Parabola Issue Tracker: Issueshttps://labs.parabola.nu/https://labs.parabola.nu/favicon.ico?15367742552024-03-21T14:59:45ZParabola Issue Tracker
Redmine Packages - Freedom Issue #3609 (open): List of core freedom issues affecting work in Parabola.https://labs.parabola.nu/issues/36092024-03-21T14:59:45ZGNUtooGNUtoo@cyberdimension.org
<p>This bug is meant to track freedom issues affecting core components in Parabola.</p>
<p>For instance Pacman is a core component in Parabola since almost anything else depend on it.</p>
<p>Libretools is also required for working on Parabola as well as package definitions.</p>
<p>While there are often freedom issues found in regular packages (for instance a game being nonfree) the impact of these is more limited because it only affect a subset of users and doesn't affect packages required to contribute to Parabola (which are needed to fix these issues in the first place). Some packages (like u-boot for instance) can be critical to some users or use cases but don't affect all the users and contributors to Parabola.</p> Packages - Freedom Issue #3608 (open): [libretools, devtools-par] librerelease has nonfree softwa...https://labs.parabola.nu/issues/36082024-03-21T14:46:44ZGNUtooGNUtoo@cyberdimension.org
<p>Hi,</p>
<p>While trying to package libretools in another FSDG distribution, I found that it actually depends on/contains nonfree software.</p>
<p>So far I only looked at librerelease as that's the software I'm most interested in packaging, but this has wider implications as lot more files are nonfree (more on that below).</p>
<p>The issue with librerelease from libretools is that it depends on lib/common.sh which comes from devtools-par. And that file has 'License: Unspecified'.</p>
A lot more files in devtools-par have 'License: Unspecified', here's the total number of files:
<ul>
<li>archbuild.in</li>
<li>archco.in</li>
<li>archrelease.in</li>
<li>archrm.in</li>
<li>bash_completion.in</li>
<li>checkpkg.in</li>
<li>commitpkg.in</li>
<li>crossrepomove.in</li>
<li>find-libdeps.in</li>
<li>finddeps.in</li>
<li>lddd.in</li>
<li>lib/archroot.sh</li>
<li>lib/common.sh</li>
<li>lib/valid-tags.sh</li>
<li>rebuildpkgs.in</li>
<li>zsh_completion.in</li>
</ul>
In addition the following files also lack a license:
<ul>
<li>.gitignore</li>
<li>Makefile</li>
<li>PKGBUILD.proto</li>
<li>makepkg-x86_64.conf</li>
<li>pacman-extra.conf</li>
<li>pacman-gnome-unstable.conf</li>
<li>pacman-kde-unstable.conf</li>
<li>pacman-multilib-staging.conf</li>
<li>pacman-multilib-testing.conf</li>
<li>pacman-multilib.conf</li>
<li>pacman-staging.conf</li>
<li>pacman-testing.conf</li>
<li>zsh_completion.in</li>
</ul>
Only these files have a valid free software license:
<ul>
<li>arch-nspawn.in</li>
<li>makechrootpkg.in</li>
<li>mkarchroot.in</li>
</ul> Packages - Bug #3584 (forwarded upstream): armv7h packages fail to install - signing key is "unkn...https://labs.parabola.nu/issues/35842024-02-16T01:30:49ZGNUtooGNUtoo@cyberdimension.org
<p>In <a class="external" href="https://repo.parabola.nu/sources/parabola/">https://repo.parabola.nu/sources/parabola/</a> there is no archlinuxarm-keyring-20140119.tar.gz, though there are other packages in libre like hyperbola-keyring.</p>
<p>Unfortunately that source file is not upstream anymore either and Arch Linux ARM doesn't seem to have upgraded its keyring.</p>
<p>So I don't know what to do here.</p> Packages - Bug #3561 (info needed): wp-cli not built from source (but source code is provided)https://labs.parabola.nu/issues/35612023-12-26T11:59:52ZGNUtooGNUtoo@cyberdimension.org
<p>The pkp-cli recipe consists in the following:</p>
<pre>
build() {
cd "$_archive"
composer install --no-interaction --prefer-dist --no-scripts
php -dphar.readonly=0 utils/make-phar.php wp-cli.phar
}
</pre>
<p>After installing php-cli I can get the source code in this way:</p>
<pre>
# cd $(mktemp -d)
# phar extract -f /usr/bin/wp
# find > wp-cli-files.txt
</pre>
<p>wp-cli-files.txt is attached</p>
