Re: Starting a Quality Assurance Meeting/Team/Sociocracy circle
Hi Chris, On Wed, Jun 19 2024, Christopher Baines wrote: > Any [...] volunteer members? If after the dust settles there is still space for one more, I'd be happy to participate as a trainee. Kind regards Felix
Rust-team branch status?
Hi Guixers, I want to update the Librewolf package, but it now depends on Rust >= 1.76, which is newer than what's in master. I see the rust-team branch has versions up to 1.77 — is there a timeline for merging that, or a TODO list of things that need to be done to merge it? I'm not sure if I can help there, but would rather direct efforts towards getting rust updated than patching Librewolf to build with older versions.
Re: Next Steps For the Software Heritage Problem
Hi, On Thu, 20 Jun 2024 at 19:42, Dale Mellor wrote: > I'm sure guix lint tried to push my code out to them the last time I > tried. Yes, it’s the checker ’archival’. Therefore, running “guix lint -x archival” does not send any request to SWH. Cheers, simon
Re: Next Steps For the Software Heritage Problem (Dale Mellor)
> Date: Wed, 19 Jun 2024 09:36:29 +0100 > From: Dale Mellor > I use Guix as a tool to develop my own projects, private and > personal for reasons I'm keeping to myself. As part of that I write package > definitions for them, and use the Guix machinery to build and test. I > *cannot* > have Guix just giving my code away to anybody, that is just fundamentally > wrong. > If you release software as free software, you are giving away software, to anybody and everybody. > We need to ask what is Guix? A free operating system, a framework for > developing free operating systems, or a more generic tool for software > development and deployment? If the latter it *cannot* do nefarious things > without explicit consent. Guix is a free operating system _and_ a generic tool for software development and deployment. It makes no sense to say it does nefarious things without explicit consent. Just like you cannot try to prohibit GNU Make from being used to do nefarious things like building malware. You cannot place usage restriction on free software. > > I think at least there should be a /restricted/ license type available to > package definitions, and the system absolutely should not give source code > away > from packages which use this (of course, they won't get into the official > distribution, but that's fine). > How can you restrict others from posting links to your content, as what essentially package definitions in Guix are. > More broadly, I think they should just stop inter-operating with SH. Just > walk away. > > Dale
Re: Next Steps For the Software Heritage Problem
Am Thu, Jun 20, 2024 at 10:59:41PM +0200 schrieb Ekaitz Zarraga: > For this specific case we could add some flag to the command line like > `--do-not-archive` or something like that. guix lint -x archival if I understand "guix lint --help" correctly. Andreas
Re: Next Steps For the Software Heritage Problem
Hi, On 2024-06-20 22:54, Andreas Enge wrote: Am Thu, Jun 20, 2024 at 07:42:44PM +0100 schrieb Dale Mellor: I'm sure guix lint tried to push my code out to them the last time I tried. Ah indeed, there is this in guix/lint.scm: (define (check-archival package) "Check whether PACKAGE's source code is archived on Software Heritage. If it's not, and if its source code is a VCS snapshot, then send a \"save\" request to Software Heritage. It potentially calls this: (define (save-package-source package) "Attempt to save the source of PACKAGE on SWH. Return a list of warnings." Which calls this from swh.scm: (define* (save-origin url #:optional (type "git")) "Request URL to be saved." (call (swh-url "/api/1/origin/save" type "url" url) json->save-reply http-post*)) So it does not push code, but a URL from which the code can be downloaded. Thus it requires the code to be available from the Internet; local code is "safe" from SWH. Now I do not know what will happen if you save your code as a git repository at a hidden URL. For instance, does SWH check the license? I would hope so. There is documentation of this feature here: https://archive.softwareheritage.org/api/1/origin/save/doc/ which says this: Depending of the provided origin url, the save request can either be: - immediately accepted, for well known code hosting providers like for instance GitHub or GitLab - rejected, in case the url is blacklisted by Software Heritage - put in pending state until a manual check is done in order to determine if it can be loaded or not So I suppose that if you submit a hidden, but publicly available URL pointing to non-free code, the request will be "put in pending state", manually checked and rejected, and maybe the URL added to the blacklist. Andreas For this specific case we could add some flag to the command line like `--do-not-archive` or something like that. WDYT?
