Group: Software/research/ExternalRepositories

From LibrePlanet

Introduction

Context

While distributions typically have high quality packages that work fine, a lot of software is not packaged in distributions.

This often leads users to rely on third party package managers, which are often provided by the distribution.

This page tries to summarize the research about such third party package managers, especially to understand which one can be added in or kept in FSDG compliant distributions, and which ones should be removed or replaced.

Read a related article: Keeping track of freedom while managing packages

Goals

For various reasons, many packages in FSDG compliant distributions are configured to use third party repositories that contain nonfree software. This makes it hard for end users to understand what is provided by the distribution and what is not, especially because FSDG distributions are supposed to be fully free.

In order to solve this problem, we need to:

  • Understand what third party repositories programs or packages use, and understand the requirements of these third party repositories.
  • Teach users about the problem until it is fully solved
  • Start addressing the problem in various ways:
    • Work with upstream to make it possible to configure, at compilation time, a filter that excludes nonfree third party software. This also requires very strict licensing policies in the third party repository: for instance, if a third party package declares GPLv2 while also including nonfree software, we can't easily filter it out. Also note that the FSDG requires more than fully free packages, so it is worth looking into that first, to see how FSDG requirements can be expressed in third party package definitions.
    • If working with upstream is not possible, create alternative repositories that are fully free.
    • It is also sometimes possible to disable the nonfree repositories and create other alternatives. The 'guix time-machine [...] -- guix shell -C <package list> -- <command>' command is a good alternative to docker for instance. It is also possible to use Guix or debuerreotype to create docker containers which in some cases can help users avoid the docker hub repository.
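A sketch of the kind of license filter described in the list above, as an added example (not code from this page or from any distribution). It assumes the repository exposes one SPDX license expression per package; the allowlist, the function names and the sample records are constructed for illustration. It rejects anything it cannot prove free, and it can only be as accurate as the declared metadata:

```python
import re

# Constructed allowlist for illustration (SPDX identifiers of licenses the FSF
# lists as free); a real filter would track the full GNU/FSF license list.
FREE = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-or-later", "MIT", "Apache-2.0"}
OPERATORS = {"AND", "OR", "WITH"}
ID = re.compile(r"[A-Za-z0-9.+-]+")

def verdict(expr):
    """Return "free", or the reason a declared SPDX expression is rejected.
    Anything missing, unknown or not understood is rejected (fail closed)."""
    if not expr or not expr.strip():
        return "no license declared"
    words = expr.split()
    ids, ops = words[0::2], words[1::2]
    well_formed = (len(words) % 2 == 1
                   and all(op in ("AND", "OR") for op in ops)
                   and all(ID.fullmatch(i) and i not in OPERATORS for i in ids))
    if not well_formed:
        return "needs manual review"      # WITH exceptions, parentheses, free text
    # AND binds tighter than OR: split into alternatives, then into conjuncts.
    for alternative in " ".join(words).split(" OR "):
        if all(part in FREE for part in alternative.split(" AND ")):
            return "free"                 # the recipient may pick this branch
    return "nonfree or unknown license"

def filter_repository(packages):
    """Split package records into kept names and {dropped name: reason}."""
    kept, dropped = [], {}
    for pkg in packages:
        reason = verdict(pkg.get("license"))
        if reason == "free":
            kept.append(pkg["name"])
        else:
            dropped[pkg["name"]] = reason
    return kept, dropped

# Constructed sample metadata, not taken from any real repository.
SAMPLE = [
    {"name": "pkg-gpl", "license": "GPL-3.0-or-later"},
    {"name": "pkg-artistic1", "license": "Artistic-1.0"},
    {"name": "pkg-nolicense"},
    {"name": "pkg-dual", "license": "MIT OR LicenseRef-Proprietary"},
    {"name": "pkg-mixed", "license": "GPL-2.0-only AND LicenseRef-Proprietary"},
    {"name": "pkg-exception", "license": "GPL-2.0-or-later WITH Classpath-exception-2.0"},
]

if __name__ == "__main__":
    print(filter_repository(SAMPLE))
```

Packages sent to manual review are dropped until a person has checked them, so a repository that accepts missing or free-text license fields produces a smaller but trustworthy set.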

Similar issues

Some programs are not package managers but have a similar effect: they download and run code from remote locations.

A well known example is web browsers, which in many cases automatically run nonfree JavaScript from web pages. There are several ways to avoid that, and some FSDG distributions even configure some browsers (but usually not all of them) to not run nonfree JavaScript by default. But this typically doesn't cover all browsers, and even when a browser is covered, the user is still not in control of the code being run: the legal freedoms are there, as the code is free and the user can get the source, but it is usually extremely impractical to run a modified version, even for very technical users.

But there are also less well known programs that run code from remote locations, and this is dangerous because users are not aware of it. For instance, yt-dlp can in some situations also run nonfree JavaScript. Knowing under which conditions it does that requires more research. We also need to do more research to understand which programs are affected. For instance, does python-woob also run nonfree JavaScript? If so, which versions do that, and under which conditions?

FSDG compliant repositories

This contains lists of FSDG compliant repositories.

Repository type FSDG compliant implementations References for FSDG compliance
Browser addons See BrowserAddons
Emacs packages repositories
GNU Package:
  • Free software licenses[1]
  • No nonfree dependencies[2]
  • Does not recommend nonfree programs[3]
Source packages manager for GNU packages (and their dependencies)
Boot software distribution
General purpose package manager on top of existing distributions In the list of FSDG compliant GNU distros
Kernel packages repositories

The CrossDistroBootstrap page also has some information on how reusable some FSDG distribution repositories are. For instance PureOS and Trisquel are now in upstream debootstrap, but to use that safely and easily, distributions also need to package the PureOS/Trisquel keyrings.

As for using other distribution repositories, the DistroExecutionEnvironments page has more information about which container/virtualization systems work with which distribution.

Research

Programming languages

Repository name Programs / Packages Repository type Licenses requirements Reliability of license fields Status Guix import[4]
Akku Akku R6RS/R7RS scheme Its man page has: "Please pay some attention to the license field to make sure that it is accurate. Use the identifiers from the SPDX project, making sure to use an open source license.". This means that it probably allows the Artistic License 1.0, which is open source but not free according to GNU, unless someone convinces them to change this. ?
Distribution Status
Dragora
Dynebolic
Guix

akku

Hyperbola
LibreCMC
Parabola Doesn't have Akku
ProteanOS
Replicant
PureOS
Trisquel Doesn't have Akku
Ututo S
No
Alire alire (pureOS?) Ada, SPARK Not reliable, even allows no license: "The manifest [...] contains [...] information about the crate [...] such as the name and version, others optional like the licenses" No
anaconda.com repositories
  • Conda
  • Miniconda
Python According to the What’s in a package blog post from guix-hpc.info, we have package like PyTorch that bring in nonfree dependencies like CUDA in conda. Also note that there are terms of services associated with the use of the servers: "Use of Anaconda’s Offerings at an organization of more than 200 employees requires a Business or Enterprise license. For more information, see our full Terms of Service, or read Frequently Asked Questions about our Terms of Service."[5] ?
Distribution Status
Dragora
Dynebolic
Guix

conda

Hyperbola
LibreCMC
Parabola
ProteanOS
Replicant
PureOS
Trisquel
Ututo S
No
anaconda.org repositories Python Seems to have nonfree dependencies. For instance, in the recipe of PyTorch we can see CUDA as a dependency. ?
Distribution Status
Dragora
Dynebolic
Guix
Hyperbola
LibreCMC
Parabola
ProteanOS
Replicant
PureOS
Trisquel
Ututo S
No
ConanCenter Conan C/C++ Conan and repository ? ? No
Composer PHP Yes
CPAN ? Perl Allow any license (including nonfree software) ? Yes
CRAN ? R The CRAN policy has strict license requirements, but it also allows the following nonfree licenses: Very high. See "Source packages" in the CRAN policy. Yes
CRAN (via the Guix CRAN channel)

(unofficial Guix repository)

N/A R Same as CRAN. Not referenced by FSDG distributions, so nothing to fix.

Since CRAN licensing information is very strict, it might be very easy to make an FSDG compliant repository out of it, by removing packages with licenses considered nonfree by GNU / The FSF. That repository is already fully automated so it might be very easy to fix and maintain.

Yes[6]
crates.io Cargo Rust ? ? lib.rs is a free frontend to crates.io, so the repository can be viewed without nonfree JS. Yes
Eggs Scheme Yes
Elm Elm Yes
Hackage Cabal Haskell FLOSS license required, points to FSF and OSI for the licenses list. ? Yes
luarocks luarocks Lua ? ?
Distribution Status
Dragora Has luarocks
Dynebolic
Guix Doesn't have luarocks
Hyperbola
LibreCMC
Parabola Has luarocks
ProteanOS
Replicant
PureOS
Trisquel
Ututo S
npm Registry npm JavaScript ? ?
hex.pm Erlang Yes
opam OCaml Yes
PECL ? PHP Allow nonfree software, GPL and LGPLv3 (libraries?) not accepted ?
pkg.go.dev Go ? ? Yes
Python Package Index
  • pip
Python Allow any license (including nonfree software) ?
Distribution Status
Dragora
Dynebolic
Guix
Hyperbola
LibreCMC
Parabola blacklisted
ProteanOS
Replicant
PureOS
Trisquel blacklisted
Ututo S

It is also possible to run your own private repository: pypi.org mentions that "PyPI does not support publishing private packages. If you need to publish your private package to a package index, the recommended solution is to run your own deployment of the devpi project."[7] and Guix has the python-devpi-server package.

Yes
RubyGems rubygems Ruby Allow any license (including nonfree software) ?
Distribution Status
Dragora
Dynebolic
Guix
Hyperbola
LibreCMC
Parabola blacklisted
ProteanOS
Replicant
PureOS
Trisquel
Ututo S
Yes
Stackage Haskell Yes
Texlive Tex, LaTeX Yes

Parabola has a bug report (bug #1035) about programming language package managers; it has more references and information on the issue.

Emacs

Repository name Repository type Enabled by default? Licenses requirements Reliability of license fields Status Comments
guix-emacs Guix packages for MELPA N/A Same as MELPA? ? ? The packages are generated automatically, so it may be possible to filter out nonfree software if there is any.
ELPA GNU Emacs Lisp Package Archive Yes, since emacs 24[8] Free software[9] Very strict[9] FSDG compliant[9]
ELPA non-GNU Emacs Lisp Package Archive Yes, since emacs 28.1[8] Free software[9] Very strict[9] FSDG compliant[9]
MELPA ELPA-compatible package repository No ? ? ?

Browser addons

For known FSDG compliant repositories that have browser addons, see the BrowserAddons wiki page.

Repository name / URL Compatible browsers Licenses requirements Reliability of license fields Status Comments
addons.mozilla.org
  • Firefox and derivatives
  • Don't seem very strict.
  • I was told that it wasn't possible to make certain distinctions (multiple licenses? GPL specific versions? Licenses with exceptions (GPL + exception), etc.).
  • Not FSDG compliant
  • Already removed from most/all FSDG compliant distributions.

Containers and VM

See Group:Software/research/ExternalRepositories/DockerRegistries for more details about Docker registries, how to run your own registry easily, etc.

There is also a page about flatpak: Group:Software/research/ExternalRepositories/FlatpakRegistries.

Program name Repository type Repository website Licenses requirements Reliability of license fields Status
Docker Repository of distribution installation images and software images https://hub.docker.com/ Allows nonfree software There is no standard way to report the licenses being used. In many cases this makes it extremely complicated to know the license of a container. In other cases, (like a PureOS image) you can use the tools of the distribution to find out (PureOS packages do have licenses). Docker has a default repository for images according to the docker bug #7203 and to a stackoverflow comment. Since that repository is used in the 'docker' command line tool, it needs to be replaced or removed.
Distribution Status
Dragora
Dynebolic
Guix Has a docker package
Hyperbola
LibreCMC
Parabola #3421 Patched to not use docker hub by default. Users have to manually specify which docker repository to use when using docker commands that use docker repositories.
ProteanOS
Replicant Doesn't ship docker
PureOS Has a docker package
Trisquel
Ututo S
GNOME Boxes (+osinfo-db) Repository of distribution installation images that is constructed with libosinfo and osinfo-db
Distribution Status
Dragora
Dynebolic
Guix Bug #60109
Hyperbola
LibreCMC
Parabola Gnome Boxes and/or libosinfo are patched to only show FSDG compliant distributions.
ProteanOS
Replicant Doesn't ship GNOME Boxes
PureOS byzantium Has a gnome-boxes package
Trisquel
Ututo S
LXC Repository of distribution packages / rootfs images.linuxcontainers.org ? ? LXC provides $prefix/share/lxc/templates/lxc-download which can download various distributions like Debian, Ubuntu, etc.
Distribution Status
Dragora
Dynebolic
Guix '/gnu/store/*-lxc-*/share/lxc/templates/lxc-download --list' lists non-fsdg compliant distributions.
Hyperbola
LibreCMC
Parabola '/usr/share/lxc/templates/lxc-download --list' lists non-fsdg compliant distributions.
ProteanOS
Replicant
PureOS
Trisquel
Ututo S

Games

Program name Repository type Repository website Licenses requirements Reliability of license fields Status
Supertuxkart Addons ? ? ?
Wesnoth Addons ?
  • For code: License(s) compatible with the GPLv2 or later[10].
  • For the rest: either "GPLv2 or later" or Creative Commons licenses (including nonfree ones)[11].
Xonotic Content downloaded during online games:
  • Maps
  • Music
  • Other?
? ? ?
Distribution Status
Dragora
Dynebolic
Guix

xonotic

Hyperbola
LibreCMC
Parabola Bug #2360
ProteanOS
Replicant Doesn't ship xonotic
PureOS byzantium Doesn't ship xonotic
Trisquel Doesn't ship xonotic
Ututo S

Other programs

Program name Program type Repository type Repository website Licenses requirements Reliability of license fields Status
Arduino IDE Repository of software to support microcontroller boards (available in "Boards Manager") The Arduino IDE has a package manager in "Tools" -> "Board: [...]" -> "Boards Manager".
Distribution Status
Dragora
Dynebolic
Guix Doesn't ship arduino (yet)
Hyperbola
LibreCMC
Parabola Present
ProteanOS
Replicant Doesn't ship arduino
PureOS byzantium Has an arduino package
Trisquel
Ututo S
Gajim Instant messaging client Repository of plugins plugins from ftp.gajim.org ? ?
Distribution Status
Dragora
Dynebolic
Guix
Hyperbola
LibreCMC
Parabola
ProteanOS
Replicant Doesn't ship Gajim
PureOS byzantium
Trisquel
  • Has

gajim-plugininstaller

Ututo S
Kicad PCB design software Repository of Kicad plugins https://repository.kicad.org/ In tools->Plugin and content manager, there is a package manager of Kicad addons.
Distribution Status
Dragora
Dynebolic
Guix Has Kicad
Hyperbola
LibreCMC
Parabola Has a kicad package
ProteanOS
Replicant Doesn't ship kicad
PureOS byzantium Has a kicad package
Trisquel
Ututo S
Libreoffice Document editing software Extensions extensions.libreoffice.org ? ?

TODO:

  • Needs confirmation of the bug (Does upstream have licenses requirements or not?).
Distribution Status
Dragora
Dynebolic
Guix

libreoffice

Hyperbola
LibreCMC
Parabola Bug #3412
ProteanOS
Replicant Doesn't ship libreoffice
PureOS byzantium Has a libreoffice package
Trisquel

libreoffice

Ututo S
Nextcloud Collaboration server Addons apps.nextcloud.com ? ? TODO: Check if Nextcloud uses apps.nextcloud.com
Distribution Status
Dragora
Dynebolic
Guix Doesn't have nextcloud
Hyperbola Doesn't have nextcloud
LibreCMC
Parabola Has nextcloud
ProteanOS
Replicant Doesn't have nextcloud
PureOS
Trisquel Doesn't have nextcloud
Ututo S
phoronix-test-suite Performance benchmarking tool tests
Distribution Status
Dragora Doesn't have phoronix-test-suite
Dynebolic
Guix Filters out nonfree tests
Hyperbola Doesn't have phoronix-test-suite
LibreCMC
Parabola Filters out nonfree tests
ProteanOS
Replicant Doesn't have phoronix-test-suite
PureOS
Trisquel
* Only available in Trisquel 9.0 (etiona)
* bug #23630 (for etiona)
Ututo S

GNU packages

Repository name Repository type Licenses requirements Reliability of license fields Status
GNU PPA

List of pages

This set of pages talks about external repositories.


(Note that this page does not automatically update; if you add another page under Hardware/, make sure to refresh/purge this page.)


See also

  • DistroUpstreamSupport: This page has a list of which FSDG distributions are supported in some of the external repositories present here.
  • CrossDistroBootstrap: For how to bootstrap an FSDG distribution from another FSDG compliant distribution.

References

  1. https://www.gnu.org/prep/maintain/maintain.html#Licensing-of-GNU-Packages
  2. https://www.gnu.org/help/evaluation.html
  3. https://www.gnu.org/prep/maintain/maintain.html#Ethical-and-Philosophical-Consideration
  4. This could help avoid using the repository, as it makes it easier to create packages and/or check licensing information for the software you want or need. See the "10.5 Invoking guix import" section in the Guix manual for more information. Also note that guix import works on some 100% free repositories like elpa, and it has an importer for GNU packages as well.
  5. https://www.anaconda.com/pricing/
  6. Guix-cran probably already uses guix import to generate the packages.
  7. https://pypi.org/help/#private-indices
  8. Reference: https://www.emacswiki.org/emacs/ELPA
  9. The repository is hosted on Savannah. Since Savannah has extremely strict licensing requirements for hosting, it should be OK.
  10. https://wiki.wesnoth.org/Wesnoth:Copyrights#User_Made_Content_-_Code
  11. https://wiki.wesnoth.org/Wesnoth:Copyrights#User_Made_Content_-_Visual_and_Audio_Content



This page was a featured resource in October 2024.