Serious licensing flaws in Guix
From: Jean Louis
Subject: Serious licensing flaws in Guix
Date: Sat, 1 May 2021 11:05:27 +0300
User-agent: Mutt/2.0.6 (2021-03-06)
* Arun Isaac <arunisaac@systemreboot.net> [2021-05-01 09:58]:
>
> > In general, I don't find it easy to find source code for package
> > "hello".
>
> Don't know what you're talking about. It's very easy to get source code
> for a package. For example,
>
> $ guix build -S hello
I have assumed there must be such a function.
Yet I don't think that satisfied the licensing requirements. It may
look picky from my side, but licensing is very important, and without
proper application of a license a distribution gets into risks.
Distributions are built on a foundation of licensing. Licenses have to
be respected thus.
Examples, from GPL3 (but various packages may have different licenses,
which do not apply as here):
,----
| 5. Conveying Modified Source Versions. -- this applies when there
| are patches by Guix, and there are many such packages.
`----
You may convey a work based on the Program, or the modifications to
produce it from the Program, in the form of source code under the
terms of section 4, provided that you also meet all of these conditions:
a) The work must carry prominent notices stating that you modified
it, and giving a relevant date.
Example patches for glibc package in /gnu/store:
ag70kyqnm7wkdq2261d9m4im5rnl1d20-glibc-hurd-clock_gettime_monotonic.patch
j5m8zbb066vzbhrvy402s4cg79zgzkfp-glibc-bootstrap-system-2.16.0.patch
lgrlsr3qnxxvic3y472qwybv5wbyabm6-glibc-hidden-visibility-ldconfig.patch
mvq0q2f211bxb4syfxvng9kgdxzkr5f3-glibc-versioned-locpath.patch
pfz4y5i7krlvam2m8lpddmg9vi44rpqh-glibc-boot-2.2.5.patch
qkgnyh78n4y55r0ymaqzbrx842jvsmhw-glibc-hurd-signal-sa-siginfo.patch
rnqkir22908x6z3i1mk4phyvskz15qc4-glibc-supported-locales.patch
s4g72j3kx547bmn2lphcnva4npgi3qp9-glibc-bootstrap-system-2.2.5.patch
svva3cym2n04d2x3bpi4rs6qpnw0m162-glibc-hurd-clock_t_centiseconds.patch
sz5nmndsway8bq7283ihdgvmm3xb14l8-glibc-allow-kernel-2.6.32.patch
v1h2i4i5xmrs9d4c44w5wshv5zyszb8k-glibc-ldd-x86_64.patch
vh29xqy3daavjpi0ikpmqzfczzpbscix-glibc-reinstate-prlimit64-fallback.patch
wm80397r10sj6qckf6987qd2hh842p30-glibc-boot-2.16.0.patch
However, there is no prominent notice stating that it was modified and
the given date. Even if those patches are applied on the fly, there is
no such notice, and it should be there.
We speak here of distribution or conveying, and licensing.
We do not speak of using guix package manager.
When a binary package (object code) is placed on a server anywhere, that
is conveying.
,----
| To "convey" a work means any kind of propagation that enables other
| parties to make or receive copies. Mere interaction with a user through
| a computer network, with no transfer of a copy, is not conveying.
`----
When object code is on a public http server, in this case also known
as substitutes, that object code has to comply with licensing
conditions.
Currently it does not.
It only shows the license. It does not show the notice where
corresponding source code can be found.
I am sending this copy of email to Ludovic Courtès for consideration,
though I think he needs the support of somebody who can read and
understand the licensing conditions.
This requires re-work of guix package management.
More about it:
,----
| 6. Conveying Non-Source Forms.
`----
You may convey a covered work in object code form under the terms
of sections 4 and 5, provided that you also convey the
machine-readable Corresponding Source under the terms of this License,
in one of these ways:
... snip ...
d) Convey the object code by offering access from a designated
place (gratis or for a charge), and offer equivalent access to the
Corresponding Source in the same way through the same place at no
further charge. You need not require recipients to copy the
Corresponding Source along with the object code. If the place to
copy the object code is a network server, the Corresponding Source
may be on a different server (operated by you or a third party)
that supports equivalent copying facilities, provided you maintain
clear directions next to the object code saying where to find the
Corresponding Source. Regardless of what server hosts the
Corresponding Source, you remain obligated to ensure that it is
available for as long as needed to satisfy these requirements.
When a person receives a binary package like object code, there is no
offer and no offering in that package.
It may be very difficult for Guix to comply with licenses.
However, I cannot say that is a fully free distribution as their
packages are systematically in non-compliance at least with GPL3,
probably GPL2 and maybe AGPL licenses.
Because nobody was thinking of it, Guix missed it, and now they have
a hard time complying.
But compliance is important as it acknowledges developers of software.
We speak of license compliance all the time. We cannot be hypocrites
and now say that Guix does not need to comply with licensing.
I understand that there exists a continuous integration server, but let
me say frankly, if a user receives object code from Guix continuous
server, then the corresponding source code to THAT version of the
object code has to be kept somewhere. I don't think that Guix does
that, but I may be wrong.
,----
| Regardless of what server hosts the Corresponding Source, you remain
| obligated to ensure that it is available for as long as needed to
| satisfy these requirements.
`----
I don't think Guix can do that. There are too many versions of
software constantly being updated. I am not sure of that.
SUMMARY
=======
1. Software modified by Guix with those GPL-related licenses does not
carry prominent notices stating that they modified it with a date.
2. I may assume, this may be wrong, but I may assume that substitutes
are built software, object code, located on servers. Along with
object code there must be an offer to corresponding source code. There
is no such offer in the packages distributed. In other words when a
binary is downloaded, it has to contain such offer as downloading
binary is conveying, publishing it on server for others to receive
it is distributing and conveying, and people should have clear
direction where to get the source code.
There are general instructions however, but licensing applies for
every single individual package, not generally, and there are
different licenses. Each single package has to comply with the
licensing.
It is irrelevant if object code is obtained by using Guix package
manager, because substitutes are on the server and accessible by
let us say "curl" or web browser.
3. For each version of the distributed object code or packages, Guix
needs to keep the corresponding code for as long as necessary. Even
after 5 years somebody can come along and say "I want corresponding
source code for version 1.12" -- but Guix maybe updated it to
version 2.41 and does not maybe have any more corresponding source
code for version 1.12
Why do you think that GNU servers are complying to licensing
requirements even after decades of moments of distributions?
Why should Guix be exempted from complying with licensing requirements for
ALL packages they distribute?
--
Jean
Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns
Sign an open letter in support of Richard M. Stallman
https://stallmansupport.org/
https://rms-support-letter.github.io/