Re: Next Steps For the Software Heritage Problem
Am Thu, Jun 20, 2024 at 07:42:44PM +0100 schrieb Dale Mellor: > I'm sure guix lint tried to push my code out to them the last time I tried. Ah indeed, there is this in guix/lint.scm: (define (check-archival package) "Check whether PACKAGE's source code is archived on Software Heritage. If it's not, and if its source code is a VCS snapshot, then send a \"save\" request to Software Heritage. It potentially calls this: (define (save-package-source package) "Attempt to save the source of PACKAGE on SWH. Return a list of warnings." Which calls this from swh.scm: (define* (save-origin url #:optional (type "git")) "Request URL to be saved." (call (swh-url "/api/1/origin/save" type "url" url) json->save-reply http-post*)) So it does not push code, but a URL from which the code can be downloaded. Thus it requires the code to be available from the Internet; local code is "safe" from SWH. Now I do not know what will happen if you save your code as a git repository at a hidden URL. For instance, does SWH check the license? I would hope so. There is documentation of this feature here: https://archive.softwareheritage.org/api/1/origin/save/doc/ which says this: Depending of the provided origin url, the save request can either be: - immediately accepted, for well known code hosting providers like for instance GitHub or GitLab - rejected, in case the url is blacklisted by Software Heritage - put in pending state until a manual check is done in order to determine if it can be loaded or not So I suppose that if you submit a hidden, but publicly available URL pointing to non-free code, the request will be "put in pending state", manually checked and rejected, and maybe the URL added to the blacklist. Andreas
Re: Starting a Quality Assurance Meeting/Team/Sociocracy circle
Hello Chris, Am Wed, Jun 19, 2024 at 04:26:26PM +0100 schrieb Christopher Baines: > I know nothing about Sociocracy, but I did like what I heard about it at > the Guix Days, so I want to at least work out what a minimally viable > circle around this would look like, and whether there's support for > setting one up. an excellent initiative, please count me in! > I think the domain of responsibility would include: > ... All this makes perfect sense. I would like to include that we should write documentation for the Guix Build Coordinator and all its related projects, which will help us spread the maintenance load. > The final thing is to have some regular meeting, ideally a less than 30 > minute voice or video call every month, which would be about discussing > and making decisions on things in this area. If no one else wants to > organise this bit, I can commit to organising the meetings initially. I do not wish to organise in the sense of leading the discussion, but we could use my BigBlueButton conference room at Aquilenet. Andreas
Re: Next Steps For the Software Heritage Problem
On Thu, 2024-06-20 at 19:00 +0200, Andreas Enge wrote: > Am Wed, Jun 19, 2024 at 09:36:29AM +0100 schrieb Dale Mellor: > > No, it's not. I use Guix as a tool to develop my own projects, private > > and > > personal for reasons I'm keeping to myself. As part of that I write package > > definitions for them, and use the Guix machinery to build and test. I > > *cannot* > > have Guix just giving my code away to anybody, that is just fundamentally > > wrong. > > Is there a misunderstanding here? The Guix software framework does not > communicate software that you work on to outsiders. I'm sure guix lint tried to push my code out to them the last time I tried.