<p>I've looked at a random file (usr/bin/wp/vendor/wp-cli/wp-config-transformer/src/WPConfigTransformer.php) and the source code is perfectly readable so it does not look transformed in any way.</p>
<p>It is possible to build wp-cli from source, and there is a tutorial for that here: <a class="external" href="https://make.wordpress.org/cli/handbook/contributions/pull-requests/#setting-up">https://make.wordpress.org/cli/handbook/contributions/pull-requests/#setting-up</a></p>
<p>Do we need to remove wp-cli because it's not built from source or is the fact that it provide source code sufficient?</p> Packages - Freedom Issue #3473 (confirmed): [hackrf] some files depend on nonfree softwarehttps://labs.parabola.nu/issues/34732023-04-22T22:51:17ZGNUtooGNUtoo@cyberdimension.org
<p>The <a href="https://raw.githubusercontent.com/archlinux/svntogit-community/packages/hackrf/trunk/PKGBUILD" class="external">PKGBUILD</a> points to <a href="https://github.com/mossmann/hackrf/releases/download/v2023.01.1/hackrf-2023.01.1.tar.xz" class="external">hackrf-2023.01.1.tar.xz</a></p>
<p>Once downloaded we have the following in firmware/cpld/README:<br /> This is a binary file built from HDL source in sgpio_if. You do not need<br /> Xilinx tools unless you want to make your own modifications.</p>
<p>So the easiest way to fix this package is to generate a cleaned up tarball with the various firmwares removed and also not ship the firmwares unless we build them ourselves.</p> Packages - Freedom Issue #3471 (unconfirmed): [netctl] unclear licensehttps://labs.parabola.nu/issues/34712023-04-22T17:10:16ZGNUtooGNUtoo@cyberdimension.org
The netctl source code seems to be available here: <a class="external" href="https://gitlab.archlinux.org/archlinux/netctl">https://gitlab.archlinux.org/archlinux/netctl</a> and after downloading it, the only hints for a license are:
<ul>
<li>that there is a COPYING file</li>
<li>that for some reasons <a class="external" href="https://gitlab.archlinux.org/archlinux/netctl">https://gitlab.archlinux.org/archlinux/netctl</a> has a GNU GPLv3 button that then brings to a page that has this text: "This project is licensed under the GNU General Public License v3.0 only. Learn more". But this is done automatically by gitlab.</li>
</ul>
<p>So we probably need upstream to clarify the license of that software by sending a patch to do that (for instance by telling that this program and all that is in this git repository is released under the GPLv3 or later in the README as per what's explained both in the GPLv3 text (how to apply [...] and in the documentation that explains how to apply the GPL ( <a class="external" href="https://www.gnu.org/licenses/gpl-howto.html#why-license-notices">https://www.gnu.org/licenses/gpl-howto.html#why-license-notices</a> ).</p>
<p>Once done we can also update the FSD entry about netctl as well: <a class="external" href="https://directory.fsf.org/wiki/Netctl">https://directory.fsf.org/wiki/Netctl</a></p> Packages - Bug #3470 (confirmed): arduino: Has a package managerhttps://labs.parabola.nu/issues/34702023-04-15T13:49:16ZGNUtooGNUtoo@cyberdimension.org
<p>The package manager is available in "Tools" -> "Board: [...]" -> "Boards Manager".</p>
<p>I've no idea of it's policies, so we need to look if the repository is fully free software. If it's fully free it might be OK FSDG wise.</p>
<p>I've also added an entry in the Libreplanet Wiki about it: <a class="external" href="https://libreplanet.org/wiki/Group:Software/research/ExternalRepositories">https://libreplanet.org/wiki/Group:Software/research/ExternalRepositories</a></p> Packages - Bug #3469 (confirmed): arduino-avr-core contain binaries (but also their source code)https://labs.parabola.nu/issues/34692023-04-15T13:39:22ZGNUtooGNUtoo@cyberdimension.org
<p>The arduino package isn't useful alone: it needs some extra software to support specific microcontroller boards.</p>
So I know two options so far:
<ul>
