[GNU-linux-libre] Good practices for removing nonfree code found in source code.

[Denis 'GNUtoo' Carikli]

Hi,

So far when I found issues in FSDG compliant distributions, it was easy
to fix as we could simply blacklist packages, or make different
packages that avoided nonfree dependencies that we don't ship, etc.

But recently I've found some nonfree code in u-boot, just by grepping
for "reverse engineering" in its source code[1][2]:
- arch/x86/dts/microcode/ has nonfree microcode with a nonfree license.
- there is a nonfree firmware in
  drivers/usb/host/xhci-rcar-r8a779x_usb3_v3.h whose license is in 
  Licenses/r8a779x_usb3.txt.

In addition there is various documentation that as far as I know isn't
used in any FSDG compliant distribution that instruct users how to
build u-boot images that include nonfree software.

In Parabola only the documentation affecting the boards we support is
shipped in the packages themselves, and that documentation doesn't have
that issue. In Guix I didn't see any problematic boards being
supported. And in Replicant we don't have such instructions either.

So users should probably not be pushed to install nonfree software just
because there is that documentation in the corresponding source code
but it's probably still a good practice to remove it, as it also
document what is problematic along the way.

With at least Guix, Hyperbola, Parabola, PureOS, Trisquel, and LibreCMC,
a package definition is a file or set of files that contains
instructions (for another program) to fetch source code (so here the
u-boot source code) and patch it, build it, etc. And at the end that
produces a package that can be either installed or combined with other
packages to create a distribution image (for libreCMC for instance).

However with Replicant, it's very different as we have no notion of
packages at all. Instead the full Replicant source code which is
composed of many git repositories is checked out in the same
directory tree, and then the released images are built inside that.
We now ship a compressed tarball of all that source code aside the
images but we also still need to do that for older releases as well.

What are the best practice to fix cases like u-boot or fix other
nonfree code found in free software source code for the various FSDG
compliant distributions?
- Can I simply do some rm -rf inside the package definition to remove
  these files? In that case the nonfree code might still be present in
  the source code shipped alongside the package.
- What about git repositories, like with Replicant? Is it OK if I just
  add commits to remove the nonfree code that has been found? Or should
  the full history be rewritten somehow? The later would make the
  maintenance of such code way more complex as we often do need to
  rebase our changes on top of the upstream distributions we are based
  on, and we can't simply add packages inside the Android build system
  (it's way way way too much work for Replicant).
- What do various distribution do for former releases when nonfree code
  has been found? Do they archive it somewhere else (like on
  archive.org) and stop distributing these releases?

References:
-----------
[1]While it also finds many false positive as people talk about drivers
   having been reverse engineered or functionality that needs to be
   reverse engineered, most nonfree licenses have clauses forbidding
   reverse engineering, so if we discard the false positive, it's
   really effective at finding nonfree software. Though it doesn't find
   binaries simply lacking licenses and/or corresponding source code.
[2]https://labs.parabola.nu/issues/3095

Denis.

pgpAHcjycEWS7.pgp
Description: OpenPGP digital signature