Freedom Issue #1035

Updated by bill-auger 11 months ago

From a conversation on the gnu-linux-libre mailing list:

http://lists.nongnu.org/archive/html/gnu-linux-libre/2016-04/msg00070.html
http://lists.nongnu.org/archive/html/gnu-linux-libre/2016-04/msg00116.html

A lot of programming languages have their own package managers: npm (CSS/JavaScript), Bower (Web), pip (Python), RubyGems (Ruby), CPAN (Perl), Cargo (Rust), many more. These things would qualify as "repositories" under the Free System Distribution Guidelines; and most do not limit themselves to only including free software. Until/unless Stallman's ideas of either convincing them to only include free software or develop a free replacement come along, I propose disabling such things in Parabola.

|\6=. *summary of the proposed options:* |
|_.proposal |_.workload[1] |_.intrusiveness[2] |_.disruption[3] |_.effectiveness[4] |_.FSDG-fitness |
| do nothing - continue ignoring it[5] | none | none | none | none | none |
| convince TPPM repos to specify licenses[8] | negligible | none | none | dubious | dubious |
| convince TPPM repos to require libre licenses[6] | negligible | none | none | total | total |
| remove TPPM - do nothing else | negligible | none | total | total | total |
| add a pacman hook to warn during install | negligible | none | none | none | dubious |
| move TPPM to a new 'dubious/dangerous' repo | medium | none | low | partial | dubious |
| disable default URL, make user-configurable[9] | medium | minimal | low | total | total |
| disable the search feature | medium | minimal | medium | total | total |
| filter the search feature[7] (and[8]) | medium | minimal | low | dubious | dubious |
| remove TPPM, accept packaging requests[10] | maximal | none | high | total | total |
| maintain libre repos as a GNU project[6] | maximal | none | none | total | total |

NOTES:

fn1. [1a]: "workload: medium" proposals entail maintaining blacklist replacements for each TPPM, even if unmodified

fn1. [1b]: "workload: maximal" proposals entail the perpetual burden of package curation

fn2. "intrusiveness: minimal" proposals entail patching the clients

fn3. "disruption" how does this proposal impede the user's work-flow

fn4. [4a]: "effectiveness: total" (even if non-free packages are still installable) because those proposals resolve the conflict with the FSDG - namely: they would no longer recommend/suggest/steer-toward non-free

fn4. [4b]: "effectiveness: partial" because TPPMs would be inaccessible by default - the user would need to re-configure pacman, in order to access them

fn4. [4c]: "effectiveness: dubious" because the mechanism would rely entirely on the honor and licensing knowledge of the third-party packager

fn5. "proposal: do nothing" is the current state of things in the liberally-curated FSDG distros, which this ticket aims to address

fn6. "convince TPPM repos to require libre licenses" and "maintain libre repos as a GNU project" are obviously the ideal options; but neither is very likely to happen

fn7. "filter the search feature" may not be possible for some of these - it is not yet known which, if any, expose licensing information via API/metadata

fn8. "convince the TPPM repos to specify licenses" and "filter the search feature" are mutually-dependent

fn9. IMHO, "disable default URL, make user-configurable" has the best chance of being generally acceptable to all (it is our current plan for 'octopi' and 'docker')

fn10. ... although I would prefer "remove TPPM, accept packaging requests" for the language-specific TPPMs

-----

|\4=.known TPPMs: |
|_.TPPM |_.status |_.converter |_.description |
| apm | ? | | Atom (text editor) add-ons package manager |
| asp | blacklisted | | Downloader of ArchLinux build recipes (obsolete) |
| apper | ? | | Package manager using PackageKit |
| bower | ? | | javascript package manager |
| cabal | libre | cblrepo, arch-hs | haskell package manager |
| cargo | non-free | cargo-pkgbuild | rust package manager |
| cpan | non-free | fpm | PERL package manager |
| debootstrap | partially-fixed | | Downloader of OS images |
| docker | partially-fixed | | Downloader of OS images |
| dub | ? | | D package manager |
| flatpak | maybe-libre | | Package manager for arbitrary software |
| fusesoc | ? | | Package manager for FPGA/ASIC development |
| lxc/lxd | non-free | | Downloader of OS images |
| helm | ? | | The Kubernetes Package Manager |
| nimble | ? | | nim package manager |
| npm | ? | nodejs-npm2arch | javascript package manager |
| nuget | ? | | dotnet package manager |
| ocaml-findlib | ? | | OCaml package manager |
| opam | ? | | OCaml package manager |
| pecl | non-free | | PHP package manager |
| pip | blacklisted | pipman-git, pip2arch-git, python-pypi2pkgbuild | python package manager |
| rpm-tools | ? | | RPM Package Manager |
| rubygems | blacklisted | gem2arch, pacgem | ruby package manager |
| shards | ? | | Crystal package manager |
| sn0int | ? | | Semi-automatic OSINT framework and package manager |
| guix | ? | | Package manager for arbitrary software |

NOTES:
* 'libre' indicates that the repo has a libre-only licensing policy
* 'non-free' indicates that the repo has non-free or no licensing policy
* this list does not include the "in-app" downloaders such as kodi, emacs, and many games, though these are relevant
