On Mon, 26 Jun 2023 21:00:35 -0400 Richard wrote:
> > - a slight variation to that, would be to curate
> > libre-only repositories for each package manager, and hard-code that URL, so
> > that the user needs not to define one
>
> That would be adequate, but in some cases could be a gigantic job.
it would be a gigantic job in _all_ cases, guaranteed - first identifying the potential good set according to the license declared as metadata (if any is declared), then collecting those, and hosting them, is the least of the effort - that could perhaps be mostly automated - but each of those many thousands of packages should be audited, to ensure that the declared license is correct (if any is declared) and that the code-base itself is licensed properly, contains no blobs, and so on - rough estimate: a minimum of one hour per package, times thousands of packages, for each of dozens of repositories

therefore, it would be wise to classify and prioritize them all before attempting such a feat - that is the purpose of the table on the parabola ticket

On Mon, 26 Jun 2023 21:00:35 -0400 Richard wrote:
> You may have the attention capacity available to think about each one
> in parallel, but I don't. It is useful for you to accumulate
> information about them all.

that table was not to consider any specifically - it was to abstract the general properties they all have in common, and to itemize and rank the possible solutions, which are applicable to all - it was not necessary to investigate any of them, in order to make that table of options

we have yet to accumulate much information on any of them, and we have only applied any solution to three of them so far, each among the simplest, but least satisfying solutions - namely: get rid of it entirely, or null its default search/download URL

rather than handle any one of them independently, they all could be investigated and evaluated in stages - that would help to prioritize the most important vs the most demanding ones

the only analysis that was done so far (call this stage 1), is that i read the policies of a few of the more popular ones - that was only to classify them as having a strong, weak, or absent licensing policy - only one (haskell cabal) had a strong libre-only licensing policy; so we can eliminate that one for all subsequent stages

the next phase is to determine if the client has access to the declared license in the metadata, before downloading - if so, that one would qualify for the hacking treatment (filter search results and downloads, based on the declared license) - that is relatively simple but a weak solution; because none of those packages would be audited - the declared license could easily be incorrect, because most of these repos accept anonymous uploads, which are not vetted in any way

however, precisely _how_ to implement that filter is not important at this stage, only that it is a candidate for that sort of treatment - all of these tools are free software; so we know that it is possible _somehow_

once they are all classified by their applicable treatments, they could be prioritized by importance, and the actual work could begin

if the client does not have access to the license metadata, then depending on its importance, it could get the null URL treatment, or be ejected from libre-land entirely, or a greatly more time-consuming approach would be needed to rescue it

if ejecting rust, for example, is the only feasible option, and if doing so breaks every rust program in existence, then i guess every rust program needs to be ejected too; because i seriously doubt that we are going to accomplish the complete repo reconstruction necessary to rescue the worst of those programs

i am much more in favor of first identifying which of those programs are amenable to the most and least feasible treatments, rather than to focus on any one without that foreknowledge; because frankly, i don't see any of them as important enough to prioritize blindly
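As an added illustration (not code from this thread, Parabola, or any package manager), the kind of declared-license filter the message calls the "hacking treatment", in Python: a package is admitted only when its declared SPDX expression has an alternative made entirely of allowlisted libre licenses, and an absent or unparseable declaration is reported as unknown rather than allowed. The allowlist, the `Package` shape, and the sample index are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed allowlist of SPDX identifiers the distribution accepts as libre
# (illustrative; a real deployment would curate this list deliberately).
LIBRE_LICENSES = {
    "GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
    "LGPL-2.1-or-later", "LGPL-3.0-or-later", "AGPL-3.0-or-later",
    "MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "MPL-2.0", "ISC",
}

@dataclass
class Package:
    name: str
    version: str
    license: Optional[str]   # declared SPDX expression, or None if absent

def parse_flat_spdx(expr: str) -> List[List[str]]:
    """Parse flat SPDX expressions (no parentheses): 'A OR B AND C' becomes
    [['A'], ['B', 'C']] - a list of alternatives, each a conjunction."""
    return [[t.strip() for t in alt.split(" AND ") if t.strip()]
            for alt in expr.split(" OR ")]

def verdict(pkg: Package) -> str:
    """'allow' when some declared alternative is made entirely of allowlisted
    licenses; 'unknown' when nothing is declared or the expression uses
    grouping this parser does not handle (fail closed); 'block' otherwise."""
    expr = (pkg.license or "").strip()
    if not expr or "(" in expr or ")" in expr:
        return "unknown"
    for conj in parse_flat_spdx(expr):
        if conj and all(lic in LIBRE_LICENSES for lic in conj):
            return "allow"
    return "block"

def filter_index(pkgs: List[Package]) -> Dict[str, List[str]]:
    """Partition an index into three buckets; only 'allow' entries would be
    shown in search results or offered for download."""
    out: Dict[str, List[str]] = {"allow": [], "block": [], "unknown": []}
    for p in pkgs:
        out[verdict(p)].append(f"{p.name}-{p.version}")
    return out

# Constructed sample index (not real packages); 'Proprietary-Corp' is a
# made-up non-libre identifier.
SAMPLE_INDEX = [
    Package("foo", "1.0", "MIT"),
    Package("bar", "2.3", "MIT OR Proprietary-Corp"),
    Package("baz", "0.9", "GPL-3.0-or-later AND Proprietary-Corp"),
    Package("qux", "4.1", None),
    Package("quux", "1.2", "(MIT OR Apache-2.0) AND BSD-3-Clause"),
]

if __name__ == "__main__":
    print(filter_index(SAMPLE_INDEX))
```

Because the declaration is unaudited, as the message points out, an "allow" verdict here is only a first filter and says nothing about whether the package contents actually match it.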