Re: Spam message when using CVS for webpages

2023-11-08 Thread Alfred M. Szmidt
   I join our fellow colleagues asking to remove this license
   advertisement as being harmful to the primary function of the site.

So time to do that... Please.









Re: Spam message when using CVS for webpages

2023-10-20 Thread Ineiev
On Wed, Oct 18, 2023 at 02:04:11PM -0400, Ian Kelling wrote:
> 
> I definitely admire the ingenuity to offer source code in more
> places. However, I'm pretty confident Savannah webpages are a sufficient
> place to satisfy the AGPL requirement of offering source, and adding
> output like this to command line operations where the only expected
> output is information related to the operation is undesirable for
> various reasons and will very likely cause breakage for scripts and
> tools which make calls to Savannah.

I'm aware that it interfered with Karl's scripts; I'm also aware
that it works fine with GNUN scripts, the scripts updating
www.gnu.org pages and Emacs-to-CVS interface, so I wouldn't say it's
really very likely to break tools.

The modified script has been running for a month on vcs1
and for over four months on download0; it can wait for a day or two
for rms' clarifications. We seldom have such opportunities to gather
users' feedback; they occur much more rarely than, say, the fundraiser.




Re: Spam message when using CVS for webpages

2023-10-20 Thread Ineiev
On Thu, Oct 19, 2023 at 11:04:42AM +, Ineiev wrote:
> I can think of adding a command like 'offer-source' to sv_membersh,
> with a message on the page where the users register their SSH keys.
> That would reasonably guarantee the awareness for the new users,
> but the existing users rarely change their SSH keys. Clearing all
> SSH keys in Savannah would make Savannah admins unable to use them
> for recovering lost accounts. Of course, we could save a reserved
> copy, but the need for the users to re-fill their keys would alone
> be quite annoying.

Historically, AGPLv1 (created by Affero and approved by the FSF [0])
only required ([1], Section 2d) that existing opportunities
to request transmission of the source code be preserved.  AGPLv3
Section 13 [2] removed that condition and said that any modified
version must offer the corresponding source code.

So I wonder what the AGPL author's intention was:

* Is this kind of indirection acceptable at all?  I mean,
  technically, it wouldn't be the script that prominently offers all
  its users the source code, but the directions on how to get
  the source code are placed at the web page where keys needed
  to use that script are registered.

* Is it acceptable to only notify new users and those who update
  their registered keys?  If yes, we could avoid forcing all
  Savannah users to re-register their keys just to make sure they saw
  the notice about how to get the source code.

[0] https://www.gnu.org/licenses/license-list.html#AGPLv1.0
[1] https://directory.fsf.org/wiki/License:AGPL-1.0-only
[2] https://www.gnu.org/l/agpl-3.0.txt




Re: Spam message when using CVS for webpages

2023-10-19 Thread Ineiev
On Thu, Oct 19, 2023 at 11:21:43AM +0100, Gavin Smith wrote:
> 
> Also, if sv_membersh is copyrighted to the FSF a simple solution would
> be relicensing it to avoid this requirement.

No, it isn't.



Re: Spam message when using CVS for webpages

2023-10-19 Thread Ineiev
On Thu, Oct 19, 2023 at 11:16:06AM +0100, Gavin Smith wrote:
> 
> I proposed that the program could offer the source via some kind of
> messaging service on the Savannah web portal that users would be
> guaranteed to be aware of and have access to, in order to satisfy the
> AGPL requirements. There could be an entry in the side menu like
> "Automatic notices" along with the number of unread notices.
> 
> sv_membersh together with what helper scripts or programs are
> providing the notifications would be considered a single unit that is
> providing its notifications in accordance with the AGPL.

First, Savane has no messaging service, it relies on email;
more important, I'm not sure how to guarantee the awareness.

sv_membersh could send the offer via email, but then it would have
to depend on that additional service (if I'm not mistaken, hosts
like download0 currently don't use it); then, having emails
on every VCS network transaction wouldn't be better than what we
have now.

