GNU bug report logs - #45450
Guix, third-party repositories and GNU FSDG

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.

Package: guix; Severity: critical; Reported by: Adonay Felipe Nogueira <adfeno@HIDDEN>; dated Sat, 26 Dec 2020 19:15:02 UTC; Maintainer for guix is bug-guix@HIDDEN.

Message received at 45450 <at> debbugs.gnu.org:


Message-ID: <01bec424a8ce437fde2f624fca190514d130d667.camel@HIDDEN>
Subject: Re: Guix, third-party repositories and GNU FSDG
From: Léo Le Bouter <lle-bout@HIDDEN>
To: 45450 <at> debbugs.gnu.org
Date: Fri, 12 Feb 2021 22:22:27 +0100

Hello!

I have been looking at this, since Cargo has a feature to add third
party repositories already I am thinking we can remove the concept of a
default repository in Cargo by patching it.

Cargo has multiple roles in relation with crates.io - it can search,
install and publish packages. I am thinking we need to strip the search
and install functionality on the currently default repository. Publish
functionality could stay.

I will report back when I have a satisfying patchset for Cargo.

Léo






Information forwarded to bug-guix@HIDDEN:
bug#45450; Package guix. Full text available.

Message received at submit <at> debbugs.gnu.org:


To: bug-guix@HIDDEN
From: Adonay Felipe Nogueira <adfeno@HIDDEN>
Subject: Guix, third-party repositories and GNU FSDG
Message-ID: <84d5c1f2-dbc3-b0ed-cd8a-ad451b591d4c@HIDDEN>
Date: Sat, 26 Dec 2020 16:13:51 -0300

Severity: critical

According to the GNU FSDG ([1], emphasis mine):

> A free system distribution must not steer users towards obtaining any nonfree information for practical use, or encourage them to do so. The system should have no repositories for nonfree software and no specific recipes for installation of particular nonfree programs. *Nor should the distribution refer to third-party repositories that are not committed to only including free software; even if they only have free software today, that may not be true tomorrow.* Programs in the system should not suggest installing nonfree plugins, documentation, and so on.

However, at least in the case of the rust package, in the following example one can see that cargo is also included:

$ guix package --show=rust

> name: rust
> version: 1.46.0
> outputs: out doc cargo
> systems: x86_64-linux i686-linux
> dependencies: bison@HIDDEN cmake-minimal@HIDDEN curl@HIDDEN flex@HIDDEN
> + gdb@HIDDEN jemalloc@HIDDEN libssh2@HIDDEN llvm@HIDDEN make@HIDDEN openssl@1.1.1f
> + pkg-config@HIDDEN procps@HIDDEN python2@HIDDEN rust@HIDDEN which@HIDDEN
> location: gnu/packages/rust.scm:105:2
> homepage: https://www.rust-lang.org
> license: ASL 2.0, Expat
> synopsis: Compiler for the Rust programming language
> description: Rust is a systems programming language that provides memory
> + safety and thread safety guarantees.

In continuation, as can be seen on [2], the installed cargo has its default repository enabled.

Furthermore, neither [3] nor [4] have expressed commitment to the GNU FSDG.

Here are some suggestions, probably not tested nor researched for viability:

a) make the importer activate a flag of its own in order to use that package. This would render a plain install of the package a version with cargo absent while still having the possibility to do the imports;

b) coordinate with the head of the cargo community (and possibly other free/libre system distributions or free/libre software activism groups) an agreement so that they express commitment to the GNU FSDG on [3] and [4], and of course make them set up a bug/issue/task tag/section for GNU FSDG issues. This must be done together with either (a), (d) or (e);

c) coordinate with other free/libre system distributions or free/libre software activism groups a project to provide a common repository that such groups could refer to by default by patching their copy of cargo. This must be done together with either (a), (d) or (e);

d) find a way to provide cargo but without any repository. This would require a way for the importer to specify the repositories at run-time;

e) despite not being desirable by some people, there is also the possibility of removing cargo.

As a side-note, as the original subject stated, I think we should address this issue in other packages too, if any, and also document the decision on the manual or on guideline.


# References


[1]: https://www.gnu.org/distros/free-system-distribution-guidelines.en.html#license-rules .

[2]: https://lists.gnu.org/archive/html/help-guix/2020-12/msg00231.html .


[3]: https://crates.io/policies .

[4]: https://www.rust-lang.org/policies/code-of-conduct .


-- 
* Free software activist
	* https://libreplanet.org/wiki/User:Adfeno
	* Member of the evaluation groups for
		* Software (Free Software Directory)
		* System distributions (FreedSoftware)
		* Websites (Free JavaScript Action Team)
	* I am not a lawyer and I do not promote nonfree ones
* Always check your e-mail's spam/junk folder
	* Or have all received messages go to the inbox
* I always sign e-mails with OpenPGP
	* Public key: see the address above
	* Any other may be fraudulent
	* If you do not have OpenPGP, ignore the "signature.asc" attachment
* When sending attachments
	* Documents, spreadsheets and presentations: use OpenDocument
	* Other types: see the address above
* Use federated communication protocols
	* See the address above
* Secret messages only via
	* XMPP with OMEMO
	* E-mail encrypted and signed with OpenPGP





Acknowledgement sent to Adonay Felipe Nogueira <adfeno@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#45450; Package guix. Full text available.
Last modified: Fri, 12 Feb 2021 21:30:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.