Re: [GNU-linux-libre] Developing free non-gnu operating systems

[Jean Louis]

* Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> [2021-10-06 14:01]:
> With 'guix pack', as part of Replicant, we released binaries
> made from pure Guix:
> https://ftp.osuosl.org/pub/replicant/build-tools/repo/28-01-2021/
> 
> And we also published corresponding source code along the way and all
> the commands used to make both the binary release and the source code
> release.
> 
> So it's possible to get the source code in an automated way with the
> exact same tools.

I have not unpacked it to see and verify. That you say something is
possible, I know this, but I wish to see real world practical example
of compliance to GPLv2/v3.

What I am asking you to see real world example of GPLv2/v3 compliance,
in this file here:
https://ftp.osuosl.org/pub/replicant/build-tools/repo/28-01-2021/sz1lkq3ryr5iv6amy6f3d2pziks27g28-tarball-pack.tar.xz

Do you have inside of that file a notice where to get sources,
probably these:
https://ftp.osuosl.org/pub/replicant/build-tools/repo/28-01-2021/sz1lkq3ryr5iv6amy6f3d2pziks27g28-sources.tar.xz

> The question would be how different it is from Debian based
> distributions where you can get the source code with apt source:

I am sure I have not brough the viewpoint well across. Probably
several distributions miss the point I have explained in relation to
binaries and true compliance to GPLv2/v3. There are few issues I have
mentioned and one of them is compliance when distributin binaries.

Distributing binaries does not involve a method, method of obtaining
binaries can be this or that. You could use Guix package manager, or
apt-get but also wget or WWW browser, right?

>From GPLv3:
,----
| If the place to copy the object code is a network server, the
| Corresponding Source may be on a different server (operated by you or
| a third party) that supports equivalent copying facilities, provided
| you maintain clear directions next to the object code saying where to
| find the Corresponding Source.
`----

Does your binary package clearly designates where to obtain source?
https://ftp.osuosl.org/pub/replicant/build-tools/repo/28-01-2021/sz1lkq3ryr5iv6amy6f3d2pziks27g28-tarball-pack.tar.xz

Imagine now, I take your binary package and I put it on my server for
distribution without any modifications whatsover, is the end receiver
of that package who get it from my server clearly informed through
that binary package which has probably inside what is called "object
code" where the source is? 

In that case I am responsible, not you, to provide sources. I can
provide it from third party server which is your original, but I have
to be sure I am complying to GPLv3 (and we only hypothetically say
that your package is GPLv3 which may not be).

> - The way to get full source code is less well known with Guix. I had
>   to try and to ask around, but now at least I know how to do it and I
>   can publicize it. I didn't check if that was also in the manual.

Well said, thanks for acknowledgment. Though that is least issue. Guix
package manager can download the source. 

But the GPLv3 section I have cited is not covered by providing such
option.

You see, packages are available over HTTP. But by Guix they are made
almost inaccessible from Internet if user does not use Guix package
manager. However, packages can be obtained from Internet without Guix
package manager. Then where is the compliance in that case?

And it is just, I mention again, just on of several issues.

> As I understand once a package is in Guix, its source will also be
> hosted in Software Heritage on behalf of Guix. 

Let us find an example of a substitute or binary from Guix, and then
it may become easier demonstratable.

> So both combined gives some pretty good assurance that in the future
> you will still be able to build old software because it will also have
> all the source code of the dependencies and if it built at a given
> git revision, it's likely to also build in the future at the same git
> revision.

That is good point, maybe it solves it, but let us see example. Please
try to provide more particular example.

Let us say for example, I have used Guix package manager and I got
binary for version 1.2 -- now I put that binary on special place on my
hard disk, and I forgot about it. I upgrade my system and continue
using version 2.3, somewhere in future version 1.2 may be required on
less powerful computer -- and we look there in the binary, and we see
there is no information "next to object code" where is the source.

> The issue here is probably that Guix does a lot of things, so it's
> not always obvious how to do things with it.

I know. 

Though GPLv3 is clear. Things should be obvious, and I know they are
not obvious.

Manual does not matter. When somebody obtains binary from let us say
HTTP server, no need for Guix manual, he got binary, where is the
source "next to object code"?


-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

In support of Richard M. Stallman
https://stallmansupport.org/