From: Marius Bakke
Subject: Re: FSDG status of chromium
Date: Wed, 26 Sep 2018 03:23:51 +0200
Message-ID: <87d0t1kq54.fsf@fastmail.com>
References: <20180925092922.20b2a32d@peers.community> <87tvmdl7id.fsf@fastmail.com> <20180925193658.7529612c@peers.community>
In-Reply-To: <20180925193658.7529612c@peers.community>
To: bill-auger, guix-devel@gnu.org

bill-auger writes:

> On Tue, 25 Sep 2018 21:08:42 +0200 Marius wrote:
>> Can you elaborate on what exactly the issue is? I am aware that
>> Chromium bundles non-free sources
>> That leaves "first party" source files. Admittedly I haven't audited
>> all of those other than superficial grepping. Do you know whether
>> parts of Chromium are considered non-free?
>
> no - and that is exactly the core problem - AFAIK no person on this
> planet knows the definitive answer to that question, including the
> upstream developers themselves, as demonstrated by the 10 year old bug
> report that was never closed

Can you point out which part of the upstream bug is relevant?

https://bugs.chromium.org/p/chromium/issues/detail?id=28291

AFAICT it's about bundled software, and in our case there are only 379
files that need auditing. Am I missing something?

> On Tue, 25 Sep 2018 21:08:42 +0200 Marius wrote:
>> I noticed a number of
>> files are missing license information: in those cases I have assumed
>> that the top-level "LICENSE" file (BSD-3) applies.
>
> i don't think that is a reasonable assumption to make - by that logic,
> you could assemble any collection of unlicensed or conflictingly
> licensed source code projects, heap them all in a tarball with a
> single BSD-3 license at the root level, and that would somehow make
> everything adequately licensed, simply because none of the files within
> contradict that otherwise unfounded assumption - the unfortunately
> broad and brief wording of permissive licenses (no more precise
> than "this software") encourages that lazy assumption to be made as
> applying to "everything in this tarball", probably more often than
> people realize

All the software bundles (i.e. stuff living below "third_party"
directories) appear to be clearly licensed. For first party code, I
don't think taking the LICENSE file at face value is unreasonable.

> On Tue, 25 Sep 2018 21:08:42 +0200 Marius wrote:
>> It seems to me using "Ungoogled-Chromium" remediates Luke's concerns
>
> yes most people agree that the ungoogled patches would be necessary
> but not sufficient for any FSDG compliant build of chromium

What else is remaining?

> On Tue, 25 Sep 2018 21:08:42 +0200 Marius wrote:
>> Andreas Enge writes:
>> > So at least it is apparently possible to get a working binary with
>> > only free sources.
>>
>> To clarify: the few files flagged by 'checklicenses.py' are as far as
>> I can tell all free software. The script just fails to classify them
>> 379 files for which it fails to detect license.
>
> to be clear here, what is truly meant there by: "only free sources" is
> "with only sources that have not yet been demonstrated to be non-free" -
> that is the key distinction - just because they have not yet been
> proven to be non-free, does not make them free - and i have yet to see
> anyone make that determination convincingly

I don't think there is any doubt on this list about the definition of
free software.

> On Tue, 25 Sep 2018 21:08:42 +0200 Marius wrote:
>> All non-essential "third_party" directories are purged in the same
>> manner. I have audited the remaining third_party files and AFAICT
>> they are free software.
>
> adfeno recently did some preliminary digging into this also[1] -
> maybe you and he could compare notes and/or combine efforts
>
> [1]: https://directory.fsf.org/wiki/Talk:Chromium

Thanks for the link. Adonay's findings seem to confirm mine (note that
the listed third_party files are not present in the Guix source).

> On Tue, 25 Sep 2018 21:36:45 +0200 Clément wrote:
>> I hope we'll
>> make it free at some point, so that it can be integrated into Guix.
>
> to these i again want to underline the secondary point i hoped to make;
> that is if *anyone* can liberate this program, it would allow this
> browser and dozens of derivative programs that are currently
> blacklisted to be included in guix AND also *any* of the FSDG distros -
> what bothers me most about this situation here, is that no one from guix
> seems to be "on the same page" sharing information and effort with the
> other FSDG distros - i really do encourage you guys to join in on these
> conversations that pertain equally across all FSDG distros[2] - if you
> have some success liberating chromium, or have determined any of its
> dubious licensing concerns, please do make it known on that mailing
> list - it would be of great interest to many outside of guix - at the
> very least it could lead to the recommended fix for chromium on the
> "does not respect the FSDG" list to be changed from "use icecat
> instead" to "this browser can be used in freedom if you ...."
>
> [2]: https://lists.nongnu.org/mailman/listinfo/gnu-linux-libre

I have looked at QtWebEngine too and could not find anything suspicious.
Their Chromium directory is 1,5 GiB uncompressed compared to 2.2 GiB for
the Guix package and 4.5 GiB for the upstream tarball.

As far as I can tell, both packages are eligible for free distributions,
assuming proper caretaking is in place (Chromium 66 introduced a
dependency on 'unrar', for example, but such shenanigans are easily
caught with third_party whitelisting).