Re: [GNU-linux-libre] Docker


From: Denis 'GNUtoo' Carikli
Subject: Re: [GNU-linux-libre] Docker
Date: Tue, 20 Jun 2023 22:05:19 +0200

On Tue, 20 Jun 2023 04:19:47 -0400
bill-auger <bill-auger@peers.community> wrote:
> all could be addressed by the approach denis chose for docker, which
> is the least user-friendly option
The approach I took for docker is one of the least invasive approaches
as it still enables all existing use cases.

As I'm a complete beginner to Go (the programming language), I didn't
manage to patch docker in the way I wanted.

My original intent was to enable 'docker pull
docker.io/pureos/byzantium' instead of requiring the use of
'docker pull registry-1.docker.io/pureos/byzantium' but I failed to do
that so help is more than welcome on that front.

> As for packaging docker images inside distributions, 
> be to curate libre-only repositories for each package manager, and
> hard-code that URL, so that the user needs not to define one (but
> then the user would be unable to define any other alternative, such
> as the package manager's standard repo)
Either I don't understand you or I don't understand how to do that
without too much work.

First, defining a URL is not a bad idea: not using a full URL creates
some problems anyway as it will try to download images from a default
URL first. This can create security issues for instance, or
incompatibilities if people change the default URL.

For instance if a user wants the official PureOS image on docker hub
and does 'docker pull pureos/byzantium', and the default repository
has changed, it will download that image from the default repository
instead, which might have a different image made by different people.

So the best solution here is probably to make sure people use the full
URL (like docker.io/pureos/byzantium). This might be needed for
compatibility anyway with other tools like podman where users can
change the default repository.

Then I've tried exactly what you seem to suggest: packaging docker
images inside Parabola, but:
(1) It turned out not to respect the distribution policy (packages
    were built as root, had different rules, etc). Maybe there are
    better tools to build docker images than the ones I used that would
    solve technical issues, but it remains that all the FSDG compliant
    distributions do not have the same policies (Parabola doesn't have
    an exception for non-free non-functional data like game images,
    and some other FSDG compliant distributions have this exception as
    the FSDG permits it).

(2) The docker images are not reusable by people using distributions
    that use a different package manager. And even if the package
    manager is the same, the packages might not build on other
    distributions than Parabola. They are also not reusable outside of
    FSDG distributions.

So I think that this approach is not wrong but it would require
duplicating the effort many times to reach something usable. And it also
fits a different use case as it doesn't provide any drop-in replacement
for 'docker pull docker.io/pureos/byzantium', but it could provide way
more guarantees than a docker registry that isn't 100% operated by the
distribution it packages.

In addition to that we have a packaging issue: right now Parabola can
create docker images for Parabola (I've not tested that yet), Trisquel,
PureOS, and Guix[1], but other FSDG compliant distributions either
don't have any tool to create docker images, or can (for Guix, PureOS
and Trisquel) only create docker images of their distribution (Trisquel
can create a Trisquel docker image but not a PureOS image).

And work to enable Guix, PureOS and Trisquel can be done but it takes
time (it took a bit of work spanning many years with Parabola) and some
upstream projects like debootstrap[2] are not very responsive with
merging patches, so that is blocking a bit that work right now.

If patches to add Trisquel in debootstrap are merged, we would still
need to package the Trisquel repositories keyring in Guix, PureOS and
debuerreotype in Guix (that looks complicated to do).

So I think that if someone manages to create a docker repository
(that's called a registry in docker jargon) and enable only FSDG
compliant images there and reserve some space for official FSDG
distributions, it might be a better start as we would have something
working right now.

In addition it's not incompatible with the plan you suggested, as
distributions could also package images that they also publish in that
docker registry. And that would probably be the easiest way to do it as
it would make the maintenance easier. The difference is that each
distribution would only need to package itself and not all other
distributions as well.

So far I only found how to run a repository but not how to secure it
properly. Note that I'm also pretty new to docker, so I don't
already know these things and I've to do research, read
documentation, try things etc. So if people already have the experience
that I lack here it could help a lot too.

References:
-----------
[1]https://libreplanet.org/wiki/Group:Software/FSDG_distributions/CrossDistroBootstrap
[2]https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030960

Denis.
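
Added example, not part of the original message and not code from docker: a small Go check for the point above about unqualified image names, showing where a reference would be fetched from under two different default registries. It assumes the usual hostname heuristic (the first path component names a registry if it contains '.' or ':' or is "localhost"); registry.example.org is a made-up default.

```go
package main

import (
	"fmt"
	"strings"
)

// splitRegistry returns the registry host written explicitly in ref, or ""
// when the reference relies on the client's default registry.
// Assumed heuristic: the first path component is a host if it contains
// '.' or ':' or equals "localhost". Docker Hub's implicit "library/"
// prefix for single-component names is not modelled here.
func splitRegistry(ref string) (host, rest string) {
	i := strings.IndexByte(ref, '/')
	if i < 0 {
		return "", ref
	}
	if first := ref[:i]; strings.ContainsAny(first, ".:") || first == "localhost" {
		return first, ref[i+1:]
	}
	return "", ref
}

// resolve shows where ref would be pulled from for a given default registry.
func resolve(ref, defaultRegistry string) string {
	host, rest := splitRegistry(ref)
	if host == "" {
		host = defaultRegistry
	}
	return host + "/" + rest
}

// unqualified lists the references whose source depends on the default.
func unqualified(refs []string) []string {
	var out []string
	for _, r := range refs {
		if h, _ := splitRegistry(r); h == "" {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	// Constructed sample references; the first is the risky short form.
	refs := []string{"pureos/byzantium", "docker.io/pureos/byzantium"}
	for _, def := range []string{"docker.io", "registry.example.org"} {
		for _, r := range refs {
			fmt.Printf("default=%-22s %-28s -> %s\n", def, r, resolve(r, def))
		}
	}
	fmt.Println("depends on default registry:", unqualified(refs))
}
```

Only the short form changes source when the default changes; the fully qualified name resolves to the same registry in both runs.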