I can think of adding a command like 'offer-source' to sv_membersh,
with a message on the page where the users register their SSH keys.
That would reasonably guarantee the awareness for the new users,
but the existing users rarely change their SSH keys. Clearing all
SSH keys in Savannah would make Savannah admins unable to use them
for recovering lost accounts. Of course, we could save a reserved
copy, but the need for the users to re-fill their keys would alone
be quite annoying.




Re: Spam message when using CVS for webpages

2023-10-19 Thread Gavin Smith
> On Thu, Oct 19, 2023 at 10:57 AM Ineiev  wrote:
> >
> > In contrast, sv_membersh is distributed under the AGPL; now,
> > the AGPL does include the same provisions, but also adds Section 13
> > requiring that our modified version prominently offer all users
> > interacting with it remotely an opportunity to receive
> > the corresponding source of our version; and AGPL Section 13 has
> > nothing like "you needn't make it do so if it doesn't."

Also, if sv_membersh is copyrighted to the FSF a simple solution would
be relicensing it to avoid this requirement.



Re: Spam message when using CVS for webpages

2023-10-19 Thread Gavin Smith
On Thu, Oct 19, 2023 at 10:57 AM Ineiev  wrote:
>
> In contrast, sv_membersh is distributed under the AGPL; now,
> the AGPL does include the same provisions, but also adds Section 13
> requiring that our modified version prominently offer all users
> interacting with it remotely an opportunity to receive
> the corresponding source of our version; and AGPL Section 13 has
> nothing like "you needn't make it do so if it doesn't."

I proposed that the program could offer the source via some kind of
messaging service on the Savannah web portal that users would be
guaranteed to be aware of and have access to, in order to satisfy the
AGPL requirements. There could be an entry in the side menu like
"Automatic notices" along with the number of unread notices.

sv_membersh together with what helper scripts or programs are
providing the notifications would be considered a single unit that is
providing its notifications in accordance with the AGPL.



Re: Spam message when using CVS for webpages

2023-10-19 Thread Ineiev
On Wed, Oct 18, 2023 at 01:15:30PM -0600, Bob Proulx wrote:
> Ineiev wrote:
> > Savane is the free software hosting system savannah.gnu.org runs.
> >
> > sv_membersh is the restricted shell used as the login shell for Savane users
> > when they connect via SSH.
> >
> > Savane is released under the AGPL; offering the corresponding source code
> > is a requirement of the AGPL.
> 
> I spent some time looking at this issue and my assessment is that
> sv_membersh is only a peripheral part of Savannah at best.  It isn't
> needed for Savannah to operate.  It's a security gate that we use to
> protect the host from potentially malicious activity or potentially
> accidental harm.

I can't see why this matters. What matters is the fact that we use
it. Since we use it, we must comply with its license.

> It does not need to be savane software and might be
> any suitable component program.

Only part of the message depends on this, the one saying it's part
of Savane. If it were part of Giungla, it would say, "sv_membersh is
part of Giungla."

> Even though Savannah as a whole is distributed under the AGPL Savannah
> makes use of many programs which are licensed under other licenses
> such as the other various GPL versions and other permissive licenses.

I feel that as expressed, this mixes Savane, the package we maintain
in the Savannah 'administration' group, and Savannah, the set
of services the GNU Project provides. We don't distribute Savannah,
and it is based on a few separate programs, each with its own
licensing terms.

> That the whole of Savannah is available under the AGPL does not make a
> requirement that every component used in Savannah be forced into the
> AGPL.

No, but sv_membersh and the Savane Perl modules it uses
were released under the AGPL, and we both jointly can't
just reconsider that decision.

> For example GNU ls does not emit its license upon every invocation.
> That would interfere with its primary function.  But ls will emit its
> license information when this is asked for with ls --version.

GNU ls is distributed under the GPL, and what you are speaking
about is covered by the GPLv3 Section 5d, which explains that
the legal notices may be accessible via a prominent item
in the list of options the interface presents, and moreover,
when an interactive interface doesn't display the notices,
the licensee isn't required to make it display them.

