Re: Guix and FSDG

[Thompson, David]

Hi, just a quick note to begin: Please do not cross-post to multiple
mailing lists because it tends to cause confusion for everyone reading
those lists.  I have included only guix-devel in the CC list for this
reply.

On Wed, Nov 20, 2019 at 5:02 AM Raghav Gururajan
<address@hidden> wrote:
>
> (b) Facilitation of non-free information/code/program/software:
> As per FSDG, free system should neither steer users nor refer to third-
> party repositories, to obtain information/code/program/software that
> can contain non-free parts. Let's consider the same two main things
> provided by Guix, that are, (i) Package Definitions (Scheme Code) and
> (ii) Subsitiutes (Pre-Built Binary). If we take substitutes,they are
> pre-built binaries, built on the guix build farm, where the source is
> obtained, de-blobbed (if required) and compiled. Since guix provides
> substitutes only for free software/programs, there is no facilitation
> of non-free information/code/program/software here. If we take the
> package definitions, that is were issue rises. When no substitutes are
> available or when the program/software is chosen to be built, guix on
> the user's system does this: downloads source directly from upstream
> (along with non-free parts if it contains), then strips out non-free
> parts (if any), then builds and installs binaries. So these package
> definitions, contains information/lines-of-code, that steer users or
> refer to third-party repositories, to obtain
> information/code/program/software that can contain non-free parts.
> Therefore, Guix DOES violate FSDG in this aspect.

I believe this is incorrect and I will explain why.  This exact
circumstance was brought up in the early days of the Guix project when
FSDG compliance was a big topic of discussion because Ludovic and RMS
were making sure that Guix conformed to it.  It is true that Guix will
download source archives for packages that *may* contain files with a
nonfree license.  However, Guix has a special mechanism developed
specifically to deal with this issue.  In Guix, the <origin> data type
is used to store information about a package's source code.  In this
data structure there is a field called "snippet" which may contain a
custom procedure written by the person that wrote the package.  The
role of the snippet procedure is to *remove* any files in the source
archive that are not freely licensed.  The result is a new source
archive that contains only freely licensed files.  The most important
part of this process is that the original source archive is *never*
accessible to the Guix user via any Guix tools.  The original archive
is discarded and does not end up in the canonical location for Guix
data: /gnu/store.  Thus, running `guix build --source
problematic-package` will only ever return the cleaned archive, never
the original with nonfree files.  Therefore, Guix has taken sufficient
technical measures to avoid steering its user towards nonfree software
and thus Guix is compliant with the FSDG.

Hope this helps,

- Dave