Re: Come watch a live stream coding session for the Hurd
Am Thu, Jun 20, 2024 at 06:45:26PM +0200 schrieb Tobias Alexandra Platen: > I'm planing to do something similar with my libsurvive project, > as I am developing hardware that "Respects Your Freedom". I will > present how I use guix in some of those livestreams. Great, please share the venue and schedule on this channel once you have more details! Andreas
Re: Next Steps For the Software Heritage Problem
Am Wed, Jun 19, 2024 at 09:36:29AM +0100 schrieb Dale Mellor: > No, it's not. I use Guix as a tool to develop my own projects, private and > personal for reasons I'm keeping to myself. As part of that I write package > definitions for them, and use the Guix machinery to build and test. I > *cannot* > have Guix just giving my code away to anybody, that is just fundamentally > wrong. > > I think at least there should be a /restricted/ license type available to > package definitions, and the system absolutely should not give source code > away > from packages which use this (of course, they won't get into the official > distribution, but that's fine). Is there a misunderstanding here? The Guix software framework does not communicate software that you work on to outsiders. As I understand it, SWH looks at the Guix packages that are publicly available in the Guix git repo, and then archives the corresponding source code of these packages. By definition, this is free software (otherwise we would not package it), and available from elsewhere on the Internet (the "uri" part of the "source" field). So I think Guix does not actually do anything in this context, and all this discussion is moot. (Well, I suppose we may encourage SWH to archive these sources, and am personally very much in favour of it; but they do not need us for archiving the sources.) The goal of SWH is to archive all free software in the world, and if you want to prevent your software from appearing in their collection, the only reliable solution is to not publish it as free software (which apparently is your approach, Dale, for the software you are talking about). Andreas
Re: Come watch a live stream coding session for the Hurd
I'm planing to do something similar with my libsurvive project, as I am developing hardware that "Respects Your Freedom". I will present how I use guix in some of those livestreams.
Re: Next Steps For the Software Heritage Problem
On Tue, 2024-06-18 at 07:19 -0700, Ian Eure wrote: > Hi MSavoritias, > > Thank you for the email. > > I’m going to lay out this situation as clearly as I can, in the > hope that others will better understand, and hopefully treat it > with the seriousness it deserves. > > 1. Guix requests SWH to archive some source code. This is fine. No, it's not. I use Guix as a tool to develop my own projects, private and personal for reasons I'm keeping to myself. As part of that I write package definitions for them, and use the Guix machinery to build and test. I *cannot* have Guix just giving my code away to anybody, that is just fundamentally wrong. We need to ask what is Guix? A free operating system, a framework for developing free operating systems, or a more generic tool for software development and deployment? If the latter it *cannot* do nefarious things without explicit consent. I think at least there should be a /restricted/ license type available to package definitions, and the system absolutely should not give source code away from packages which use this (of course, they won't get into the official distribution, but that's fine). More broadly, I think they should just stop inter-operating with SH. Just walk away. Dale
Re: Next Steps For the Software Heritage Problem
Hi MSavoritias, all, On Thu, 20 Jun 2024 at 09:51, MSavoritias wrote: >> Not to avoid the question but from a pragmatic point of view, one >> might ask if the source code you write and do not want to be included >> in the training dataset, if this source code is concretely part of >> that training dataset. [...] > Thats all fair and valid. Sadly tho SWH: > - > there is provenance. (unless i start searching > HuggingFace. Being concrete and explicit, could you please share: 1. Which part of your code is included in the pretraining dataset? It’s easy, you can copy/paste a snippet and it returns the location from where it comes from. https://huggingface.co/spaces/bigcode/search-v2a 2. What is your code that is included in SWH archive? Again, it’s easy: checkout some commit of your repository, then inside this repository, you can run: echo "https://archive.softwareheritage.org/swh:1:dir:$(guix hash -S git -f hex -H sha1 .)" Do not miss the ’.’ (dot) once entering the repository. This command returns SWHID. Other said, using this identifier, you might know if the repository is stored by SWH. (Be careful with temporary artifacts as .go files or else.) Or you can also check for one specific content: $ echo "https://archive.softwareheritage.org/swh:1:cnt:$(guix hash -S git -f hex -H sha1 COPYING)" https://archive.softwareheritage.org/swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2 And the URL display the content of the file COPYING. Here GPL 3 license for instance. 