In contrast, sv_membersh is distributed under the AGPL; now,
the AGPL does include the same provisions, but also adds Section 13
requiring that our modified version prominently offer all users
interacting with it remotely an opportunity to receive
the corresponding source of our version; and AGPL Section 13 has
nothing like "you needn't make it do so if it doesn't."




Re: Spam message when using CVS for webpages

2023-10-18 Thread Bob Proulx
Ineiev wrote:
> Savane is the free software hosting system savannah.gnu.org runs.
>
> sv_membersh is the restricted shell used as the login shell for Savane users
> when they connect via SSH.
>
> Savane is released under the AGPL; offering the corresponding source code
> is a requirement of the AGPL.

I spent some time looking at this issue and my assessment is that
sv_membersh is only a peripheral part of Savannah at best.  It isn't
needed for Savannah to operate.  It's a security gate that we use to
protect the host from potentially malicious activity or potentially
accidental harm.  It does not need to be savane software and might be
any suitable component program.

Even though Savannah as a whole is distributed under the AGPL Savannah
makes use of many programs which are licensed under other licenses
such as the other various GPL versions and other permissive licenses.
That the whole of Savannah is available under the AGPL does not make a
requirement that every component used in Savannah be forced into the
AGPL.

For example in Savannah cron is used.  If that were true then it would
be required to re-license cron from GPLv2+ to the AGPL.  Savannah uses
git and git is licensed under the GPLv2.  Savannah uses Subversion, which is
licensed under the Apache-2.0 license.  And so on and so forth.
Simply using these components does not require that the license always
be advertised.

For example GNU ls does not emit its license upon every invocation.
That would interfere with its primary function.  But ls will emit its
license information when this is asked for with ls --version.

I join our fellow colleagues asking to remove this license
advertisement as being harmful to the primary function of the site.

Thanks!
Bob



Re: Spam message when using CVS for webpages

2023-10-18 Thread Andreas Schwab
On Oct 18 2023, Ian Kelling wrote:

> I definitely admire the ingenuity to offer source code in more
> places. However, I'm pretty confident Savannah webpages are a sufficient
> place to satisfy the AGPL requirement of offering source, and adding
> output like this to command line operations where the only expected
> output is information related to the operation is undesirable for
> various reasons and will very likely cause breakage for scripts and
> tools which make calls to Savannah.

I think the message should only be printed when accessing the server
interactively.  While Savannah servers are not meant for interactive
use, you _can_ access them with plain ssh, which gives you the login
banner, and adding the blurb from sv_membersh here would not disturb any
valid use.

-- 
Andreas Schwab, sch...@linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510  2552 DF73 E780 A9DA AEC1
"And now for something completely different."



Re: Spam message when using CVS for webpages

2023-10-18 Thread Ian Kelling


Ineiev  writes:

> The problem is, we don't deploy exactly the same version for all
> Savannah hosts at once, we update them one by one, so you hardly
> would be able to tell which Git commit corresponds to software
> running on the particular host; this feature makes sure the users
> can download the right version.

I definitely admire the ingenuity to offer source code in more
places. However, I'm pretty confident Savannah webpages are a sufficient
place to satisfy the AGPL requirement of offering source, and adding
output like this to command line operations where the only expected
output is information related to the operation is undesirable for
various reasons and will very likely cause breakage for scripts and
tools which make calls to Savannah.

For the problem of different machines having different source, the link
for source at the bottom of savannah webpages could say something like:

"Savannah source repository is here: http://. Savannah is split onto
several machines, and the code running on some machines can lag behind
what is in our repository. Here is how to get the exact versions being
run:

To get the source code on the machine handling cvs requests, run

rsync -avz --cvs-exclude ga...@cvs.savannah.nongnu.org:/opt/src/savane .

To get the source code on the machine doing X, run ... (fill in more
here)"

Especially because this is likely to break other tools and annoy people,
I think it should be reverted until there is some consensus among
savannah hackers on the right solution.



