libreplanet-discuss

Serious licensing flaws in Guix


From: Jean Louis
Subject: Serious licensing flaws in Guix
Date: Sat, 1 May 2021 11:05:27 +0300
User-agent: Mutt/2.0.6 (2021-03-06)

* Arun Isaac <arunisaac@systemreboot.net> [2021-05-01 09:58]:
> 
> > In general, I don't find it easy to find source code for package
> > "hello".
> 
> Don't know what you're talking about. It's very easy to get source code
> for a package. For example,
> 
> $ guix build -S hello

I have assumed there must be such a function.

Yet I don't think that satisfied the licensing requirements. It may
look picky from my side, but licensing is very important, and without
proper application of a license a distribution gets into risks.

Distributions are built on foundation of licensing. Licenses have to
be respected thus.

Examples, from GPL3 (but various packages may have different licenses,
which do not apply as here):

,----
|   5. Conveying Modified Source Versions. -- this applies when there
|   are patches by Guix, and there are many such packages.
`----

  You may convey a work based on the Program, or the modifications to
produce it from the Program, in the form of source code under the
terms of section 4, provided that you also meet all of these conditions:

    a) The work must carry prominent notices stating that you modified
    it, and giving a relevant date.

Example patches for glibc package in /gnu/store:

ag70kyqnm7wkdq2261d9m4im5rnl1d20-glibc-hurd-clock_gettime_monotonic.patch
j5m8zbb066vzbhrvy402s4cg79zgzkfp-glibc-bootstrap-system-2.16.0.patch
lgrlsr3qnxxvic3y472qwybv5wbyabm6-glibc-hidden-visibility-ldconfig.patch
mvq0q2f211bxb4syfxvng9kgdxzkr5f3-glibc-versioned-locpath.patch
pfz4y5i7krlvam2m8lpddmg9vi44rpqh-glibc-boot-2.2.5.patch
qkgnyh78n4y55r0ymaqzbrx842jvsmhw-glibc-hurd-signal-sa-siginfo.patch
rnqkir22908x6z3i1mk4phyvskz15qc4-glibc-supported-locales.patch
s4g72j3kx547bmn2lphcnva4npgi3qp9-glibc-bootstrap-system-2.2.5.patch
svva3cym2n04d2x3bpi4rs6qpnw0m162-glibc-hurd-clock_t_centiseconds.patch
sz5nmndsway8bq7283ihdgvmm3xb14l8-glibc-allow-kernel-2.6.32.patch
v1h2i4i5xmrs9d4c44w5wshv5zyszb8k-glibc-ldd-x86_64.patch
vh29xqy3daavjpi0ikpmqzfczzpbscix-glibc-reinstate-prlimit64-fallback.patch
wm80397r10sj6qckf6987qd2hh842p30-glibc-boot-2.16.0.patch

However, there is no prominent notice stating that it was modified and
the given date. Even if those patches are applied on the fly, there is
no such notice, and it should be there.

We speak here of distribution or conveying, and licensing.

We do not speak of using guix package manager.

When binary package (object code) is placed on a server anywhere, that
is conveying.

,----
| To "convey" a work means any kind of propagation that enables other
| parties to make or receive copies.  Mere interaction with a user through
| a computer network, with no transfer of a copy, is not conveying.
`----

When object code is on a public http server, in this case also known
as substitutes, that object code has to comply to licensing
conditions.

Currently it does not.

It only shows the license. It does not show the notice where
corresponding source code can be found.

I am sending this copy of email to Ludovic Courtès for considerations,
though I think he needs support of somebody who can read and
understand the licensing conditions.

This requires re-work of guix package management.

More about it:

,----
|   6. Conveying Non-Source Forms.
`----

  You may convey a covered work in object code form under the terms
of sections 4 and 5, provided that you also convey the
machine-readable Corresponding Source under the terms of this License,
in one of these ways:

... snip ...

    d) Convey the object code by offering access from a designated
    place (gratis or for a charge), and offer equivalent access to the
    Corresponding Source in the same way through the same place at no
    further charge.  You need not require recipients to copy the
    Corresponding Source along with the object code.  If the place to
    copy the object code is a network server, the Corresponding Source
    may be on a different server (operated by you or a third party)
    that supports equivalent copying facilities, provided you maintain
    clear directions next to the object code saying where to find the
    Corresponding Source.  Regardless of what server hosts the
    Corresponding Source, you remain obligated to ensure that it is
    available for as long as needed to satisfy these requirements.

When a person receives binary package like object code, there is no
offer and no offering in that package.

It may be very difficult for Guix to comply to licenses.

However, I cannot say that is fully free distribution as their
packages are systematically in non-compliance at least to GPL3,
probably GPL2 and maybe AGPL licenses.

Because nobody was thinking of it, Guix missed it, and now they have
a hard time complying.

But compliance is important as it acknowledges developers of software.

We speak of license compliance all the time. We cannot be hypocrites
and now say that Guix does not need to comply to licensing.

I understand that there exists a continuous integration server, but let
me say frankly, if a user receives object code from the Guix continuous
server, then the corresponding source code to THAT version of the
object code has to be kept somewhere. I don't think that Guix does
that, but I may be wrong.

,----
| Regardless of what server hosts the Corresponding Source, you remain
| obligated to ensure that it is available for as long as needed to
| satisfy these requirements.
`----

I don't think Guix can do that. There are too many versions of
software constantly being updated. I am not sure of that.

SUMMARY
=======

1. Software modified by Guix with those GPL-related licenses does not
   carry prominent notices stating that they modified it with a date.

2. I may assume, this may be wrong, but I may assume that substitutes
   are built software, object code, located on servers. Along with
   object code there must be an offer of corresponding source code. There
   is no such offer in the packages distributed. In other words, when a
   binary is downloaded, it has to contain such an offer, as downloading
   a binary is conveying, publishing it on a server for others to receive
   it is distributing and conveying, and people should have clear
   directions where to get the source code.

   There are general instructions however, but licensing applies for
   every single individual package, not generally, and there are
   different licenses. Each single package has to comply to the
   licensing.

   It is irrelevant if object code is obtained by using Guix package
   manager, because substitutes are on the server and accessible by
   let us say "curl" or web browser.

3. For each version of the distributed object code or packages, Guix
   needs to keep the corresponding code for as long as necessary. Even
   after 5 years somebody can come along and say "I want corresponding
   source code for version 1.12" -- but Guix maybe updated it to
   version 2.41 and maybe does not have the corresponding source
   code for version 1.12 any more.

   Why do you think that GNU servers are complying to licensing
   requirements even after decades of moments of distributions?

   Why should Guix be exempted to comply to licensing requirements for
   ALL packages they distribute?

-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

Sign an open letter in support of Richard M. Stallman
https://stallmansupport.org/
https://rms-support-letter.github.io/