3. Where such source code from #2 and #3 is packaged by Guix? That said, if the source is hosted on GitHub or GitLab.com or SourceHut or CodeBerg or some other popular forges or even mirrored without your consent on one of these, please consider that your code had been ingested by ChatGPT without any mean to verify. Obviously, that’s not an argument to accept the situation with HuggingFace and I understand that you do not want that your publicly release copyleft source code could be reused by any LLM. However, as said several times, rooting this willing of non-inclusion is larger than your own willing once you publicly released such source code under some copyleft license. I hope we agree on that. Again, I am not trying to avoid something. And again, we all have heard your points. Nothing is ignored. To my knowledge, the path forward is not yet well-defined. Since we are discussing at length with various different inputs, it means that a common understanding and/or opinion does not seem obvious. >> Well, I do not know if the outcome will be aligned with your current >> opinion, but be sure that your concerns as the others raised by Guix >> community members are taking into account. > > Thank you for giving me an honest and detailed answer. I feel you are pushy on the topic and for what my opinion is worth, it is not helpful to raise again and again that you want a way to opt-out. Yeah, people got it. :-) And you are probably not alone, I guess. It would help if you could provide a source code that your wrote and answer the three criteria above: included in pretraining dataset, included in SWH, packaged by Guix. I do not have special information from SWH but I am sure SWH people are working on the topic. And again, maybe the outcome will not be aligned with your opinion. Another story. Now, the other question you ask to Guix: do we continue to help SWH in harvesting? You propose to stop, IIUC. Ok, we got it, too. :-) From my point of view, the path forward is not to speak on the abstract but to root on concrete numbers; it would help in bounding what we are speaking about. Concretely, if you would like to be able to opt-out, could you point: 1. the piece from the Guix source code you are the author? 2. source code you are the author that is packaged by Guix? Again, I am not trying to avoid the discussion. Instead, I would prefer to root the discussion on concrete examples. Then it would appear to me easier to make progress. As Greg or Ekaitz also wrote: opting out has implications on the meaning of freedom behind “free software“. IMHO, that’s not because we would like to opt-out that we could, would be able to or allowed to. Therefore, instead of holding opinions on the abstract, let try to make progress and start on the concrete: which piece of source code are we speaking about? Cheers, simon
Re: Next Steps For the Software Heritage Problem
Hi, On 2024-06-20 08:36, MSavoritias wrote: On Wed, 19 Jun 2024 17:46:08 +0200 Ekaitz Zarraga wrote: On 2024-06-19 12:25, raingl...@riseup.net wrote: On 2024-06-19 11:54, Efraim Flashner wrote: On Wed, Jun 19, 2024 at 12:13:38PM +0300, MSavoritias wrote: ... One of our packages, dbxfs, left Github a while ago and continued development on a different forge. They adjusted their README to disallow hosting of their code on Github. Based on this restriction we have labeled later versions of the software as non-free and have not updated the package. IMO saying that source code cannot be uploaded to SWH would fall into the same category. No wonder more and more people are growing dissatisfied with the free software movement. Hey Ekaitz, Please remember two things in the context of all of this: 1. Guix is not a software entity but it is made of people that want a safer, collaborative space to create things. These things may be code, a blog post or anything else as part of guix. Even a social network account. I am saying this because you only talked about Free Software in your message and not about people or different contexts. And we are talking about people here. Not code. Code is not alive. I was specifically talking about the Free Software issue raised by Efraim and the message by Raingloom. And exactly what you point out is what I wanted separate as you very well did. Now we are talking about the people and about how things affect people, and that's a different matter I'm going to tackle below. 2. You seem to imply that Free Software or code is apolitical. (in the sense of social or state politics not) Which it is not. Nothing is. For example Free Software is explicitly pro-capitalist and pro-Google/big companies. I am not saying I disagree, but its good to keep in mind that politics exist and do exist always. And in the case I'm not one of those people that think everything is politics but that's not a debate I want to open. Free Software can be understood from many ways. I don't think it's pro-capitalist, but pro-freedom, but that freedom affects the capitalists too, and it's a *value* they have. But freedom is also an anarchist value, and it can be an anti-capitalist value too it becomes more politic when you put more things around it. The issue I was trying to point is Free Software attracts many people from many different backgrounds and politics, and trying