Re: Spam message when using CVS for webpages

2023-10-18 Thread Gavin Smith
On Wed, Oct 18, 2023 at 03:32:44PM +, Ineiev wrote:
> On Wed, Oct 18, 2023 at 03:46:55PM +0100, Gavin Smith wrote:
> > I am trying to update a project's webpages after a new release, but
> > every time I issue a cvs command the message is printed:
> > 
> > > sv_membersh is part of Savane.
> > > In order to download the corresponding source code of Savane, run
> > > 
> > >   rsync -avz --cvs-exclude ga...@cvs.savannah.nongnu.org:/opt/src/savane .
> > 
> > I don't know what sv_membersh or Savane is or why I should care.
> 
> Savane is the free software hosting system savannah.gnu.org runs.
> 
> sv_membersh is the restricted shell used as the login shell for Savane users
> when they connect via SSH.
> 
> Savane is released under the AGPL; offering the corresponding source code
> is a requirement of the AGPL.
> 
> Do you think the message should elaborate on these points?

I don't know; if it is truly a requirement of the AGPL then it could be
more clear that this is why the message is being printed.  It looks too
much like an error message.  Maybe it could be prefixed with
"Affero GPL notice: "?

I had never chosen to run "sv_membersh" - the command I was running was
"cvs".  The fact that messages are being printed with details about
internal workings make it look like something is broken.  Even if it
uses SSH internally, I am not really thinking about SSH when I run cvs.

Perhaps the message could also contain clear instructions on how to turn
it off, too.

> The problem is, we don't deploy exactly the same version for all
> Savannah hosts at once, we update them one by one, so you hardly
> would be able to tell which Git commit corresponds to software
> running on the particular host; this feature makes sure the users
> can download the right version.

Could you put instructions on the Savannah web portal for checking
versions of software and getting corresponding source code for different
hosts, which users could refer to instead of sending them the message?

I am not familiar with the Affero GPL but I looked at section 13
("Remote Network Interaction") (at
https://www.gnu.org/licenses/agpl-3.0.en.html).

"... your modified version must prominently offer all users interacting
with it remotely through a computer network (if your version supports
such interaction) an opportunity to receive the Corresponding Source of
your version"

I don't know if I really could have been said to be "interacting" with
sv_membersh.  It was running as a back-end service for one-off commands
that I was running from the command line.

Another suggestion is to ensure that anybody running these command line
commands also has access to the Savannah web portal.  Then the "offer"
could be provided through the web portal, rather than by printing
output to the terminal.

> > Can this unnecessary and annoying message please be removed?
> 
> You can disable that message in your Savannah account configuration
> (the 'Quiet SSH member shell' checkbox).

Thanks, I will do that.





Re: Spam message when using CVS for webpages

2023-10-18 Thread Corwin Brust
On Wed, Oct 18, 2023 at 10:07 AM Gavin Smith wrote:

> On Wed, Oct 18, 2023 at 09:56:17AM -0500, Corwin Brust wrote:
> > Thanks for raising this issue.  FWIW it has also been brought up by
> > others.  We are planning on discussing with FSF today, at the regular
> > "volunteers" meeting, where most weeks svh and fsf sysop staff connect.
> >
> > We'll update you assuming this topic does get discussed and there is some
> > conclusion to share (or when there is).
> >
> > Kind regards,
> > Corwin
>
> That's good to hear!  Thank you for your quick response.
>

Hi Gavin,

I wanted to write back just to quickly confirm that this was discussed with
FSF staff.  Per my understanding, I believe others of the Savannah Hackers
are planning to weigh in on this discussion as well.  (If that happens in
another thread/ticket I'll be sure to CC you if I spot you in the
copy-trail.)

I also plan to make another reply myself to clarify my own position
(granted, as the newest member of the team), in brief: that this
notification is above and beyond the plain requirements of hosting an AGPL
program and should be either removed/rolled-back or else perhaps we could
consider setting the QUIET flag en masse.

Meanwhile, as the team works to invite discussion and socialize a
consensus, I think Ineiev has already provided instruction for turning this
off within the Savannah web interface. Don't hesitate to reach out if you
have any trouble with that or other thoughts you may have.

