From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0.migadu.com ([2001:41d0:303:e16b::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms13.migadu.com with LMTPS id iEBNJvUrd2Z2ZgAAqHPOHw:P1 (envelope-from ) for ; Sat, 22 Jun 2024 19:54:29 +0000 Received: from aspmx1.migadu.com ([2001:41d0:303:e16b::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0.migadu.com with LMTPS id iEBNJvUrd2Z2ZgAAqHPOHw (envelope-from ) for ; Sat, 22 Jun 2024 21:54:29 +0200 X-Envelope-To: larch@yhetil.org Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=elephly.net header.s=zoho header.b=fuXXcO0b; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"; dmarc=none; arc=pass ("zohomail.com:s=zohoarc:i=1") ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1719086069; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=zIwWALTtLZr4d+u07NaUJvBnLzk4MltikQkebypRc1w=; b=Oos1wS/Ty11bQKbFDf5ImliuaoWhVwaWbebapS/yDLVvFVq/PS3SksH1b1B2DRW8LoC3RY CV8+4OPFnjH4I6yxH0s4lhmE5Orou5DgeZVkEC2DDyZpD1TzVmOh9GyO1O8mfDko/UPS8G V9AuapobK9A0abf+Pd1RQenJk965GZMKbem88djGTr6QdbEnHktfbOVaqHhAHnMraVdHDL pocbywBnTN3iYdKWI7mJiRE15DemMU2/9z2cBS7DS0HgenPvxCPwg/FrU3JvXV+mz7b7Gg khLVgQW33zbCAD3NbGlrbfWeDnMNyXh4ig+f/RZyZ6o4BSDOV6z+btwNszjMVg== ARC-Authentication-Results: i=2; aspmx1.migadu.com; dkim=pass header.d=elephly.net header.s=zoho header.b=fuXXcO0b; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"; dmarc=none; arc=pass ("zohomail.com:s=zohoarc:i=1") ARC-Seal: i=2; s=key1; d=yhetil.org; t=1719086069; a=rsa-sha256; cv=pass; b=iiEyCGuyFwm8IYe6gISC+CKeLFUosxgvuLR8KdaW+L9AUljou8YDXPPzo3kpX/TBaGfUuN FoP5CmpaIRT5BW1NwrGGwKGd2p0zSuRwe7AMAwJ0Ok8nK8hyWYeAwIYSl3hggBxZFZrs3D i8lPZfuc7N6MEhgg82AIxRWdE8Licnin+byaHJLKKTam7nn9T5F8jMiObJpAjau6kPGtfc Zz3uIcg8cf4yejGzWGGycb349i63bftP3oKLTGR0NgKx/vYO/05f2T3iUqhknePFpQt8IV j+otKVyrX8/ESSoNZrQwwUaNBuZUXtDW1hr5TlE2ReJzQwVIy2AFwxAPkHlYNg== Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 0E30364E91 for ; Sat, 22 Jun 2024 21:54:29 +0200 (CEST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1sL6o3-000354-21; Sat, 22 Jun 2024 15:53:51 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sL6o0-00034r-RT for guix-devel@gnu.org; Sat, 22 Jun 2024 15:53:48 -0400 Received: from sender4-of-o51.zoho.com ([136.143.188.51]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sL6ny-0003TT-Pw for guix-devel@gnu.org; Sat, 22 Jun 2024 15:53:48 -0400 ARC-Seal: i=1; a=rsa-sha256; t=1719086014; cv=none; d=zohomail.com; s=zohoarc; b=VZEVEK/hKJ3akgu2TAdnqhlayVAuotyxZwsu3uWL2egnSVtH/w3t0mqu3eJSRRxxby7FyoS5Y0txhsZms2n6WkmFjSjPVfw52wf5/TjkcbLp4HUX5Ml6MmSAIkkhWU7T9IfYTrexQCtdVxKcn7UeYBbku0F0m/lSbhOCf+eZZIU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1719086014; h=Content-Type:Cc:Cc:Date:Date:From:From:In-Reply-To:MIME-Version:Message-ID:References:Subject:Subject:To:To:Message-Id:Reply-To; bh=zIwWALTtLZr4d+u07NaUJvBnLzk4MltikQkebypRc1w=; b=DiA1iUQ/KjIiJ7h9RKXJSKsbhof4sdJJkJcmUn+PZfQnMHAjvM6lSTOebznCVQsE50Z7MZWKSZ3CJ8nNCapkjlTVMhqEgOslPenGT1zya3OXmLqzhfYCvNp2g4NN2LrTahMdZnR9sgsbBpa85sOy1di6lTFYGFKf0Qo79pQec6k= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass header.i=elephly.net; spf=pass smtp.mailfrom=rekado@elephly.net; dmarc=pass header.from= DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1719086014; s=zoho; d=elephly.net; i=rekado@elephly.net; h=From:From:To:To:Cc:Cc:Subject:Subject:In-Reply-To:References:Date:Date:Message-ID:MIME-Version:Content-Type:Message-Id:Reply-To; bh=zIwWALTtLZr4d+u07NaUJvBnLzk4MltikQkebypRc1w=; b=fuXXcO0b1u3QIEPsTdDz6C3NPKiS9eIbr2A0JQjM+7bDmEq3nfUw5WUa7cch6klC TXwMbVxRc86zYlZTicCe81qQ2P0Xd3M1SbEIllPXS2s91DbqppWUL/d+uHCz9DAsvqF Jo4lNsx9vzrDmLgcqpZouIiGmKf5NFUhSgo2OH+E= Received: by mx.zohomail.com with SMTPS id 1719086011533123.74095263567563; Sat, 22 Jun 2024 12:53:31 -0700 (PDT) From: Ricardo Wurmus To: MSavoritias Cc: Richard Sent , Andreas Enge , guix-devel@gnu.org Subject: Re: About SWH, let avoid the wrong discussion In-Reply-To: <20240622174242.7e1a18d5@fannys.me> (MSavoritias's message of "Sat, 22 Jun 2024 17:42:42 +0300") References: <20240618113717.4a6bad2b@fannys.me> <87msnebsfd.fsf@gmail.com> <20240621121213.419da774@fannys.me> <20240621134439.5bc324b4@fannys.me> <87zfrdazzn.fsf@freakingpenguin.com> <20240622174242.7e1a18d5@fannys.me> Date: Sat, 22 Jun 2024 21:53:27 +0200 Message-ID: <87cyo8zrd4.fsf@elephly.net> MIME-Version: 1.0 Content-Type: text/plain X-ZohoMailClient: External Received-SPF: pass client-ip=136.143.188.51; envelope-from=rekado@elephly.net; helo=sender4-of-o51.zoho.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: guix-devel-bounces+larch=yhetil.org@gnu.org X-Migadu-Country: US X-Migadu-Flow: FLOW_IN X-Migadu-Queue-Id: 0E30364E91 X-Migadu-Scanner: mx13.migadu.com X-Migadu-Spam-Score: -10.25 X-Spam-Score: -10.25 X-TUID: bcCXGuB4jOvw MSavoritias writes: >> To clarify. I am specifically opposed to a change in official Guix >> packages that allows for this statement: >> >> "Do not upload automatically to software heritage, and no one else can >> either." > > Let me put this more clear Richard, the statement above that archiving should be off by default means: > > - Guix respects the consent of the person using guix lint and their expectations. (that lint actually lints) > - Respects their privacy > - Respects their autonomy. User autonomy is not curtailed by informing an aligned service's crawler that an update has occurred. You have a first class option to disable whatever checks you don't want to run. That's autonomy. Since time immemorial "guix lint" has done more than strictly checking that code is formatted correctly. "guix lint" is a contributor's tool. Its features encode values that "we" want to preserve as new packages are added. The intended purpose of "guix lint" is to encourage "high quality" packages. We arrived at this meaning of "high quality" (as approximated by the workings of "guix lint") through years of collective work on packages. Since we've seen source code disappear, which negates Guix reproducibility guarantees by robbing users of Guix of their practical freedoms to the software, the modules of "guix lint" include discouraging the use of volatile URLs (like generated tarballs), suggesting the use of mirrors, and relatedly notifies SWH that the Guix software collection is about to change to increase your chances of getting identical source code years from now. All that because software freedom is void without source code. Here is a list of other checks that talk to the internet: --8<---------------cut here---------------start------------->8--- - home-page: Validate home-page URLs - source: Validate source URLs ... - cve: Check the Common Vulnerabilities and Exposures (CVE) database - refresh: Check the package for new upstream releases - archival: Ensure source code archival on Software Heritage --8<---------------cut here---------------end--------------->8--- Are these all privacy leaks? Are they in opposition of the goals of "guix lint"? In opposition to the goals of those who use "guix lint"? If so: why? > Now if you want to disagree that people should have privacy or > expectations then I fear we are becoming the next Google. This is jumping the shark, and I think it is a statement that is (unintentionally?) rather insulting to those of us who have been contributing to Guix for a long time and have spent many excess calories wringing their brains to make sure Guix is not your average tech bro project. It is disappointing to see the levity with which statements of this severity are dropped here. The Guix community that I choose to remember was less prone to making inflammatory statements when disagreements became apparent. -- Ricardo