that
returns a package definition or template thereof, and it’s up to the
packager to decide what to do with it.
Thanks,
Ludo’.
next prev parent reply other threads:[~2021-01-28 16:03 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-08 7:01 packaging a golang package Timmy Douglas
2021-01-08 18:33 ` raingloom
2021-01-08 19:01 ` Leo Famulari
2021-01-10 0:32 ` Timmy Douglas
2021-01-11 6:09 ` Timmy Douglas
2021-01-17 13:31 ` Helio Machado
2021-01-25 7:18 ` Timmy Douglas
2021-01-25 20:49 ` Francois.JOULAUD--- via
2021-01-25 23:38 ` Helio Machado
2021-01-27 14:31 ` Katherine Cox-Buday
2021-01-28 8:18 ` Timmy Douglas
2021-01-28 10:32 ` adfeno--- via
2021-01-28 16:03 ` Ludovic Courtès [this message]
2021-01-28 21:10 ` adfeno--- via
-- strict thread matches above, loose matches on Subject: below --
2021-01-20 3:27 jgart
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87mtwtkq0l.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=44178@debbugs.gnu.org \
--cc=adfeno@hyperbola.info \
--cc=guix-devel@gnu.org \
--cc=help-guix@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).