<li>Use the builtin package manager to install code to support these boards</li>
<li>Use the Arch Linux / Parabola packages for that</li>
</ul>
<p>The advantage of the later is that it is patched to use Arch Linux packages like avrdude. In contrast the arduino-avr-code installed through the Arduino package manager pulls an avrdude binary for instance (and it more limited than the one build by Arch Linux).</p>
The Arch Linux packaged arduino-avr-core consist of source code that is copied as-is, but it also contains the following bootloaders binaries:
<ul>
<li>Arduino-COMBINED-dfu-usbserial-atmega16u2-Mega2560-Rev3.hex</li>
<li>Arduino-COMBINED-dfu-usbserial-atmega16u2-MegaADK-Rev3.hex</li>
<li>Arduino-COMBINED-dfu-usbserial-atmega16u2-Uno-Rev3.hex</li>
<li>Arduino-usbserial-atmega16u2-Mega2560-Rev3.hex</li>
<li>Arduino-usbserial-atmega16u2-MegaADK-Rev3.hex</li>
<li>Arduino-usbserial-atmega16u2-Uno-Rev3.hex</li>
<li>Arduino-usbserial-mega.hex</li>
<li>Arduino-usbserial-uno.hex</li>
<li>ATmegaBOOT_168_atmega1280.hex</li>
<li>ATmegaBOOT_168_atmega328_bt.hex</li>
<li>ATmegaBOOT_168_atmega328.hex</li>
<li>ATmegaBOOT_168_atmega328_pro_8MHz.hex</li>
<li>ATmegaBOOT_168_diecimila.hex</li>
<li>ATmegaBOOT_168.hex</li>
<li>ATmegaBOOT_168_ng.hex</li>
<li>ATmegaBOOT_168_pro_8MHz.hex</li>
<li>ATmegaBOOT.hex</li>
<li>ATmegaBOOT-prod-firmware-2009-11-07.hex</li>
<li>Caterina-Circuitplay32u4.hex</li>
<li>Caterina-Esplora.hex</li>
<li>Caterina-Industrial101.hex</li>
<li>Caterina-LeonardoEthernet.hex</li>
<li>Caterina-Leonardo.hex</li>
<li>Caterina-LilyPadUSB.hex</li>
<li>Caterina-LininoOne.hex</li>
<li>Caterina-Micro.hex</li>
<li>Caterina-Robot-Control.hex</li>
<li>Caterina-Robot-Motor.hex</li>
<li>Caterina-Yun.hex</li>
<li>Caterina-YunMini.hex</li>
<li>Caterina-Yun-noblink.hex</li>
<li>Esplora-prod-firmware-2012-12-10.hex</li>
<li>gemma_v1.hex</li>
<li>Genuino-COMBINED-dfu-usbserial-atmega16u2-Mega2560-R3.hex</li>
<li>Genuino-COMBINED-dfu-usbserial-atmega16u2-Uno-R3.hex</li>
<li>Genuino-usbserial-atmega16u2-Mega2560-R3.hex</li>
<li>Genuino-usbserial-atmega16u2-Uno-R3.hex</li>
<li>Leonardo-prod-firmware-2012-04-26.hex</li>
<li>Leonardo-prod-firmware-2012-12-10.hex</li>
<li>LilyPadBOOT_168.hex</li>
<li>Mega2560-prod-firmware-2011-06-29.hex</li>
<li>MEGA-dfu_and_usbserial_combined.hex</li>
<li>Micro-prod-firmware-2012-11-23.hex</li>
<li>Micro-prod-firmware-2012-12-10.hex</li>
<li>optiboot_atmega168.hex</li>
<li>optiboot_atmega328.hex</li>
<li>optiboot_atmega328-Mini.hex</li>
<li>optiboot_atmega8.hex</li>
<li>stk500boot_v2_mega2560.hex</li>
<li>UNO-dfu_and_usbserial_combined.hex</li>
<li>wifi_dnld.hex</li>
<li>wifiHD.hex</li>
</ul>
<p>It doesn't seem to contain avrdude.</p>
<p>As the source code is also provided it's probably OK FSDG wise as long as the binaries match the source code. However there is a Parabola policy that requires to have everything built from source in the packages.</p>
So we have 2 options here that aren't mutually exclusive:
<ul>
<li>Remove all these bootloaders binaries (With rm -f)</li>
<li>Compile the bootloaders from source and replace the old binaries with the ones built.</li>
</ul>
<p>The bootloaders are also not needed for normal operation of the arduino program: they are just used to recover boards when the users erased the bootloader. So simply removing them will probably only break that functionality.</p> Packages - Bug #3451 (fixed): community/bass lacking source codehttps://labs.parabola.nu/issues/34512023-03-08T23:19:21ZGNUtooGNUtoo@cyberdimension.org
<p>The <a href="https://downloads.sourceforge.net/scummvm/bass-cd-1.2.zip" class="external">source code zip</a> has the following files:<br /><pre>
bass-cd-1.2/sky.dnr
bass-cd-1.2/sky.dsk
bass-cd-1.2/readme.txt
bass-cd-1.2/sky.cpt
</pre></p>
<p>And the license is the following (from readme.txt):<br /><pre>
1) You may distribute this game for free on any medium, provided this readme
and all associated copyright notices and disclaimers are left intact.
