bug#34565: ungoogled-chromium contains Widevine DRM

[Julien Lepiller]

Le 2019-02-20 14:03, Jason Self a écrit :
> Jason Self wrote:
> > I should probably add on that this position comes from my interaction
> > with the FSF in 2010: When LibreWRT was founded in 2010 (before it
> > later merged into libreCMC) we submitted a similar question to the
> > FSF,as to if it was sufficient for the LibreWRT build scripts (which
> > would be run by the person building the firmware image from source
> > and would have completely automated, just like how someone might
> > instruct Guix to build from source) to download Linux and then run
> > the Linux-libre deblobbing scripts on it vs having the build scripts
> > instead download tarballs that were already cleaned up. I can't seem
> > to find the email from back then but the response was that we needed
> > to use already cleaned-up tarballs, not ask the user to clean up the
> > software afterward even if automated. So that was what we did. Guix
> > should do something similar.
>
> I haven't been able to find this conversation in my email. As it seems
> to be directly relevant to Guix, since it seems to also be the exact
> same method they use, I have emailed the FSF asking if they can locate
> this in their ticketing system and to re-send the conversation to me.
> More to come.

I think the situation is different though. You can see the build script
inside the "origin" record as the liberation procedure that anyone can
see and verify. It's also a procedure targeted at our build farms, so
that they can produce the liberated source code. Users never manipulate
non-free source code, unless something is wrong on the build farm side.

Essentially, users only download the liberated sources, and build the
package from that, or they download the sources from the build farm
and build the package from that. The source they download is the
one that `guix build -S foo` gives you, and the semantics is
"give me the sources to build foo", not "build the sources of foo".

I think that this way is more transparent, since we can independently,
altough with tooling not provided by guix, check and re-run the
liberation procedure that is documented as part of the guix package
recipe. This is much better than trusting someone to have actually
run the right liberation procedure as you can examine both the result
and the procedure itself.

I hope this is clearer now :)

Well, I'm still interested by that discussion on libreWRT.