to push for one side defeats its purpose: making people stay together because they have some shared value. There are many valid reasons why someone might criticize the Free Software movement and people behind it, but making free software only has 4 simple rules. If you don't comply with them you are not free software anymore. It's as simple as that, and that simple it should be. Free Software gives me the FREEDOM to print the code, make a roll with it and shove it up my ass if I want to (and even distribute my modified copies for other people to do so). The same freedom I have to upload it to github. If you prevent me from doing one or the other you are restricting my freedom and that's defeating the purpose of free software and we cannot consider your code free software anymore. The line is clear, and trying to pretend to be free software while restricting people's freedoms (regardless of what they are) is absurd. This is missing the context that GPL does indeed restrict people's freedom to license code as the see fit. Because it was written to further the political goals of FSF. It is on purpose. So we are already restricting the freedom of people to do what they want on purpose. It does restrict your freedom but only if your goal is restrict other people's software freedom. I'd say the argument here was that GPL provides more absolute freedom in the current world than other licenses but I don't think the GPL was a very easy decision to make for the radical freedom fighters. That's why some people don't like it. And lets not forget "your freedom ends where the other persons freedom begins" and consent of course in the issue at hand. Yes, but I don't think this is a matter Free Software needs to deal with. And my original message was around that. Now, we should do something as a set of people that collaboratively work in a project. Probably not under the Free Software label, because what free software is is already pretty clear and well defined, but as something else, may that be Guix users and contributors, if we wish. The Free Software movement can be labeled (and is often labeled) as a political movement but I'd say it's more of an ethical movement. It's a way to share *values* and the value we share here is freedom. We might or might not share other values, politics, religion or anything, but as long as we put the freedom in the first place we should agree that free software is better than any other software model we have. There are bad actors in the world (say thieves, killers
Re: Next Steps For the Software Heritage Problem
On Wed, 19 Jun 2024 16:41:33 +0200 Simon Tournier wrote: > Hi MSavoritias, all, > > Let me provide more context. > > The concern started couple of months ago, to my knowledge. And > discussion is still on going. So I think that’s incorrect to say “any > result for over 6 months”. Hey Simon, I was talking about the perspective of a guix person that is not part of maintainers or any mailing lists that these discussions are happening. So from my side there hasn't been any updates from SWH or from Guix either for the named issue or the LLM issue. > Moreover, I feel you have a misunderstanding about HuggingFace and SWH > partnership. From the reading of public information, HuggingFace and > BigCode trains on a subset of SWH source code archive. I mean, it is > a snapshot and to my knowledge, they provided the list of source code > that had been used for training. > > Not to avoid the question but from a pragmatic point of view, one > might ask if the source code you write and do not want to be included > in the training dataset, if this source code is concretely part of > that training dataset. > > HuggingFace is not training continuously with source code from SWH. > > And technically, SWH is an archive i.e., the code is not stored hot. > I do not know and I have not read all details by HuggingFace of their > method; i.e., which kind of data they process – independent unique > files, complete repository, etc. What I know is that the piece when > fetching from SWH is named SWH Vault; it requires to “cook” and > prepare all the files that take times, from minutes to days. Thats all fair and valid. Sadly tho SWH: - Doesn't even mention on their website anything about what happens to my code and where. so there is provenance. (unless i start searching HuggingFace. - The email from the director that was sent to me says explicitly that they don't see an issue with it being opt-out after the fact and embrase LLMs usage. So that seems to me that its already in there. > All that to say two key points: > > 1. People behind SWH are well-aware about various sides of the > concerns. As said, they are long-time free software supporters. Be > sure they have eared community concerns. Some discussions are still > pending because as explained, all sides of ethical questions needs to > be cautious. > > Please do not think it is ignored. > > > 2. FWIW, I am in touch with SWH people – among other members from Guix > community. For instance, in order to feed the discussion, Roberto > from SWH pointed to me this blog point by Bruce Perens: > > https://perens.com/2019/10/12/invasion-of-the-ethical-licenses/ > > Well, I do not know if the outcome