2) You may charge a reasonable copying fee for this archive, and may distribute
it in aggregate as part of a larger & possibly commercial software distribution
(such as a Linux distribution or magazine coverdisk). You must provide proper
attribution and ensure this readme and all associated copyright notices, and
disclaimers are left intact.
3) You may not charge a fee for the game itself. This includes reselling the
game as an individual item.
4) You may modify the game as you wish. You may also distribute modified
versions under the terms set forth in this license, but with the additional
requirement that the work is marked with a prominent notice which states that
it is a modified version.
5) All game content is (C) Revolution Software Ltd. The ScummVM engine is (C)
The ScummVM Team (www.scummvm.org)
6) THE GAMEDATA IN THIS ARCHIVE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING AND NOT LIMITED TO ANY IMPLIED WARRANTIES OF
MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
</pre></p>
<p>The same readme.txt has:<br /><pre>
Some time ago, we (ScummVM) had the good fortune to come in contact with Tony
Warriner at Revolution Software Ltd. With their blessing and support, we then
obtained the original source code for Beneath a Steel Sky and added support for
it to our adventure game interpreter, ScummVM. And now, on the eve of ScummVM
0.5.0 (the first release featuring B.A.S.S support), Revolution Software Ltd.
has decided to release Sky to the public as freeware!
</pre></p>
<p>So that is probably OK FSDG wise as this data could be considered as non-functionnal and that we get permissions to redisrtibute it even commercially.</p>
<p>However AFAIK Parabola has a free culture requirement, so even if we have the right to modify it, we might lack the information to do that (the source code).</p>
<p>Though maybe some people have more information about the game format and all, so maybe I'm mistaken?</p> Packages - Privacy Issue #3402 (confirmed): Check if xonotic enable statistics.xonotic.org by def...https://labs.parabola.nu/issues/34022022-12-20T23:13:55ZGNUtooGNUtoo@cyberdimension.org
<p>I've only looked at it through Guix as my parabola installations that can run xonotic already have configuration data.</p>
<p>After agreeing to the services TOS, that basically tell you that TOS apply to stats.xonotic.org and to the xonotic-forum, you are asked if you want to "Allow player statistics to use your nickname at stats.xonotic.org?".</p>
<p>It also tells you that "Player statistics are enabled by default, you can change this in the Profile menu". And so even if you select "no" or "undecided", you are tracked.</p>
<p>So as I understand tracking has to be opt-in, and having it opt-out is forbidden by the GDPR and the FSDG.</p>
<p>So we need to fix that in Parabola (and also in Guix). I'll try to bugreport in Guix too when I find the time.</p> Packages - Freedom Issue #3388 (confirmed): Many Java packages not built from source?https://labs.parabola.nu/issues/33882022-12-13T16:21:04ZGNUtooGNUtoo@cyberdimension.org
<p>How to find them:<br />(1) Get the list of reverse dependencies in <code>Required By</code> in <a class="external" href="https://archlinux.org/packages/extra/x86_64/jre-openjdk/">https://archlinux.org/packages/extra/x86_64/jre-openjdk/</a><br />(2) For each package check if the one we have in Parabola comes from Arch Linux, and if so, look if it is built from source</p> Packages - Bug #3334 (confirmed): Make aarch64-linux-gnu-gcc work again on armv7hhttps://labs.parabola.nu/issues/33342022-08-28T10:28:42ZGNUtooGNUtoo@cyberdimension.org
<p>Before we had an aarch64-linux-gnu-gcc package on armv7h, but it was removed accidentally.<br />And if we build the PKGBUILD it fails, so we need to fix the build and to upload a new package.</p>
<p>NOTE: the main reason we want this, is to compile the aarch64 kernel and bootloaders in a armv7h librechroot</p> Packages - Bug #3132 (not-a-bug): libre: asciidoc: The 8.6.10 source package changed upstreamhttps://labs.parabola.nu/issues/31322021-11-21T04:49:24ZGNUtooGNUtoo@cyberdimension.org
<p>While building asciidoc I have:<br /><pre>
| ==> Validating source files with sha256sums...
