Proposal: the libre repo could be a way to reach out
Parabola is a unique and sorely needed project in that it's literally the only OS in existence that is 100% libre, down to every single file included in the system, with a social contract, FSDG-compliance issue trackers, and FSF endorsement effectively constituting a hearty promise ensuring this will always be the case.
The issue I raised previously in the "Request for Ideas" post was an attempt to probe and discover the current issues with Parabola and invent ways to increase popularity and reach out to new people.
However, I think one is hiding in plain sight: the
For those who are unaware, when a package is blacklisted for violating the FSDG or another requirement of Parabola, if possible, a cleaned-up version of the package is made which fixes the flaws with the now-blacklisted version, and is placed in the
Many of these blacklisted packages include very sneaky things, including mislabelled licenses, nonfree documentation in a package otherwise labelled as free, files with no license, or even firmware blobs.
When such things are discovered, upstream appears to be seldom notified, let alone contacted in any official capacity.
Moreover, had it not been for Parabola, many of these discoveries would remain undiscovered.
I think we need to begin reaching out to projects which are self-labelled as "open source", "FOSS", "FLOSS", or otherwise labelled in some way which does not fully support the ideas of the free software movement.
We could check the blacklist, find a package, and reach out to the maintainers, explaining what the issue is, and why they should care.
This could be done in an official capacity, with individual hackers representing Parabola, or perhaps as a libre letter signed by the community around Parabola.
In this way, we show people what the issue is with more credentials than a lone person politely asking in an email, for instance, and begin to build up momentum for change.
At first this may be hit-and-miss, but as we build up a growing list of success stories, perhaps more projects will get the message by word of mouth and begin to understand the issues, leading to a more likely chance of interaction, and successful interaction.
Moreover, this would pay dividends in the long-term, as we tackle the root cause of the issue: packages including flaws in the first place. Once projects begin to realise and recognise the issues, they will not introduce such flaws in the first place, which will free up time for the Parabola hackers to do other tasks rather than spending lots of time maintaining the blacklist and
this is all well-intentioned, idealistic, enthusiastic, and fine ideas - not to be pessimistic, but realistically, i should add a hint of "naive" and "unlikely" to that list, for balance - only because this is not a new idea exactly - people have been posting freedom bug reports to software projects for many years - those are most often ignored, and often ridiculed, though sometimes the response is positive - however, in many of the positive cases, the response is like: "if someone else does the work or research, we may accept the contribution; but we are not going to do this ourselves" - so even the positive cases are not certain to lead to solutions
OTOH, the OP has a bit of pessimism in it - i would not conclude that the upstreams are rarely asked - i believe that in most cases, they are asked; and there have been many successes - most of them are changes which enable the software to compile and be somewhat useful without the non-free parts - usually the result is a loss of some functionality; and the authors do it grudgingly, believing that those builds are inferior, low-quality, or "dangerous" - the non-free parts or support are rarely removed or replaced - that means parabola still needs to blacklist the package, in order to build it in the special "inferior" configuration
in one case, the authors added a prominent warning when the program is first run, like "the parabola package is dangerous and insecure - you should not use the parabola package - download our build instead" - that, of course, not only undermined parabola's "good deed", but added yet another bit of ugliness, that parabola needed to patch out of the software ("one step forward, two steps back" as the saying goes) - after a few years though, they removed that special configuration anyways; so now the parabola package is frozen at one version indefinitely, and it almost certainly will stop working eventually
the general results are not likely to change with any amount of momentum or authority behind it - parabola exists because those authors do not want their software to be 100% - it is rarely an oversight on their part - if those authors wanted their software to be 100% libre, it already would be, and parabola would not need to exist
lastly, i will add that the grand plan of a formal, organized, project is not ideally seated in parabola - such an effort is better suited as a shared effort among all FSDG distros, within the FSDG or FSD work-groups - if only parabola is involved, then there is nothing new to do or discuss - parabola already does these things for itself
The main reason I think we (i.e. Parabola, an alliance of the FSDG-compliant distros, or some other project which has freedom as a goal) should start reaching out in an organised, formal capacity is because the lone request/bug report/patch/contribution, when it has been attempted, hasn't historically been terribly successful.
It doesn't carry much weight and is easily ignored.
Projects might realise the issues are great if contacted with a well-written letter, a long list of signatories, and growing support in the community starting momentum for change.
(I believe RMS called this "overcoming social inertia".)
This approach has been historically more successful and proprietary projects even became libre via this method, some of which we presently have packaged in the repos.
Which project had the silly so-called "insecurity" notice?
That's hilarious; the vast majority of proprietary projects do not release source code and as such are completely unauditable without substantial reverse-engineering efforts and rely on security by obscurity and blind faith on the part of the user.
Removing components which do not have source code available to audit (which is pretty much all proprietary software) would only make the resulting package more secure.
Not to mention that Parabola would remove all proprietary components, whether or not the source was available.
Misconceptions like these might also be more easily corrected if we did more of the aforementioned outreach.