
[GNU-linux-libre] Violations of GPL in GuixSD packaging design


From: Jean Louis
Subject: [GNU-linux-libre] Violations of GPL in GuixSD packaging design
Date: Wed, 6 Apr 2016 12:32:12 +0200

I am really a fan of GuixSD and I consider it the future of computing.
Today I tried to find the source code for packages, but I could not find
it in a way that conforms to the GPL 2 license. I did not verify other
versions of licenses.

I woke up and realized that each package description contains a direct
link to the original source code, like from the author of the software
or from other, third party websites. But they fail to provide the
modified corresponding source code.

There are some important matters that have to be implemented basically
as fast as possible, to conform to GPL 2 and other GPL versions. And if
GPL is in fact violated, by the design of guix packaging, then maybe
also other licenses have to be reviewed if they are also disrespected in
similar manner.

The GPL2 license is here:
http://www.gnu.org/licenses/gpl-2.0.html

Let us take one example of packages that violate the GPL2 license:

## Pulseaudio

Package: pulseaudio, licensed under GPL2+, there are patches for it in
gnu/packages/patches, for example following patches:
pulseaudio-fix-mult-test.patch
pulseaudio-longer-test-timeout.patch

As I understand it, the substitute on the hydra server is like a
binary. When the user runs: guix package -i pulseaudio, the substitute
is downloaded from the hydra server. The substitute is the patched or
modified version.

In accordance with the GPL2+, here are violations:

- the above mentioned patches, as applied, violate the GPL, by section 2 (a)
  "You must cause the modified files to carry prominent notices stating
  that you changed the files and the date of any change." -- because
  packages are built on the fly on hydra, so the date of change is
  probably modified each time at the time of building or modifying the
  package. Further, there are no prominent notices, as there is no source
  code to it!

- it is in violation of section 3. as none of the points (a), (b), (c)
  are satisfied, because the substitute that is copied and distributed
  is not accompanied with the corresponding source code, neither it is
  accompanied with the written offers to provide source code, valid for
  at least three years.

- the substitute for the package (binary) is not accompanied with the
  GPL2 license, as GPL2+ license requires it in the section 1. " You may
  copy and distribute verbatim copies of the Program's source code as
  you receive it, in any medium, provided that you conspicuously and
  appropriately publish on each copy an appropriate copyright notice and
  disclaimer of warranty; keep intact all the notices that refer to this
  License and to the absence of any warranty; and give any other
  recipients of the Program a copy of this License along with the
  Program."

  And when there is binary distribution (Section 3), such binary
  distribution (substitute distribution) must be done under terms of
  Sections 1 and 2, which means that with the program, there must be
  License as well, which is not in the package. It is not in my system,
  I have searched for license in
  /gnu/store/f455aa8rar4a50z7bpl8qmc5ffhqv5zd-pulseaudio-8.0/bin/pulseaudio

  A simple reference to GPL in the man page is not a license.

I do not want to provide other examples, as it seems it was by design
forgotten to comply to the GPL 2 license.

SUMMARY OF VIOLATIONS:
----------------------

1. FORGETTING TO INCLUDE THE LICENSE:

In violation of section 1 of the GPL2, the distribution of
substitutes does not make sure to give a copy of the License with the
program. This is also the case with the package aria2 and I can only
assume by indications that this may be the case with many other GPL2
packages in GuixSD.

2. MODIFICATIONS NOT APPROPRIATELY APPLIED

In violation of the section 2, (a) modified files do not carry prominent
notices, and WHO changed the files. If the files were changed by Hydra,
that shall be explained in such modifications IMHO. It cannot be said
that files were changed on Hydra server by the author of the patch. Such
author may not have any relations to GuixSD. So who is changing it?
There must be prominent notice on that, and the exact date of
change. One cannot just fake dates and say that day of change is the day
when patch was made by some author. The day of change is the exact date
when it was changed on Hydra.

This should also apply to all the patches that GuixSD is doing on
packages automatically.

3. DISTRIBUTION OF OBJECT OR EXECUTABLE CODE WITHOUT SOURCE CODES

In violation of the section 3. of the license GPL2, (others I did not
review), the substitutes are offered from Hydra in object or executable
form, without accompanying complete corresponding source code. I could
not find it here:
http://hydra.gnu.org/job/gnu/core-updates/pulseaudio-6.0.x86_64-linux

I have asked on IRC chat #guix but nobody could give me a single link to
the modified source code on Hydra. It was not that easy.


EXCUSES FOR THE ABOVE VIOLATIONS ARE FOLLOWING:

- that each user, can, by using commands, such as: guix build --source
  packagename, receive the package from the distribution's servers,
  patch it by programmatical way, and receive the corresponding source
  code in that manner.

- however, the same could be said for the License: one could distribute
  the program without the License, and give users a script to run to
  receive the License. This is still contrary to what GPL2 requires; it
  requires that the License is distributed with the program, and the user
  need not run any script to get it. Further, how is the distributor to
  assume at all that the user "must have Internet" to receive the license?
  If the user received object code, he shall get the license along with
  the object code. He may have no further access to the Internet. The
  License shall be there.

FOLLOWING TESTS I HAVE DONE TO VERIFY IF THERE IS CORRESPONDING SOURCE
CODE:

For the package: nvi, I have done following:

guix build --source nvi

And I could see that package was distributed from Internet location:
https://mirror.hydra.gnu.org/nar/lw20jhpl4dgsl3hrin71lnq9wga2yfr9-nvi-1.81.6.tar.xz

I have downloaded the package by using wget. The MD5SUM of the package
was:
406b0ec7f6af1923437561a40d3148f4
lw20jhpl4dgsl3hrin71lnq9wga2yfr9-nvi-1.81.6.tar.xz

After that I have asked guix package manager to show me the
corresponding source code:

guix build --source nvi
/gnu/store/lw20jhpl4dgsl3hrin71lnq9wga2yfr9-nvi-1.81.6.tar.xz

And the MD5SUM of that package:
/gnu/store/lw20jhpl4dgsl3hrin71lnq9wga2yfr9-nvi-1.81.6.tar.xz is:
3b158f28ba27e4f1449bd429805abe12
/gnu/store/lw20jhpl4dgsl3hrin71lnq9wga2yfr9-nvi-1.81.6.tar.xz

which tells me that the corresponding source code WAS NOT ACCOMPANIED
with the object/executable form on Hydra server (distribution's
servers).

The corresponding source code is rather created, constructed, patched or
generated on the user's computer.

When an object code/executable form, named substitute is available at
Hydra server, there must be available the corresponding source code too,
or otherwise offers to provide it in the future (for 3 years) or at
option 3. (c) in the GPL2.

One cannot just assume or force anyone to use Guix command to receive
the corresponding source code (even though this is convenient for Guix
users).

Please read GPL2, http://www.gnu.org/licenses/gpl-2.0.html, sections 1,
2, 3, 4 -- and I hope that this matter is improved or solved.

I speak of general design in Guix packaging. That means that many many
packages are affected by my assumptions above.

Jean Louis
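
Added example, not part of the original message: the download in the test above came from a /nar/ URL, and assuming that URL returns an uncompressed NAR serialization of a single regular file (an assumption; the message does not say what the server sends), the bytes on the wire carry NAR framing around the file, so the file has to be extracted before its digest is compared with the store copy. The function names and the sample bytes are constructed for illustration, and SHA-256 stands in for the MD5 used in the message.

```python
import hashlib
import struct

MAGIC = b"nix-archive-1"

def nar_str(data: bytes) -> bytes:
    # NAR string: 64-bit little-endian length, the bytes, zero padding to 8.
    return struct.pack("<Q", len(data)) + data + b"\0" * (-len(data) % 8)

def nar_of_file(contents: bytes, executable: bool = False) -> bytes:
    # Serialize one regular file the way a single-file store item is archived.
    toks = [MAGIC, b"(", b"type", b"regular"]
    if executable:
        toks += [b"executable", b""]
    toks += [b"contents", contents, b")"]
    return b"".join(nar_str(t) for t in toks)

def _read(buf: bytes, pos: int):
    # Read one padded string; reject truncation and non-zero padding.
    if pos + 8 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("<Q", buf, pos)
    end = pos + 8 + n
    nxt = end + (-n % 8)
    if nxt > len(buf) or any(buf[end:nxt]):
        raise ValueError("truncated or badly padded string")
    return buf[pos + 8:end], nxt

def file_from_nar(nar: bytes) -> bytes:
    # Extract the contents of a single-file NAR; anything else is an error.
    toks, pos = [], 0
    while pos < len(nar):
        tok, pos = _read(nar, pos)
        toks.append(tok)
    head, tail = [MAGIC, b"(", b"type", b"regular"], [b")"]
    if toks[:4] != head or toks[-1:] != tail:
        raise ValueError("not a single regular-file NAR")
    body = toks[4:-1]
    if body[:2] == [b"executable", b""]:
        body = body[2:]
    if len(body) != 2 or body[0] != b"contents":
        raise ValueError("unexpected NAR layout")
    return body[1]

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-in for a source tarball (length deliberately not a multiple of 8).
SOURCE = b"constructed stand-in for nvi-1.81.6.tar.xz\n"
DOWNLOAD = nar_of_file(SOURCE)
```

Comparing sha256(DOWNLOAD) with sha256(SOURCE) gives different digests, while sha256(file_from_nar(DOWNLOAD)) matches sha256(SOURCE).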