| asciidoc-8.6.10.tar.gz ... FAILED
| ==> ERROR: One or more files did not pass the validity check!
| ==> ERROR: Could not download sources.
+ get_output x86_64 libre/asciidoc /home/parabola/packages/libre/asciidoc
</pre></p>
<p>The PKGBUILD has the following:<br /><pre>
sha256sums=('9e52f8578d891beaef25730a92a6e723596ddbd07bfe0d2a56486fcf63a0b983')
</pre></p>
<p>And instead what I have downloaded has:<br /><pre>
$ sha256sum asciidoc-8.6.10.tar.gz
22d6793d4f48cefb4a6963853212a214591a591ece1bcbc56af3c67c642003ea asciidoc-8.6.10.tar.gz
</pre></p>
<p>And here both tarballs are different, and the sha256sum that is in the PKGBUILD does correspond to the archive checksum at the time.</p>
This can be verified by downloading the asciidoc package source at:
<ul>
<li><a class="external" href="https://repo.parabola.nu/sources/parabola/asciidoc-8.6.10-2.parabola1-any.src.tar.gz">https://repo.parabola.nu/sources/parabola/asciidoc-8.6.10-2.parabola1-any.src.tar.gz</a></li>
<li><a class="external" href="https://repo.parabola.nu/sources/parabola/asciidoc-8.6.10-2.parabola1-any.src.tar.gz.sig">https://repo.parabola.nu/sources/parabola/asciidoc-8.6.10-2.parabola1-any.src.tar.gz.sig</a></li>
</ul>
<p>The signature matches:<br /><pre>
$ gpg --verify asciidoc-8.6.10-2.parabola1-any.src.tar.gz.sig
gpg: assuming signed data in 'asciidoc-8.6.10-2.parabola1-any.src.tar.gz'
gpg: Signature made lun. 20 juil. 2020 07:57:07 CEST
gpg: using RSA key FBCC5AD7421197B7ABA72853908710913E8C7778
gpg: Good signature from "bill-auger <bill-auger@peers.community>" [unknown]
gpg: aka "bill-auger <mr.j.spam.me@gmail.com>" [unknown]
gpg: aka "bill-auger <bill-auger@programmer.net>" [unknown]
gpg: aka "[jpeg image of size 6017]" [unknown]
gpg: Note: This key has expired!