will be aligned with your current > opinion, but be sure that your concerns as the others raised by Guix > community members are taking into account. Thank you for giving me an honest and detailed answer. I wish I could say this was encouraging but as things currently stand I would like much more transparency about what is actually happening from Guix and SWH. Because currently: - The director seemed completely oblivious to any issues with LLMs or code harvesting without consent. - Efraim seemed to have suggested that there hasn't been any communication and its even offtopic. - Nothing has been written from Guix or SWH publicly about it and there are no mechanisms in place in the short term even to mitigate some of these things. (Which my next steps try to fix when I make the patches in a few weeks) Regards, MSavoritias > Cheers, > simon
Re: Next Steps For the Software Heritage Problem
On Wed, 19 Jun 2024 17:46:08 +0200 Ekaitz Zarraga wrote: > On 2024-06-19 12:25, raingl...@riseup.net wrote: > > On 2024-06-19 11:54, Efraim Flashner wrote: > >> On Wed, Jun 19, 2024 at 12:13:38PM +0300, MSavoritias wrote: > >> ... > >> One of our packages, dbxfs, left Github a while ago and continued > >> development on a different forge. They adjusted their README to > >> disallow hosting of their code on Github. Based on this > >> restriction we have labeled later versions of the software as > >> non-free and have not updated the package. IMO saying that source > >> code cannot be uploaded to SWH would fall into the same category. > > > > No wonder more and more people are growing dissatisfied with the > > free software movement. > > > Hey Ekaitz, Please remember two things in the context of all of this: 1. Guix is not a software entity but it is made of people that want a safer, collaborative space to create things. These things may be code, a blog post or anything else as part of guix. Even a social network account. I am saying this because you only talked about Free Software in your message and not about people or different contexts. And we are talking about people here. Not code. Code is not alive. 2. You seem to imply that Free Software or code is apolitical. (in the sense of social or state politics not) Which it is not. Nothing is. For example Free Software is explicitly pro-capitalist and pro-Google/big companies. I am not saying I disagree, but its good to keep in mind that politics exist and do exist always. And in the case > There are many valid reasons why someone might criticize the Free > Software movement and people behind it, but making free software only > has 4 simple rules. If you don't comply with them you are not free > software anymore. It's as simple as that, and that simple it should > be. > > Free Software gives me the FREEDOM to print the code, make a roll > with it and shove it up my ass if I want to (and even distribute my > modified copies for other people to do so). The same freedom I have > to upload it to github. If you prevent me from doing one or the other > you are restricting my freedom and that's defeating the purpose of > free software and we cannot consider your code free software anymore. > The line is clear, and trying to pretend to be free software while > restricting people's freedoms (regardless of what they are) is absurd. This is missing the context that GPL does indeed restrict people's freedom to license code as the see fit. Because it was written to further the political goals of FSF. It is on purpose. So we are already restricting the freedom of people to do what they want on purpose. And lets not forget "your freedom ends where the other persons freedom begins" and consent of course in the issue at hand. > > The Free Software movement can be labeled (and is often labeled) as a > political movement but I'd say it's more of an ethical movement. It's > a way to share *values* and the value we share here is freedom. We > might or might not share other values, politics, religion or > anything, but as long as we put the freedom in the first place we > should agree that free software is better than any other software > model we have. > > There are bad actors in the world (say thieves, killers or... GitHub > and AI), and we can discuss about how we should deal with them but I > don't think the answer is putting our *values* aside but embrace them > harder (one value, freedom, in our case). Definetily agree. The solution is not to embrace propietary software or restrict software. Its to write down some common social rules that are rooted in consent. > If people is not happy with the Free Software movement because it > puts the freedom first, I can only understand it as people being mad > about Free Software because it's about software. > > For other values, we can start other initiatives I may or may not > agree more with, but if the value is freedom (in software), I don't > think there's any better way to push for it. But trying to disguise > other things inside of the Free Software is kind of dishonest. Fair. I mean we already have CoC and channel descriptions. Idk if we have event guidelines/CoC yet but we should. > I don't know, maybe I'm just a little bit tired. No worries. I think it was very well said. MSavoritias
