Re: [GNU-linux-libre] Third-Party Package Managers

From: Denis 'GNUtoo' Carikli
Subject: Re: [GNU-linux-libre] Third-Party Package Managers
Date: Fri, 4 Aug 2023 17:12:56 +0200
On Wed, 2 Aug 2023 21:31:14 -0400
Michael McMahon <michael@fsf.org> wrote:
> Our group of license verifiers is not large enough to verify any of
> the repositories of major third-party package managers in a relevant
> time frame. I think we have to take the uploader's tag at face value
> unless we have additional information that refutes the provided
> information.
>
> The crowd-sourced system of reporting packages that violate policy
> like the GNU bucks system [1] should suffice.
>
> [1] https://www.gnu.org/help/gnu-bucks.html
Here I assume that you suggest having tools that reuse the license
information to filter nonfree software or software that isn't labeled
as free (like where the license is in the code but not in the package
metadata).
One of the points of the FSDG is that freedom issues are bugs that can
be fixed (though that assumes people find issues, send patches to fix
them, etc).
Here whether what you propose works out or not depends a lot on the
various upstreams that we don't control and that don't follow the FSDG
(else there would be no issue in the first place).
So that can probably work relatively easily if upstream policies require
precise enough licensing information. The question is what happens if
there are no such policies, or what happens when the license field is
set but with the wrong license.
For instance if there is a project where most of the code is under
GPLv2 but that also includes nonfree software, can that be fixed? What
if the project itself doesn't want to fix the license? Will the
repository enforce its rules?
All that probably depends on the policies of the repository, and they
also need to be tried out in practice to know for sure if we can really
fix things.
Another question would be the effectiveness of that in the long run and
how to best collaborate to get better licensing information.
For instance it's possible to somehow automatically detect licenses,
binary files, etc. So it might be possible to somehow validate most of
the licensing information and manually check suspicious software or
software that fails to be categorized by automatic tools.
This is not very far fetched as Guix already has code to generate
packages from some of these repositories for instance, and it warns when
the license is not detected (and in the end it's up to the packager to
check everything). It might be possible to plug in more tools to detect
binaries in the source code for instance (like ELF files).
So the question is how to collaborate with all that. And here maybe it
would be easier to have projects under which people can participate to
do precisely that. So if upstreams welcome initiatives like that, that
could work too.
But not all upstreams might like that or may want to invest significant
time in fixing the metadata if a substantial number of issues are found.
Denis.
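As an added illustration of the automatic checks discussed in the message above (spotting embedded binaries by their ELF magic and flagging source files that carry no license notice), here is a small scanner; it is not part of the original mail or of Guix. The license heuristics, the source-extension list and the sample tree are constructed for the example.

```python
"""Flag embedded ELF binaries and unlicensed sources in a package source tree."""
import re
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
# Constructed heuristic: an SPDX tag or a conventional GPL header sentence.
LICENSE_RE = re.compile(rb"SPDX-License-Identifier:\s*\S+|GNU General Public License", re.I)
# Constructed list of extensions treated as source code for the license check.
SOURCE_SUFFIXES = {".c", ".h", ".py", ".sh"}

def scan_tree(root):
    """Walk `root`; return (elf_files, unlicensed_sources) as sorted POSIX relative paths.

    Binaries are detected by content (magic bytes), not by file extension, so a
    blob renamed to look like data is still caught. Only the first 4 KiB of each
    file is read, which is where license headers conventionally live."""
    root = Path(root)
    elf_files, unlicensed = [], []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            head = fh.read(4096)
        rel = path.relative_to(root).as_posix()
        if head.startswith(ELF_MAGIC):
            elf_files.append(rel)
        elif path.suffix in SOURCE_SUFFIXES and not LICENSE_RE.search(head):
            unlicensed.append(rel)
    return elf_files, unlicensed

def build_sample_tree():
    """Create a constructed sample tree: one tagged source, one untagged source,
    one ELF blob disguised with a .bin name, and a plain README."""
    root = Path(tempfile.mkdtemp())
    (root / "src").mkdir()
    (root / "src" / "main.c").write_bytes(
        b"// SPDX-License-Identifier: GPL-2.0-or-later\nint main(void) { return 0; }\n")
    (root / "src" / "blob.c").write_bytes(b"/* no license header */\nconst char x[] = \"\";\n")
    (root / "firmware.bin").write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 61)
    (root / "README").write_bytes(b"Hello\n")
    return str(root)

if __name__ == "__main__":
    elf_files, unlicensed = scan_tree(build_sample_tree())
    print("ELF binaries in source tree:", elf_files)       # ['firmware.bin']
    print("sources without license notice:", unlicensed)   # ['src/blob.c']
```

Anything reported here is a candidate for the manual review the message describes, not a verdict; a packager still has to decide whether a flagged blob is a build artefact, test data, or nonfree firmware.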