Primary key fingerprint: 3954 A7AB 837D 0EA9 CFA9 7989 25DB 7D9B 5A8D 4B40
Subkey fingerprint: FBCC 5AD7 4211 97B7 ABA7 2853 9087 1091 3E8C 7778
</pre></p>
<p>And the checksum matches too:<br /><pre>
$ tar tf asciidoc-8.6.10-2.parabola1-any.src.tar.gz
asciidoc/
asciidoc/PKGBUILD
asciidoc/.SRCINFO
asciidoc/asciidoc-8.6.10.tar.gz
$ tar xf asciidoc-8.6.10-2.parabola1-any.src.tar.gz
asciidoc-8.6.10.tar.gz PKGBUILD .SRCINFO
$ sha256sum asciidoc/asciidoc-8.6.10.tar.gz
9e52f8578d891beaef25730a92a6e723596ddbd07bfe0d2a56486fcf63a0b983 asciidoc/asciidoc-8.6.10.tar.gz
</pre></p>
<p>So the source was clearly modified upstream between when the package was made and now.</p>
<p>So let's look at the differences. For reference we have the following files:<br /><pre>
$ sha256sum 9e52f8578d891beaef25730a92a6e723596ddbd07bfe0d2a56486fcf63a0b983_asciidoc-8.6.10.tar.gz asciidoc-8.6.10.tar.gz
9e52f8578d891beaef25730a92a6e723596ddbd07bfe0d2a56486fcf63a0b983 9e52f8578d891beaef25730a92a6e723596ddbd07bfe0d2a56486fcf63a0b983_asciidoc-8.6.10.tar.gz
22d6793d4f48cefb4a6963853212a214591a591ece1bcbc56af3c67c642003ea asciidoc-8.6.10.tar.gz
</pre></p>
<p>And I'll attach the output of:<br /><pre>
$ diffoscope 9e52f8578d891beaef25730a92a6e723596ddbd07bfe0d2a56486fcf63a0b983_asciidoc-8.6.10.tar.gz asciidoc-8.6.10.tar.gz > asciidoc-8.6.10.tar.gz-diff.txt
</pre></p> Packages - Freedom Issue #3095 (fixed): u-boot has nonfree fileshttps://labs.parabola.nu/issues/30952021-09-16T17:38:38ZGNUtooGNUtoo@cyberdimension.org
<p>We have at least the following files that are nonfree in arch/x86/dts/microcode/:<br /><pre>
$ git grep "reverse engineering"
arch/x86/dts/microcode/m0220661105_cv.dtsi: * .No reverse engineering, decompilation, or disassembly of this software is
arch/x86/dts/microcode/m12206a7_00000029.dtsi: * .No reverse engineering, decompilation, or disassembly of this software is
arch/x86/dts/microcode/m12306a9_0000001b.dtsi: * .No reverse engineering, decompilation, or disassembly of this software is
arch/x86/dts/microcode/m7240651_0000001c.dtsi: * .No reverse engineering, decompilation, or disassembly of this software is
arch/x86/dts/microcode/mc0306d4_00000018.dtsi: * .No reverse engineering, decompilation, or disassembly of this software is
</pre></p>
<p>For the rest they may be documented in a somewhat recent thread in the linux-libre mailing list, so we could remove them in a second time once we understand if these are code or data.</p>
<p>There is also some documentation that contains instructions to build u-boot with nonfree binaries to remove and there too they could be removed once we find them.</p>
<p>In any case I don't know how to properly remove files in PKGBUILDs as I lost track of if the Parabola modifications to build processed source tarballs worked or not if they were removed or not and so on.</p>
<p>So if someone has an example to follow that works today I could do that modification.</p>
<p>If not I don't know what to do or how to do it.</p> Packages - Bug #2141 (fixed): libremakepkg failing to build package due to read-only startdir in ...https://labs.parabola.nu/issues/21412019-01-18T14:34:15ZGNUtooGNUtoo@cyberdimension.org
<p>I've tried building it inside an i686 chroot with:</p>
<pre>$ sudo libremakepkg -n parabola-i686</pre><br />and this gives:<br /><pre>
INSTALL sound/usb/snd-usb-audio.ko
INSTALL sound/usb/snd-usbmidi-lib.ko
INSTALL sound/usb/usx2y/snd-usb-us122l.ko
INSTALL sound/usb/usx2y/snd-usb-usx2y.ko
INSTALL sound/x86/snd-hdmi-lpe-audio.ko
INSTALL virt/lib/irqbypass.ko
DEPMOD 4.19.8-gnu-1
-> Installing hooks...
/startdir/PKGBUILD: line 466: /startdir/linux.install.pkg: Read-only file system
==> ERROR: A failure occurred in package_linux-libre().
Aborting...
</pre>
<p>related: <a class="external" href="https://lists.parabola.nu/pipermail/dev/2019-May/007207.html">https://lists.parabola.nu/pipermail/dev/2019-May/007207.html</a></p>