Re: [GNU-linux-libre] Good practices for removing nonfree code found in


From: Denis 'GNUtoo' Carikli
Subject: Re: [GNU-linux-libre] Good practices for removing nonfree code found in source code.
Date: Wed, 6 Oct 2021 22:10:59 +0200

On Wed, 6 Oct 2021 17:35:43 +0300
Jean Louis <bugs@gnu.support> wrote:
> My idea is that software directory and similar projects should provide
> digital, parsable database of software with their authors and original
> servers of software distributions, then all distributions could access
> such centralized database and choose by category and other tags and
> facts, which software they wish to include in their
> distribution. Information should be there which provides more
> authenticity of the origin of software. PGP keys are really not enough
> there. Like you said, if software comes from Samsung and from Samsung
> website, that is pretty authentic, not absolute, but it becomes
> reasonable.
For authors, in many cases, like with Linux, not all authors are
known, but instead the copyrights are known.

Note that if the directory doesn't want to do something like that,
you might be able to work with Wikidata to add the information for
various software releases. From my experience it can take a bit of time
(months) to add new properties, but the rest can be really fast.

If you need to do something like that at a large scale, you probably
want to write code to do the work instead of doing it yourself manually,
and see with Wikidata how to manage your code.

It's also possible to make both work together as Wikidata has the
concept of external identifiers. For instance I added one for Parabola
packages (it was really fast to add), so it might be possible to add
one for the free software directories and for packages of various
FSDG distributions.

If you do all that, I would also advise adding references each time, as
anybody can add information, so the quality varies a lot.

inventaire.io has a lot of experience in reusing Wikidata data, and
it makes snapshots and fixes on top [1]. So here filtering on the
reference could be an idea to make sure that all the data is good, and
manually reviewing data between snapshot releases would also be a good
idea.

> All of the GNU software that I have seen directly from GNU servers,
> apart from Guix and distributions, as distributed from GNU servers
> seem to have this chain and GNU servers keep almost all historical
> versions as well, like the license says "for long as needed". Great
> work.
Note that I recall that at some point, a software release (I don't
recall if it was part of GNU) was silently updated to fix a bug. So
distributions also have information on that when that happens.

> Guix way of automated verifications is not bad, but users will not
> learn much about it. At least package managers shall be verifying the
> upstream packages to the secondary web servers.
I think there is some feature like that for binaries in Guix.

For source, I don't think there is much besides the usual checksums and/or
gpg verification in all the distributions I looked at.

If you want to add something like that for source in Guix (I think it
would be welcome), you could use Tor for instance to download the source
code from different points of the Internet. The Let's Encrypt certificate
authority probably has a system to verify something (the certificates?
the domain name?) from various points of the Internet too, so they
might have interesting insights.

References:
-----------
[1] https://media.ccc.de/v/wikidatacon2019-1059-inventaire_what_we_learnt_from_reusing_and_extending_wikidata_shifting_data

Denis.

Attachment: pgpZmnTYUEtR4.pgp
Description: OpenPGP digital signature
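The multi-vantage-point source check Denis sketches above, together with the silently re-uploaded release he mentions earlier, as an added Python example that is not part of this thread, of Guix, or of any distribution's tooling. It assumes the tarball copies have already been fetched (for instance over separate Tor circuits) and compares them with the hash pinned in the package definition; the sample bytes are constructed.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Verdict:
    status: str                                    # "ok", "silent-reupload" or "split-view"
    observed: dict = field(default_factory=dict)   # vantage point -> sha256 hex of its copy
    outliers: list = field(default_factory=list)   # vantage points disagreeing with the majority


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify_release(pinned_sha256: str, copies: dict) -> Verdict:
    """Classify one upstream tarball from copies fetched at several vantage points.

    - every copy equals the pinned hash           -> "ok"
    - copies agree with each other but not the pin -> "silent-reupload": upstream
      replaced the file under the same version name (or the pin itself is stale)
    - copies disagree with each other              -> "split-view": some vantage
      points receive different bytes (mirror/CDN inconsistency or targeted tampering)
    """
    if not copies:
        raise ValueError("need at least one fetched copy")
    observed = {vp: sha256_hex(data) for vp, data in copies.items()}
    distinct = set(observed.values())
    if len(distinct) == 1:
        only = next(iter(distinct))
        return Verdict("ok" if only == pinned_sha256 else "silent-reupload", observed, [])
    # Vantage points see different bytes: report the ones outside the majority view.
    majority, _ = Counter(observed.values()).most_common(1)[0]
    outliers = sorted(vp for vp, h in observed.items() if h != majority)
    return Verdict("split-view", observed, outliers)


# Constructed sample data standing in for a downloaded release tarball.
GOOD = b"constructed tarball bytes: foo-1.0.tar.gz\n"
PIN = sha256_hex(GOOD)   # the hash a package definition would record


def demo() -> dict:
    return {
        "clean": classify_release(PIN, {"circuit-a": GOOD, "circuit-b": GOOD}).status,
        "reupload": classify_release(PIN, {"circuit-a": GOOD + b"fix", "circuit-b": GOOD + b"fix"}).status,
        "split": classify_release(PIN, {"circuit-a": GOOD, "circuit-b": GOOD, "circuit-c": b"other"}),
    }


if __name__ == "__main__":
    print(demo())
```

A "silent-reupload" verdict is the case Denis recalls, where only the distribution's pinned hash records that the release changed; a "split-view" verdict is what fetching through several circuits is meant to surface.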

