Page MenuHomePureOS Tracker
Create Task
Maniphest T384

cargo - downloads potentially nonfree code
Open, Freedom IssuePublic
Actions

Description

cargo is a helper tool to download Rust crates.

As such it is a domain-specific package manager, which potentially involves nonfree code - and is outside the control of PureOS.

FSF guidelines for systems explicitly forbids to "steer users towards obtaining any nonfree information for practical use, or encourage them to do so [and should not] refer to third-party repositories that are not committed to only including free software; even if they only have free software today, that may not be true tomorrow."

The package should be blocked from getting included from Debian into PureOS.

The following packages reverse (build-)depends or recommends on cargo and should be blocked as well:

  • dh-cargo
  • meson
  • rustc
  • lots of packages reverse-build-depending on meson...

Given the amount of reverse build-dependencies (and more expected, when Rust library packaging takes off in Debian), we should probably try amputate cargo's ability to fetch external sources: Even if that feature is the main purpose of cargo upstream, Debian packages are forbidden to make use of that during build, so any package failing to build with such amputated cargo is either violating Debian rules or need to go anyway.

Event Timeline

mak added a subscriber: mak.Apr 10 2018, 10:10

This is impossible, as pretty much all of GNOME, systemd, Xorg depends on Meson, and no Rust code can be built without cargo properly at the moment.

Does this anti-site-specific-package-manager requirement really exist somewhere for us? Because we are in for a world of pain and an incredible maintenance burden as well as very angry upstream projects if we go down that path (there was already quite some complaints from the Python community about the prospect of not having pip), and removing these tools greatly limits what our users can do with PureOS.
Furthermore, other FSF-endorsed distributions such as Trisquel do contain tools like NPM, Cargo, etc., so - as far as I know at the moment - PureOS would be the only distribution doing this.

mak added a comment.Apr 10 2018, 10:11

Also, every one of these package managers will not download non-free stuff behind the user's back. Like APT itself or a webbrowser, it will download things only if the users has directly requested that.

jonas.smedegaard added a comment.Apr 12 2018, 07:40

This issue is about following requirements defined by the GNU DFSG. Bug description is now updated to include relevant quotes from GNU FSDG.

Please discuss the sense/relevancy of following GNU FSDG in general, as a separate issue, not here. That includes disccusion whether it makes sense for PureOS to address issues not identified nor addressed in other distributions endorsed as FSDG

And no, this issue is *not* about code operating behind the back of the user.