From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp2 ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms11 with LMTPS id aJhJKduSEmAefAAA0tVLHw (envelope-from ) for ; Thu, 28 Jan 2021 10:32:59 +0000 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp2 with LMTPS id iFsQJduSEmBVcAAAB5/wlQ (envelope-from ) for ; Thu, 28 Jan 2021 10:32:59 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 93CB39403D6 for ; Thu, 28 Jan 2021 10:32:58 +0000 (UTC) Received: from localhost ([::1]:48900 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1l54bg-00072t-4A for larch@yhetil.org; Thu, 28 Jan 2021 05:32:56 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:49136) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1l54bS-00072b-Oy; Thu, 28 Jan 2021 05:32:42 -0500 Received: from siauliai.hyperbola.info ([185.177.150.7]:56122 helo=smtp.hyperbola.info) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1l54bQ-00078u-0E; Thu, 28 Jan 2021 05:32:42 -0500 Received: by smtp.hyperbola.info (OpenSMTPD) with ESMTPSA id 636bfed6 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO) auth=yes user=adfeno; Thu, 28 Jan 2021 10:32:33 +0000 (UTC) Subject: Re: packaging a golang package To: 44178@debbugs.gnu.org References: <87h7nrud2a.fsf@timmydouglas.com> <4bdbc469-ad45-4739-b001-739ad3a60adc@www.fastmail.com> <87a6thtyvm.fsf@timmydouglas.com> <87bldw0ztb.fsf@timmydouglas.com> <20210125204534.ovhvt7rzj7tbqrnt@fjo-extia-HPdeb.example.avalenn.eu> <87wnvymoxe.fsf@gmail.com> Message-ID: Date: Thu, 28 Jan 2021 07:32:18 -0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Icedove/68.10.0 MIME-Version: 1.0 In-Reply-To: <87wnvymoxe.fsf@gmail.com> Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="pksnYJhm5C0ZAbX83w6Eb1HyZkG7SmUoK" Received-SPF: pass client-ip=185.177.150.7; envelope-from=adfeno@hyperbola.info; helo=smtp.hyperbola.info X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, NICE_REPLY_A=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: help-guix@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: guix-devel@gnu.org, "help-guix@gnu.org" Errors-To: help-guix-bounces+larch=yhetil.org@gnu.org Sender: "Help-Guix" Reply-to: Adonay Felipe Nogueira From: adfeno--- via X-Migadu-Flow: FLOW_IN X-Migadu-Spam-Score: -4.95 Authentication-Results: aspmx1.migadu.com; dkim=none; dmarc=pass (policy=none) header.from=gnu.org; spf=pass (aspmx1.migadu.com: domain of help-guix-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=help-guix-bounces@gnu.org X-Migadu-Queue-Id: 93CB39403D6 X-Spam-Score: -4.95 X-Migadu-Scanner: scn1.migadu.com X-TUID: lVQuCAJfDrMC This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --pksnYJhm5C0ZAbX83w6Eb1HyZkG7SmUoK Content-Type: multipart/mixed; boundary="GVXrRkXxLzgutvXuKd4piiGoI2P2OPunu" --GVXrRkXxLzgutvXuKd4piiGoI2P2OPunu Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: quoted-printable If by vendoring we mean bundling and also make users fetch data from plac= es not explicitly committed to the GNU FSDG, then allow me to jump in to = add some important notes. Em 27/01/2021 11:31, Katherine Cox-Buday escreveu: > As a packager for a distribution, I dislike vendoring because of the > reasons you outlined above, _but_ I also dislike building upstream > software with versions of dependencies that weren't approved, tested, > and verified, upstream. It seems to me like that's a recipe for > unstable, maybe even insecure, software. I also agree that this would be problematic, but I fear that if we surren= der to vendoring, we might defeat the purpose of GNU Guix. Besides, since GNU Guix is committed to GNU FSDG, the package maintainers= (or reviewers at least) would *theoretically* be obligated to observe th= e GNU FSDG requirements, otherwise the package is considered buggy, and o= ne of those requirements is to guarantee that all functional/practical da= ta/work are free/libre and that non-functional/non-practical data/works g= rant at least freedom 2 in full (to share and sell unlimited number of co= pies of the original to anyone for any purpose), all this would require a= t least a pass/check on the source files, the same check that is normally= used in the processes of unbundling/unvendoring. So we might as well cut= the path short. > I dislike it, but I also don't think we should try to solve the broader= > class of issues while trying to implement an importer. It should be a > larger discussion within the Guix community across _all_ language > packages about how we might achieve upstream parity while still > maintaining our goals as a distribution, all while not crippling our > infrastructure and people :) I'm OK with the importer approach but, *in my opinion*, I don't think thi= s tackles the true issue described on the 4th paragraph of the =E2=80=9CL= icense Rules=E2=80=9D described on the GNU FSDG ([1]), this is why I open= ed Guix bug #45450 ([2]). If Guix could make at least the suggestion (a) from Guix bug #45450 ([2])= work, I would be amazed, since it would remove the repositories from the= individual Guix recipes that provide the single-language package manager= s. Despite not being a developer focused on the plethora of single-language = package managers out there, and not even being a developer per see, I'm a= lso in favor of coordinating an effort between Guix and other package man= agers, but I think expressed/explicit commitment to the GNU FSDG by those= single-language package managers is a sine qua non for all free/libre sy= stem distributions, including GuixSD, which GNU Guix also maintains. # References [1]: https://www.gnu.org/distros/free-system-distribution-guidelines.html= #license-rules . [2]: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D45450#5 . --=20 * Ativista do software livre * https://libreplanet.org/wiki/User:Adfeno * Membro dos grupos avaliadores de * Software (Free Software Directory) * Distribui=C3=A7=C3=B5es de sistemas (FreedSoftware) * Sites (Free JavaScript Action Team) * N=C3=A3o sou advogado e n=C3=A3o fomento os n=C3=A3o livres * Sempre veja o spam/lixo eletr=C3=B4nico do teu e-mail * Ou coloque todos os recebidos na caixa de entrada * Sempre assino e-mails com OpenPGP * Chave p=C3=BAblica: vide endere=C3=A7o anterior * Qualquer outro pode ser fraude * Se n=C3=A3o tens OpenPGP, ignore o anexo "signature.asc" * Ao enviar anexos * Docs., planilhas e apresenta=C3=A7=C3=B5es: use OpenDocument * Outros tipos: vide endere=C3=A7o anterior * Use protocolos de comunica=C3=A7=C3=A3o federadas * Vide endere=C3=A7o anterior * Mensagens secretas somente via * XMPP com OMEMO * E-mail criptografado e assinado com OpenPGP --GVXrRkXxLzgutvXuKd4piiGoI2P2OPunu-- --pksnYJhm5C0ZAbX83w6Eb1HyZkG7SmUoK Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- iHUEAREIAB0WIQRlfzovINS9uQH7pZ3I1uFSAe6doQUCYBKSswAKCRDI1uFSAe6d oZd8AP90cIe8mab4YqjDVeZzTy1dLkktDwsAolOnorpBZ/FeowEAx8jMur8q03bF iNBvpAVnG2VAtY+518fs6iBT7G/AMMQ= =Sd5h -----END PGP SIGNATURE----- --pksnYJhm5C0ZAbX83w6Eb1HyZkG7SmUoK--