Re: [GNU-linux-libre] review of uruk


From: Denis 'GNUtoo' Carikli
Subject: Re: [GNU-linux-libre] review of uruk
Date: Sat, 25 Mar 2023 02:09:09 +0100

Hi,

On Fri, 24 Mar 2023 11:24:56 +0200
tct <tct@ceata.org> wrote:
> https://www.urukproject.org/dist/en.html#docker
Docker uses a repository with nonfree software (docker hub). It has
things like Microsoft Windows images that are clearly nonfree.

But as-is that would only be an issue in PureOS because PureOS provides
docker, and users can bugreport to pureOS and get it fixed there, so
it's probably not something blocking here. Though people need to
bugreport about it in all FSDG distributions shipping a docker package.

Parabola has a (quick and dirty) patch to deactivate that nonfree
docker.io repository, that I did but I'd need more RAM to manage to
build the package with these patches, or to look how to build on a
Parabola server and sign the packages locally, or to find a way to
increase the tmpfs inside the build chroot. The package works fine when
built manually (with makepkg) though.

The issue is also that my patches do the job, but I don't know go, so I
didn't manage to keep the compatibility with non-patched docker command
line.

To summarize, this cannot work with a patched docker:
> docker run alimiracle/urukos /bin/bash
because the non-patched docker assumes that the default repository is
docker.io and we can't have docker.io as default as it contains nonfree
software.

With the Parabola patch, that could be modified to:
> docker run registry-1.docker.io/alimiracle/urukos /bin/bash

And if someone manages to fix my patch, that could be modified to
something like that:
> docker run docker.io/alimiracle/urukos /bin/bash
this would also work with non-patched docker.

So once docker gets patched in FSDG distributions, that instruction
would probably need to get modified to take that into account somehow
(like point to 1 command for FSDG distros and another for non-FSDG
distros or mention where it works or doesn't work).

I've already reviewed the PureOS docker image (by reviewing its build
instructions) and it should be a 100% pureOS image. So it should be as
FSDG-compliant as PureOS.

> https://sourceforge.net/projects/urukos/files/3.0
I've looked a bit at it but I'm still unsure if sourceforge is OK
or not for FSDG distributions: It has the worst grade ("Unacceptable")
in the GNU ethical repository criteria[1], and the note with it is that
"Important site functionality doesn't work without JavaScript, or with
LibreJS enabled. (C0)"[2] and the proposed updates[3] to this criteria
still have the same grade and comment[4] for sourceforge.

However it doesn't tell if nonfree javascript is required though. But
if it is, and you need to run nonfree software to download uruk or
contribute to uruk for instance, it will most likely be considered as
steering users toward nonfree software.

To know for sure, someone will probably need to try to download uruk
with javascript blocked and see if it works, and/or look at the licenses
of files required to do the download.

And the issue here is that there might be some chicken and egg: if the
issue is the lack of space, that could probably be fixed by asking for
some space to the FSF, or other similar organization, but they might
want the distribution to be certified first.

Other organizations might work too. For instance Replicant uses OSUOSL
for its releases (https://ftp2.osuosl.org/) and it doesn't seem to
require any JavaScript. Pushing files just requires ssh / sftp.

> https://blog.urukproject.org/fr/index.php/posts/uruk-cloudide
> https://github.com/azzenabidi/UrukCloudIDE
I've not looked at that yet. Though Github also has an 'F'[2] in the GNU
ethical repository criteria.

The issue with all that is also that we need to be efficient somehow and
do a good job without spending too much time on it, and make it easy to
check our work. 

So it might be way easier to have the distribution fix that instead of
requiring the reviewers and/or the FSF to do research, think hard about
the implication of a distribution hosting software on sourceforge, and
using github to host some of the software related to the distribution.

> $ cat /etc/apt/sources.list
> deb https://repo.pureos.net/pureos/ byzantium main
> deb http://packages.urukproject.org nannar main

If we assume that the PureOS repository is a third party repository
that is itself FSDG compliant, and so that any issues can be fixed by
bugreporting to PureOS, we'd need to only review the uruk repository.

There seems to be 2 architectures supported somehow:
https://packages.urukproject.org/dists/nannar/main/binary-i386/Packages.bz2
https://packages.urukproject.org/dists/nannar/main/binary-amd64/Packages.bz2

But https://sourceforge.net/projects/urukos/ only mentions x86_64 and
PureOS doesn't support i686. So we could probably just review amd64.

So if we just take the amd64 Packages.bz2 we have the following
packages:
> $ bzgrep "^Package" Packages.bz2 | awk '{print $2}' | sort -u
> aia
> background-nannar
> calamares
> caribou
> caribou-antler
> caribou-dbgsym
> cinnamon
> cinnamon-common
> cinnamon-control-center
> cinnamon-control-center-data
> cinnamon-dbg
> cinnamon-desktop-data
> cinnamon-doc
> cinnamon-l10n
> cinnamon-screensaver
> cinnamon-session
> cinnamon-session-common
> cinnamon-session-dbgsym
> cinnamon-settings-daemon
> cinnamon-settings-daemon-dbgsym
> cinnamon-settings-daemon-dev
> cinnamon-themes
> cjs
> cjs-dbgsym
> ffmulticonverter
> gir1.2-appindicator3-0.1
> gir1.2-caribou-1.0
> gir1.2-cinnamondesktop-3.0
> gir1.2-cmenu-3.0
> gir1.2-cvc-1.0
> gir1.2-meta-muffin-0.0
> gir1.2-nemo-3.0
> gir1.2-xapp-1.0
> iso-flag-png
> libappindicator3-1
> libcaribou0
> libcaribou0-dbgsym
> libcaribou-common
> libcaribou-dev
> libcaribou-gtk3-module
> libcaribou-gtk3-module-dbgsym
> libcaribou-gtk-module
> libcaribou-gtk-module-dbgsym
> libcinnamon-control-center1
> libcinnamon-control-center-dev
> libcinnamon-desktop4
> libcinnamon-desktop-dbg
> libcinnamon-desktop-dev
> libcinnamon-menu-3-0
> libcinnamon-menu-3-0-dbg
> libcinnamon-menu-3-dev
> libcjs0f
> libcjs0f-dbgsym
> libcjs-dev
> libcscreensaver0
> libcscreensaver-dbg
> libcvc0
> libcvc-dbg
> libmuffin0
> libmuffin-dev
> libnemo-extension1
> libnemo-extension-dev
> libxapp1
> libxapp-dev
> live-installer
> masalla
> masalla-cursor
> mate-tweak
> mintstick
> muffin
> muffin-common
> muffin-dbg
> muffin-doc
> nemo
> nemo-data
> nemo-dbg
> nemo-fileroller
> nemo-fileroller-dbgsym
> python3-xapp
> python-configparser
> sticky
> swell-foop
> timeshift
> timeshift-dbgsym
> upm
> upms
> uruk-cleaner
> uruk-plank-theme
> urukupdater
> urukwelcom
> xapp
> xapps-common
> xapps-doc

The source packages list seems to be available here:
https://packages.urukproject.org/dists/nannar/main/source/Sources.bz2

And that gives 38 source packages:
> $ bzcat Sources.bz2 | grep "^Package:" | awk '{print $2}'
> aia
> background-nannar
> calamares
> calamares
> caribou
> cinnamon
> cinnamon-control-center
> cinnamon-desktop
> cinnamon-menus
> cinnamon-screensaver
> cinnamon-session
> cinnamon-settings-daemon
> cinnamon-themes
> cinnamon-translations
> cjs
> configparser
> ffmulticonverter
> flags
> live-installer
> masalla
> masalla-cursor
> mate-tweak
> mintstick
> muffin
> nemo
> nemo-fileroller
> python-xapp
> sticky
> swell-foop
> timeshift
> upm
> upms
> uruk-cleaner
> uruk-plank-theme
> uruk-plank-theme
> urukupdater
> urukwelcome
> xapp

There is probably some automatic way to check if we have source code
for all binary packages. Maybe just doing apt-source of the binary
package will result in the source being downloaded if the source
repository is configured. 

Rebuilding the packages could probably help see if there are any
differences with the source ones. If there are, maybe diffoscope could
also be used to understand what the differences are.

The next thing could be to review these 38 packages. There are
Copyright files in these packages. I've looked rapidly at some
packages and the license in Copyrights matched the code, though the
copyright itself was not well reported. So it's probably good enough
to check the licenses.

There is a git repository with the packages here, but it doesn't seem
to be mentioned on the uruk website:
https://notabug.org/hayderctee/uruksource
so it might be a good idea to notify the uruk project about that as
users may want to send patches, and the uruk project accepts
contributions.

The next thing could be to review the two ISOs:  uruk_3.0.iso and
uruk-cinnamon_3.0.iso  and see if no nonfree files were added.

I've no idea how they were made, but if there are instructions
somewhere we could just re-do it and look at it with diffoscope to see
if there are any differences. If there aren't any we might not need to
do any extra reviews and we could probably just review the source code
used to do the isos. I've not found any instructions by looking
rapidly though.

There is also the website to review and to see if it steers users
toward nonfree software, has instructions to install nonfree software,
uses nonfree javascript, etc. I've not looked at it in details yet.

It at least mentions other uruk sub-projects:
https://urukproject.org/en/index.html

So we might need to audit them as well, though several of them seem to
also be packaged in the extra packages. So maybe some diff -Nurd or
using meld could make the review faster.

The website also mentions mailing lists, but I've not looked at them
yet. It also mentions an IRC channel (#uruk-project) on Freenode. I've
not found it on liberachat though, and I'm unsure if it's still there
on freenode or not.

As for collaborating on doing this in depth review, the Libreplanet
wiki is probably a good place for that.

While all that looks like a lot of work for a single person, it can be
split in very small parts, to enable many people to contribute a small
bit.

References:
-----------
[1]https://www.gnu.org/software/repo-criteria.html
[2]https://www.gnu.org/software/repo-criteria-evaluation.html
[3]https://www.gnu.org/software/proposed-new-repo-criteria.html
[4]https://www.gnu.org/software/repo-criteria-evaluation.html

PS: This email is also licensed under the same license as the
Libreplanet wiki (with the copyright assignment and so on), to help
people reuse it in Libreplanet articles.

Denis.
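
An added example, not part of the original email: one way to automate the check discussed above (whether every binary package in Packages.bz2 has its source in Sources.bz2), comparing both name and version. The function names are hypothetical, and the sample stanzas are constructed, not taken from the real uruk index.

```python
import bz2
import re

def load(path):
    """Read a Packages/Sources index, decompressing .bz2 as the repository serves it."""
    opener = bz2.open if path.endswith(".bz2") else open
    with opener(path, "rt", encoding="utf-8") as fh:
        return fh.read()

def stanzas(text):
    """Yield each blank-line separated stanza as a dict of its single-line fields."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if line[:1].isspace() or ":" not in line:
                continue  # continuation lines (file lists, descriptions) are not needed
            key, _, value = line.partition(":")
            fields[key] = value.strip()
        if fields:
            yield fields

def source_of(binary):
    """(name, version) of the claimed source; Source: may be absent or 'name (version)'."""
    m = re.fullmatch(r"(\S+)(?:\s+\((\S+)\))?", binary.get("Source", binary["Package"]))
    return m.group(1), m.group(2) or binary["Version"]

def missing_sources(packages_text, sources_text):
    """List binaries whose exact source (name and version) is not in the Sources index."""
    available = {}
    for src in stanzas(sources_text):
        available.setdefault(src["Package"], set()).add(src["Version"])
    report = []
    for b in stanzas(packages_text):
        name, version = source_of(b)
        if version not in available.get(name, ()):
            why = "version mismatch" if name in available else "no source package"
            report.append((b["Package"], name, version, why))
    return report

# Constructed sample stanzas (versions and the "example-orphan" package are made up).
SAMPLE_PACKAGES = (
    "Package: libcaribou0\nSource: caribou (0.4.21-7)\nVersion: 0.4.21-7+b1\n\n"
    "Package: timeshift\nVersion: 20.03-1\n\n"
    "Package: example-orphan\nVersion: 1.0-1\n")
SAMPLE_SOURCES = ("Package: caribou\nVersion: 0.4.21-7\n\n"
                  "Package: timeshift\nVersion: 19.01-1\n")

if __name__ == "__main__":
    print(*missing_sources(SAMPLE_PACKAGES, SAMPLE_SOURCES), sep="\n")
```

Against the real repository, pass `load("Packages.bz2")` and `load("Sources.bz2")` instead of the samples; a source package with the right name but the wrong version is reported separately, since it is not the source the binary was built from.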
