Project

General

Profile

Freedom Issue #3003

Freedom Issue #1035: [your-system-sanity]: Non-Free Software From Third-party Package Managers (TPPM)

[lxd]: has dubious containers repositories (It can download and install an ubuntu container from a single command)

GNUtoo - over 1 year ago - . Updated 7 months ago.

Status:
confirmed
Priority:
freedom issue
Assignee:
-
% Done:

0%


Description

# lxc remote list
+-----------------+------------------------------------------+---------------+-------------+--------+--------+
|      NAME       |                   URL                    |   PROTOCOL    |  AUTH TYPE  | PUBLIC | STATIC |
+-----------------+------------------------------------------+---------------+-------------+--------+--------+
| images          | https://images.linuxcontainers.org       | simplestreams | none        | YES    | NO     |
+-----------------+------------------------------------------+---------------+-------------+--------+--------+
| local (current) | unix://                                  | lxd           | file access | NO     | YES    |
+-----------------+------------------------------------------+---------------+-------------+--------+--------+
| ubuntu          | https://cloud-images.ubuntu.com/releases | simplestreams | none        | YES    | YES    |
+-----------------+------------------------------------------+---------------+-------------+--------+--------+
| ubuntu-daily    | https://cloud-images.ubuntu.com/daily    | simplestreams | none        | YES    | YES    |
+-----------------+------------------------------------------+---------------+-------------+--------+--------+
# pacman -Q -o lxc
/usr/bin/lxc is owned by lxd 4.12-2
# lxc launch ubuntu:20.04
Creating the instance
Error: Remote operation canceled by user   

History

#1

Updated by bill-auger over 1 year ago

  • Priority changed from bug to freedom issue
  • Status changed from unconfirmed to confirmed
  • Tracker changed from Bug to Freedom Issue

gnutoo - just some tips on using the redmine interface - you forgot to set the ticket metadata - in this case:

Issue Concern: 'freedom issue'
Status: 'confirmed'
Priority: 'freedom issue'

(or if you are planning to start working on it now:
Status: 'in-progress'
Assignee: 'gnutoo'
)

the metadata can always be changed after the ticket is opened, by clicking: Reply, then Description::Edit

FWIW, the 'Priority' field is not doing much work for us - i have considered simply hiding it; but i think the 'status' and 'assignee' are rather important for "tracking" the issue progress

#2

Updated by bill-auger over 1 year ago

  • Subject changed from lxd has dubious containers repositories (It can download and install an ubuntu container from a single command) to [lxd]: has dubious containers repositories (It can download and install an ubuntu container from a single command)

BTW, are you able to get any of those container to boot? - i remember trying this and it would download the images; but i could not get any to boot

#3

Updated by gap 7 months ago

Bump: lxd was never blacklisted.

It's also worth noting that lxd is a Canonical project, and Canonical has a history of making decisions which are poor for freedom, security, and privacy, which leads me to suspect that even if this package were to be cleaned up for a version in the libre repo, it might still have other issues.

#4

Updated by bill-auger 7 months ago

  • Parent task set to #1035
#5

Updated by Zuss 7 months ago

Sure Canonical may make some bad decisions and whatnot but I don't see anything majorly wrong with LXC/LXD itself (currently) that would warrant a blacklist.

The main concern is that by default it does include Canonicals servers for the images they build (that consist of non fully free distros), which users can use to create their containers.

Quoted from the FSDG

Nor should the distribution refer to third-party repositories that are not committed to only including free software

One can modify the installation to not include such servers by default and instead let the user create their own images, or rather find a different server that does intend on providing only free software images. But nothing would stop them from adding servers that do contain non fully free images unless one were to create and maintain a blacklist of servers. Even at that, they can create their own images with non-free software. Up to how far is Parabola responsible for the users choice of images?
I would like to think at best we get rid of the default servers so then the user will either wonder why those servers aren't included or they'll go about their own way to build the images.

As for creating images with one command, that is the intended purpose of LXD to help streamline that process. The only users allowed to create a container are those added to the "lxd" group or the root user. By default all containers are unprivileged as well unless explicitly configured to be privileged.

Also available in: Atom PDF