Re: Next Steps For the Software Heritage Problem

[Andreas Enge]

Am Thu, Jun 20, 2024 at 07:42:44PM +0100 schrieb Dale Mellor:
> I'm sure guix lint tried to push my code out to them the last time I tried.

Ah indeed, there is this in guix/lint.scm:

(define (check-archival package)
  "Check whether PACKAGE's source code is archived on Software Heritage.  If
it's not, and if its source code is a VCS snapshot, then send a \"save\"
request to Software Heritage.

It potentially calls this:
(define (save-package-source package)
  "Attempt to save the source of PACKAGE on SWH.  Return a list of warnings."

Which calls this from swh.scm:
(define* (save-origin url #:optional (type "git"))
  "Request URL to be saved."
  (call (swh-url "/api/1/origin/save" type "url" url) json->save-reply
        http-post*))

So it does not push code, but a URL from which the code can be downloaded.
Thus it requires the code to be available from the Internet; local code
is "safe" from SWH.

Now I do not know what will happen if you save your code as a git
repository at a hidden URL. For instance, does SWH check the license?
I would hope so.

There is documentation of this feature here:
   https://archive.softwareheritage.org/api/1/origin/save/doc/
which says this:
Depending of the provided origin url, the save request can either be:
- immediately accepted, for well known code hosting providers like for instance 
GitHub or GitLab
- rejected, in case the url is blacklisted by Software Heritage
- put in pending state until a manual check is done in order to determine if it 
can be loaded or not

So I suppose that if you submit a hidden, but publicly available URL
pointing to non-free code, the request will be "put in pending state",
manually checked and rejected, and maybe the URL added to the blacklist.

Andreas