* Arun Isaac <arunis...@systemreboot.net> [2021-05-01 09:58]:
>
> > In general, I don't find it easy to find source code for package
> > "hello".
>
> Don't know what you're talking about. It's very easy to get source code
> for a package. For example,
>
> $ guix build -S hello

I have assumed there must be such a function. Yet I don't think that
satisfied the licensing requirements.

It may look picky from my side, but licensing is very important, and
without proper application of a license a distribution gets into
risks. Distributions are built on a foundation of licensing. Licenses
have to be respected thus.

Examples, from GPL3 (but various packages may have different licenses,
which do not apply as here):

,----
| 5. Conveying Modified Source Versions. -- this applies when there
| are patches by Guix, and there are many such packages.
`----

  You may convey a work based on the Program, or the modifications to
  produce it from the Program, in the form of source code under the
  terms of section 4, provided that you also meet all of these
  conditions:

    a) The work must carry prominent notices stating that you modified
    it, and giving a relevant date.

Example patches for glibc package in /gnu/store:

ag70kyqnm7wkdq2261d9m4im5rnl1d20-glibc-hurd-clock_gettime_monotonic.patch
j5m8zbb066vzbhrvy402s4cg79zgzkfp-glibc-bootstrap-system-2.16.0.patch
lgrlsr3qnxxvic3y472qwybv5wbyabm6-glibc-hidden-visibility-ldconfig.patch
mvq0q2f211bxb4syfxvng9kgdxzkr5f3-glibc-versioned-locpath.patch
pfz4y5i7krlvam2m8lpddmg9vi44rpqh-glibc-boot-2.2.5.patch
qkgnyh78n4y55r0ymaqzbrx842jvsmhw-glibc-hurd-signal-sa-siginfo.patch
rnqkir22908x6z3i1mk4phyvskz15qc4-glibc-supported-locales.patch
s4g72j3kx547bmn2lphcnva4npgi3qp9-glibc-bootstrap-system-2.2.5.patch
svva3cym2n04d2x3bpi4rs6qpnw0m162-glibc-hurd-clock_t_centiseconds.patch
sz5nmndsway8bq7283ihdgvmm3xb14l8-glibc-allow-kernel-2.6.32.patch
v1h2i4i5xmrs9d4c44w5wshv5zyszb8k-glibc-ldd-x86_64.patch
vh29xqy3daavjpi0ikpmqzfczzpbscix-glibc-reinstate-prlimit64-fallback.patch
wm80397r10sj6qckf6987qd2hh842p30-glibc-boot-2.16.0.patch

However, there is no prominent notice stating that it was modified and
the given date. Even if those patches are applied on the fly, there is
no such notice, and it should be there.

We speak here of distribution or conveying, and licensing. We do not
speak of using the guix package manager. When a binary package (object
code) is placed on a server anywhere, that is conveying.

,----
| To "convey" a work means any kind of propagation that enables other
| parties to make or receive copies. Mere interaction with a user through
| a computer network, with no transfer of a copy, is not conveying.
`----

When object code is on a public http server, in this case also known
as substitutes, that object code has to comply with licensing
conditions. Currently it does not. It only shows the license. It does
not show the notice where corresponding source code can be found.

I am sending this copy of email to Ludovic Courtès for consideration,
though I think he needs the support of somebody who can read and
understand the licensing conditions. This requires re-work of guix
package management.

More about it:

,----
| 6. Conveying Non-Source Forms.
`----

  You may convey a covered work in object code form under the terms
  of sections 4 and 5, provided that you also convey the
  machine-readable Corresponding Source under the terms of this
  License, in one of these ways:

  ... snip ...

    d) Convey the object code by offering access from a designated
    place (gratis or for a charge), and offer equivalent access to the
    Corresponding Source in the same way through the same place at no
    further charge. You need not require recipients to copy the
    Corresponding Source along with the object code. If the place to
    copy the object code is a network server, the Corresponding Source
    may be on a different server (operated by you or a third party)
    that supports equivalent copying facilities, provided you maintain
    clear directions next to the object code saying where to find the
    Corresponding Source. Regardless of what server hosts the
    Corresponding Source, you remain obligated to ensure that it is
    available for as long as needed to satisfy these requirements.

When a person receives a binary package like object code, there is no
offer and no offering in that package.

It may be very difficult for Guix to comply with licenses. However, I
cannot say that is a fully free distribution as their packages are
systematically in non-compliance at least with GPL3, probably GPL2 and
maybe AGPL licenses.

Because nobody was thinking of it, Guix missed it, and now they have a
hard time complying. But compliance is important as it acknowledges
developers of software. We speak of license compliance all the time.
We cannot be hypocrites and now say that Guix does not need to comply
with licensing.

I understand that there exists a continuous integration server, but let
me say frankly, if a user receives object code from the Guix continuous
server, then the corresponding source code to THAT version of the
object code has to be kept somewhere. I don't think that Guix does
that, but I may be wrong.

,----
| Regardless of what server hosts the Corresponding Source, you remain
| obligated to ensure that it is available for as long as needed to
| satisfy these requirements.
`----

I don't think Guix can do that. There are too many versions of
software constantly being updated. I am not sure of that.

SUMMARY
=======

1. Software modified by Guix with those GPL-related licenses does not
   carry prominent notices stating that they modified it with a date.

2. I may assume, this may be wrong, but I may assume that substitutes
   are built software, object code, located on servers. Along with
   object code there must be an offer of corresponding source
   code. There is no such offer in the packages distributed. In other
   words when a binary is downloaded, it has to contain such an offer
   as downloading a binary is conveying, publishing it on a server for
   others to receive it is distributing and conveying, and people
   should have clear direction where to get the source code.

   There are general instructions however, but licensing applies to
   every single individual package, not generally, and there are
   different licenses. Each single package has to comply with the
   licensing. It is irrelevant if object code is obtained by using
   the Guix package manager, because substitutes are on the server and
   accessible by let us say "curl" or a web browser.

3. For each version of the distributed object code or packages, Guix
   needs to keep the corresponding code for as long as necessary. Even
   after 5 years somebody can come along and say "I want corresponding
   source code for version 1.12" -- but Guix maybe updated it to
   version 2.41 and does not maybe have any more corresponding source
   code for version 1.12.

Why do you think that GNU servers are complying with licensing
requirements even after decades of moments of distributions?

Why should Guix be exempted from complying with licensing requirements
for ALL packages they distribute?

--
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

Sign an open letter in support of Richard M. Stallman
https://stallmansupport.org/
https://rms-support-letter.github.io/

_______________________________________________
libreplanet-discuss mailing list
libreplanet-discuss@libreplanet.org
https://lists.libreplanet.org/mailman/listinfo/libreplanet-discuss