[Dev] Criteria beyond FSDG compliance for Parabola and third party repositories?

bill-auger bill-auger at peers.community
Thu Dec 22 22:08:52 GMT 2022


On Thu, 22 Dec 2022 05:34:26 +0100 Denis wrote:
> The question is if Parabola should add policies that go further

i am generally on-board with that - i suggested a policy review
and revisions about a year ago


On Thu, 22 Dec 2022 05:34:26 +0100 Denis wrote:
> I am also unsure if Parabola also has a rule that requires to have very
> precise licensing information or not[7]?

only the PKGBUILD license=() array - i think that should
reference licenses of _whatever_ is in the parabola source
package (*-src.tar.xz)


On Thu, 22 Dec 2022 05:34:26 +0100 Denis wrote:
> unlike Parabola, Trisquel and PureOS probably
> have rules requiring to recompile package from the upstream
> distribution. 

im pretty sure that Trisquel and PureOS are both > 90% packages
imported from their respective upstreams, same as parabola

another point comes to mind though - as distros near 100%
"reproducible", the motivation and value of rebuilds changes,
from avoiding to trust the upstream via redundant effort, to a
verification of the upstream package globally, across all debian
downstreams


On Thu, 22 Dec 2022 05:34:26 +0100 Denis wrote:
> If for instance we decide in Parabola that all the third-party
> repositories should follow the same rules as Parabola, then we will
> probably end up having to remove all the software that is configured to
> use third party repositories, or at least disable the repositories.

luckily, the abrupt ejection of pip and rubygems has caused
minimal damage - the remaining others are much less popular


On Thu, 22 Dec 2022 05:34:26 +0100 Denis wrote:
> Parabola has a document that explains what users should expect of
> it[6], so in any case we can explain to users what Parabola protects
> against and what it doesn't protect against.
> 
> [6]https://wiki.parabola.nu/How_does_Parabola_protects_users_against_nonfree_software

maybe freemor will like to look that over and/or improve or
expand that article - freemor has been the most adamant about
that aspect of parabola - explaining the rather low limitations,
to how any distro can protect its users, especially debunking
the common security paranoia support questions (such as: each
user must define a "threat model" and be somewhat vigilant - the
distro can not do those things for everyone)

not to mention that parabola, as a power-user distro, does
not really want to protect the user from oneself - i think myself
and freemor agree, the "take-home message" should be "Parabola
protects users primarily, by teaching them how to protect
themselves, and providing clean tools and a clean base
environment in which to do so"

parabola users even need to know how to protect themselves
against parabola (learn about makepkg, keep a liveISO and learn
about pacstrap, etc) - there are no guarantees from parabola or
any upstream - this month has been an especially wild ride -
parabola has been broken in 3-4 rather serious ways this month -
probably every parabola user hit at least one snag this month

over-all, some "Parabola 101" primer would be helpful - eg: to
update the obsolete "beginners guide" - ie: "what parabola can
do for users" is a much shorter list and is less important than
"what parabola users can (and must) do each for oneself" 


On Thu, 22 Dec 2022 05:34:26 +0100 Denis wrote:
> Personally I would prefer if we keep FSDG compliant repositories

the difficulty is in how to determine which repos are FSDG
compliant repositories, when none of them have that as a goal -
the haskell repo strives to be OSI-compliant - that is perhaps
close enough - but i expect a very short list in the end:

* debian
* guix
* haskell
* hyperbola
* pureos
* trisquel

that could be the complete list already

