GNU bug report logs - #42964
Potential FSDG issue with debootstrap scripts

Previous Next

To reply to this bug, email your comments to 42964 AT debbugs.gnu.org.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>
To: bug-guix <at> gnu.org
Subject: Potential FSDG issue with debootstrap scripts
Date: Fri, 21 Aug 2020 06:45:27 +0200

[Message part 1 (text/plain, inline)]

Hi,

I found a potential issue with the debootstrap package and the Guix
blog.

The Free System Distribution Guidelines states that:
> A free system distribution must not steer users towards obtaining any
> nonfree information for practical use, or encourage them to do so.
> The system should have no repositories for nonfree software and no
> specific recipes for installation of particular nonfree programs. Nor
> should the distribution refer to third-party repositories that are
> not committed to only including free software; even if they only have
> free software today, that may not be true tomorrow. Programs in the
> system should not suggest installing nonfree plugins, documentation,
> and so on.

However after instalation, the debootstrap package contains scripts for
installing many distributions, and most of them are either not FSDG
compliant or have nonfree software in them.

I assume that the Ubuntu repositories are "third-party repositories that
are not committed to only including free software", and they are used
in the debootstrap scripts to install Ubuntu.

After installation I got the following scripts in
~/.guix_profile/share/debootstrap/scripts/:
- aequorea
- amber
- artful
- ascii
- bartholomea
- beowulf
- bionic
- bookworm
- breezy
- bullseye
- buster
- ceres
- chromodoris
- cosmic
- dapper
- dasyatis
- debian-common
- disco
- edgy
- eoan
- etch
- etch-m68k
- feisty
- focal
- gutsy
- hardy
- hoary
- hoary.buildd
- intrepid
- jaunty
- jessie
- jessie-kfreebsd
- kali
- kali-dev
- kali-last-snapshot
- kali-rolling
- karmic
- lenny
- lucid
- maverick
- natty
- oldoldstable
- oldstable
- oneiric
- potato
- precise
- quantal
- raring
- sarge
- sarge.buildd
- sarge.fakechroot
- saucy
- sid
- squeeze
- stable
- stretch
- testing
- trusty
- unstable
- utopic
- vivid
- warty
- warty.buildd
- wheezy
- wily
- woody
- woody.buildd
- xenial
- yakkety
- zesty

The scripts are named after distribution codenames. So here you can see
some ubuntu code names like trusty, xenial, etc (ubuntu contains nonfree
software), or some debian code names like stretch.

Not all scripts are problematic, as amber is the codename of the
main PureOS repository[2].

To fix that, Parabola patches debootstrap to remove the problematic
scripts[3] and also adds support for many FSDG distributions along the
way. It also has a modified manual[4] with examples for Trisquel
instead of Debian.

Something similar could probably be done in debian.scm[5].

In addition the Guix blog post about "Running a Ganeti cluster on
Guix"[6] should probably be reviewed as it contains code to install
Debian buster.

As I understand, Debian may not contain nonfree software but it is not
FSDG compliant, so it could be a good idea to use an FSDG compliant
distributions instead to avoid any issues. In addition if the buster
script is removed, then the code on the blog post won't work anymore.

References:
-----------
[1]https://www.gnu.org/distros/free-system-distribution-guidelines.html
[2]https://libreplanet.org/wiki/Group:Hardware/FSDG_distributions/PureOS
[3]https://git.parabola.nu/abslibre.git/tree/libre/debootstrap/PKGBUILD#n50
[4]https://git.parabola.nu/abslibre.git/tree/libre/debootstrap/debootstrap.8
[5]https://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/debian.scm#n121
[6]https://guix.gnu.org/en/blog/2020/running-a-ganeti-cluster-on-guix/

Denis.

[Message part 2 (application/pgp-signature, inline)]

Message #8 received at 42964 <at> debbugs.gnu.org (full text, mbox):

From: Marius Bakke <marius <at> gnu.org>
To: Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org>, 42964 <at> debbugs.gnu.org
Subject: Re: bug#42964: Potential FSDG issue with debootstrap scripts
Date: Wed, 26 Aug 2020 22:56:15 +0200

[Message part 1 (text/plain, inline)]

Denis 'GNUtoo' Carikli <GNUtoo <at> cyberdimension.org> writes:

> Hi,
>
> I found a potential issue with the debootstrap package and the Guix
> blog.

Thanks for bringing this to our attention!

> The Free System Distribution Guidelines states that:
>> A free system distribution must not steer users towards obtaining any
>> nonfree information for practical use, or encourage them to do so.
>> The system should have no repositories for nonfree software and no
>> specific recipes for installation of particular nonfree programs. Nor
>> should the distribution refer to third-party repositories that are
>> not committed to only including free software; even if they only have
>> free software today, that may not be true tomorrow. Programs in the
>> system should not suggest installing nonfree plugins, documentation,
>> and so on.
>
> However after instalation, the debootstrap package contains scripts for
> installing many distributions, and most of them are either not FSDG
> compliant or have nonfree software in them.
>
> I assume that the Ubuntu repositories are "third-party repositories that
> are not committed to only including free software", and they are used
> in the debootstrap scripts to install Ubuntu.

Does Ubuntu carry non-free software in the default repos?  If so I agree
that is a problem.

> After installation I got the following scripts in
> ~/.guix_profile/share/debootstrap/scripts/:

[...]

> The scripts are named after distribution codenames. So here you can see
> some ubuntu code names like trusty, xenial, etc (ubuntu contains nonfree
> software), or some debian code names like stretch.

Here you assert that Ubuntu contains non-free software, but previously
you only assumed so.  Did you figure it out along the way?  :-)

> Not all scripts are problematic, as amber is the codename of the
> main PureOS repository[2].

Why is PureOS not problematic?  They have a "non-free" repository
component too:

  https://deb.puri.sm/pureos/pool/non-free/

> To fix that, Parabola patches debootstrap to remove the problematic
> scripts[3] and also adds support for many FSDG distributions along the
> way. It also has a modified manual[4] with examples for Trisquel
> instead of Debian.
>
> Something similar could probably be done in debian.scm[5].

Thanks for the information.  I actually wanted to use Trisquel for the
Ganeti documentation, and was surprised that it was not supported by
debootstrap.

Do you know where to find the Parabola patches?  Any chance they will
upstream the work?

> In addition the Guix blog post about "Running a Ganeti cluster on
> Guix"[6] should probably be reviewed as it contains code to install
> Debian buster.
>
> As I understand, Debian may not contain nonfree software but it is not
> FSDG compliant, so it could be a good idea to use an FSDG compliant
> distributions instead to avoid any issues. In addition if the buster
> script is removed, then the code on the blog post won't work anymore.

AIUI the FSDG does not require that linked package repositories are
committed to the FSDG, only that they are committed to providing only
free software, which Debian is.  What issues do you have in mind?

Note that the Guix manual section on Ganeti also contains references to
Debian and Ubuntu; I agree it would be nice to refer to FSDG-friendly
distributions there instead (but first we need support in debootstrap).

I have slight reservations against changing the blog post without a good
reason: it is fairly disconnected from the Guix software distribution
and has already "made the rounds".  Someone bookmarking it for later
reference might get annoyed that the code is no longer there.  But if
there is consensus among Guix users or a breach of the FSDG I am of
course happy to update it.

Thanks!

[signature.asc (application/pgp-signature, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.