[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Developing free non-gnu operating systems
|
From: |
Denis 'GNUtoo' Carikli |
|
Subject: |
Re: Developing free non-gnu operating systems |
|
Date: |
Mon, 27 Sep 2021 09:32:23 +0200 |
On Sun, 26 Sep 2021 15:46:00 -0500
quiliro@riseup.net wrote:
> Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> writes:
> > Not really. Guix is a real package manager with code to build
> > software and so on. The idea with Guix is that, even if there are
> > some official repositories of compiled packages, you are free to
> > run your own or use the ones you want, etc.
> >
> > Unlike Guix, ReactOS had nothing to do with the creation of these
> > binaries in the first place, it just had a software that downloaded
> > binaries that contained installers and executed these binaries.
>
> So, Guix audits the freedom of every single commit of each version of
> the source packages that it recommends?
Reading the Guix source code[1] and documentation[2] would probably make
all that more clear:
- The Guix package manager and the packages are developed in a single
git repository[1]. That repository is the official one.
- The installation instructions[2] have instructions to enable (or not
enable) binary repositories.
- The install instructions also have instructions on how to enable
other git repositories for the package definitions[4] but I didn't
have the time to try that yet.
The best way to learn more is probably to try Guix and GuixSD out. Guix
can be installed on top other FSDG distributions.
Parabola even has a guix-installer package, and it can probably be
installed relatively easily on top of most GNU/Linux distributions.
As for audits I don't know how other people do that, but when I
contribute to Parabola I already know what is suspicious and I found
several issues that got fixed that way.
For instance in the past, the fat implementation of Tianocore wasn't
free software, so I looked if we had code derived from Tianocore in
Parabola and we fixed that. Now that's fixed upstream.
Also packages that may bundle firmwares are suspicious. Packages with
potential nonfree dependencies are also suspicious. And so on.
https://libreplanet.org/wiki/List_of_software_that_does_not_respect_the_Free_System_Distribution_Guidelines
can also help but I'm not sure how up to date it is and in most cases
software listed there is probably handled already by most FSDG
compliant distributions.
In Parabola I specifically look for things that other people might have
missed or that are new in GNU/Linux.
This is well adapted to Parabola as it reuses various repositories from
Arch Linux, Arch Linux 32, Arch Linux ARM. To handle that it has a
blacklist of nonfree packages that are removed and also replacement
packages for various reasons (freedom fixes, branding, etc) so things
evolves and sometimes things slip through and are fixed.
As for Guix I'm not sure that just reading the commit messages will
tell you about potential issues, you also need to know the context.
And with Guix as I understand if you don't have commit access your
patches are reviewed anyway, so the people sending patches and doing the
review are the ones that need to know this context.
PS: Parabola probably needs more people to help fixing freedom bugs and
other bugs in general as there are a huge number of bugs open and
probably not enough people to fix enough of them.
References:
-----------
[1]https://git.savannah.gnu.org/git/guix.git
[2]https://guix.gnu.org/manual/en/guix.html
[3]https://guix.gnu.org/manual/en/guix.html#Substitute-Server-Authorization
[4]https://guix.gnu.org/manual/en/guix.html#Channels
Denis.
pgpQ8EMdjD7_2.pgp
Description: OpenPGP digital signature