Thanks again for writing.
Corwin


Re: Spam message when using CVS for webpages

2023-10-18 Thread Ineiev
On Wed, Oct 18, 2023 at 03:46:55PM +0100, Gavin Smith wrote:
> I am trying to update a project's webpages after a new release, but
> every time I issue a cvs command the message is printed:
> 
> > sv_membersh is part of Savane.
> > In order to download the corresponding source code of Savane, run
> > 
> >   rsync -avz --cvs-exclude ga...@cvs.savannah.nongnu.org:/opt/src/savane .
> 
> I don't know what sv_membersh or Savane is or why I should care.

Savane is the free software hosting system savannah.gnu.org runs.

sv_membersh is the restricted shell used as the login shell for Savane users
when they connect via SSH.

Savane is released under the AGPL; offering the corresponding source code
is a requirement of the AGPL.

Do you think the message should elaborate on these points?

> This message was not printed before and is distracting and confusing.  I
> have updated GNU webpages using CVS many times over several years and never
> had this message before.

That was an omission.

> Using CVS from the command line is fiddly enough as it is (as I only
> use CVS infrequently to update GNU webpages I don't use it enough to be
> comfortable with it) without having extra messages to worry about.

> This message looks like an advert to me and isn't helpful.  If I wanted
> to download the source code of Savane I would look for it myself, without
> having it shoved in my face.

The problem is, we don't deploy exactly the same version for all
Savannah hosts at once, we update them one by one, so you hardly
would be able to tell which Git commit corresponds to software
running on the particular host; this feature makes sure the users
can download the right version.

> Can this unnecessary and annoying message please be removed?

You can disable that message in your Savannah account configuration
(the 'Quiet SSH member shell' checkbox).




Re: Spam message when using CVS for webpages

2023-10-18 Thread Gavin Smith
On Wed, Oct 18, 2023 at 09:56:17AM -0500, Corwin Brust wrote:
> Thanks for raising this issue.  FWIW it has also been brought up by
> others.  We are planning on discussing with FSF today, at the regular
> "volunteers" meeting, where most weeks svh and fsf sysop staff connect.
> 
> We'll update you assuming this topic does get discussed and there is some
> conclusion to share (or when there is).
> 
> Kind regards,
> Corwin

That's good to hear!  Thank you for your quick response.



Re: Spam message when using CVS for webpages

2023-10-18 Thread Corwin Brust
On Wed, Oct 18, 2023 at 9:46 AM Gavin Smith wrote:

> I am trying to update a project's webpages after a new release, but
> every time I issue a cvs command the message is printed:
>
> > sv_membersh is part of Savane.
> > In order to download the corresponding source code of Savane, run
> >
> >   rsync -avz --cvs-exclude ga...@cvs.savannah.nongnu.org:/opt/src/savane .
>
> I don't know what sv_membersh or Savane is or why I should care.

 [SNIP]

> This message looks like an advert to me and isn't helpful.


Thanks for raising this issue.  FWIW it has also been brought up by
others.  We are planning on discussing with FSF today, at the regular
"volunteers" meeting, where most weeks svh and fsf sysop staff connect.

We'll update you assuming this topic does get discussed and there is some
conclusion to share (or when there is).

Kind regards,
Corwin


Spam message when using CVS for webpages

2023-10-18 Thread Gavin Smith
I am trying to update a project's webpages after a new release, but
every time I issue a cvs command the message is printed:

> sv_membersh is part of Savane.
> In order to download the corresponding source code of Savane, run
> 
>   rsync -avz --cvs-exclude ga...@cvs.savannah.nongnu.org:/opt/src/savane .

I don't know what sv_membersh or Savane is or why I should care.

This message was not printed before and is distracting and confusing.  I
have updated GNU webpages using CVS many times over several years and never
had this message before.

Using CVS from the command line is fiddly enough as it is (as I only
use CVS infrequently to update GNU webpages I don't use it enough to be
comfortable with it) without having extra messages to worry about.

This message looks like an advert to me and isn't helpful.  If I wanted
to download the source code of Savane I would look for it myself, without
having it shoved in my face.

Can this unnecessary and annoying message please be removed?

Thank you for your work on Savannah.