FS#5355 - Source code availability for full GPL compliance
Attached to Project:
Arch Linux
Opened by Tom Killian (tomk) - Tuesday, 05 September 2006, 13:30 GMT
Last edited by Eric Belanger (Snowman) - Wednesday, 22 July 2009, 23:53 GMT
Opened by Tom Killian (tomk) - Tuesday, 05 September 2006, 13:30 GMT
Last edited by Eric Belanger (Snowman) - Wednesday, 22 July 2009, 23:53 GMT
|
Details
Currently being discussed here:
http://bbs.archlinux.org/viewtopic.php?t=24826 in the aftermath of Mepis' related problems. |
This task depends upon
Closed by Eric Belanger (Snowman)
Wednesday, 22 July 2009, 23:53 GMT
Reason for closing: Implemented
Wednesday, 22 July 2009, 23:53 GMT
Reason for closing: Implemented
http://beranger.org/index.php?page=diary&2008/05/19/10/09/10-gratuitous-assertions-in-the-lat
Not good "advertising" but that site has some strong opinions about Arch/pacman anyway...
"As per section 3 of the GPL license, one copying a GPL licensed program may either: redistribute the source, provide the source upon request, or have express permission from the copyright owners to redistribute it without the source.
I will gladly back any request for source code. Feel free to email me directly and i will mail you a CD, for the cost of shipping and the CD itself.
Problem solved."
Is phrakture likely to be able to keep good on his/her promise here? Does he/she keep a personal snapshot of all GPL'd software distributed on all Arch Linux releases going back 3 years, including all versions that were built into packages distributed via AUR? If he/she does, and really can deliver a source CD based on the specific versions of GPL'd software requested, then this promise is sound. If not (and I suspect this is the case), then this promise is not good enough, because it is quite possible that it will be impossible or impractical for phrakture to recover the source "after the fact". What if I request the source for the unique and specific version of 300 individual pieces of GPL software as distributed by Arch Linux? Will phrakture be able to hunt down and obtain the individual pieces in a timely manner (if at all)? Will he/she even be willing to when actually requested to do so? I think that his/her promise as stated in the thread is a bit hasty and insincere to be honest.
As a consequence of this, I don't think that the bug is resolved. Arch Linux, by distributing binary packages for GPL'd software, is required to host copies of the software so that they can ensure that regardless of what happens with the project's web site (I would not be at all surprised to find that Source links in packages found in AUR will go bad after time as project names and URLs change), the source package will always be available, without telling the user "go find it yourself". Alternately, the project could keep its copies of all of the sources private and provide them on request as phrakware said they would do, but I really don't think they have the resources to do that.
Consider that I could write a script that would dig through AUR, pick packages randomly (including picking random versions of packages), and then mail a request off to the Arch team asking for those on CD. Now the Arch team is responsible for downloading all those sources (and some of them will probably require some work as the URL may have changed since it was put into AUR, so the original sources will have to be hunted down) and putting them on CD for me. That just seems needlessly onorous for the Arch team. Why not just replace all of the source links in the AUR package pages with links to the file cached on Arch's servers, and be done with the problem once and for all? I don't know how much additional disk space this would require of Arch, and I know it would not be insignificant, but that's the cost of the GPL. You get good quality free software, and you get to redistribute it for free, but if you do so, you have to pay the cost of making the sources available. I've got my $20 donation to the Arch team ready to send should they need it to cover the extra disk space costs.
From the current Packages pages of AUR:
http://aur.archlinux.org/packages.php
The "855resolution 0.4-5" package has its Source link as:
http://perso.wanadoo.fr/apoirier/855resolution-0.4.tgz
However, this is a bad URL and results in some French "file not found" portal page.
This particular package is not under the GPL, so it isn't a direct example of GPL violation by Arch. But it illustrates how the Arch mechanism for linking to source can become broken and if this ever happens for a GPL package, then this *will* be a violation of the GPL (even more so than not hosting source directly already is).
I think the GPL's requirements can be summarized pretty simply as:
"If you host a GPL'd binary, you have to host the source as well."
Note the word HOST in this statement. If you HOST a binary, you have to HOST the source as well. You can't HOST the binary but provide a link to the source.
[Yes, there are alternatives, such as providing the source only upon request, but that a) is not a very friendly way to treat your users and b) requires that ability to produce such CD's upon request which as I wrote above, doesn't seem very likely to be possible if you don't have all of the source archived anyway]
I have been really happy with Arch so far, and am fully prepared to convert to exclusively using Arch because my experience has been so great. However, this GPL issue gives me a little pause. Not only do I have a moral belief that the GPL should be adhered to, to the point of going above and beyond its most basic requirements to satisfy the spirit as well as the letter of the GPL (for example by providing convenient links for every binary package in Arch to Arch-hosted sources), but I also have a practical concern: I don't want to ever find myself in a position of needing to compile some package that I have on my Arch system but am unable to get to the source because Arch's links are bad or out of date, and have to go out searching for the original sources myself. That is not a risk I feel willing to take.
However, I am not pointing fingers here; I don't think that the Arch team is explicitly trying to violate the GPL or be 'bad sports', I just think this issue needs a bit more attention and to be solved using the same great KISS philosophy that Arch is based on. And I have no doubt that it can be solved in a way that satisfies the GPL, makes the users (and me) happy, and doesn't stress Arch's team very much. I look forward to that solution!
We are working toward getting real sources on the mirrors in addition to the packages.
Rather than whining like a bunch of little children, why don't you help out instead of acting like some sort of GPL Police.
For fuck's sake. I care about the GPL too. We are not compliant right now, and are trying. Random rants on some random schmucks website are not enough - NOTIFY people. Tell someone. Don't rant to a wall and expect people to notice.
If you're implying that I'm whining like a child, well not that it probably matters to you or anyone else, but I think that's ridiculous. I was just trying to educate you on what you need to do, to get you to take this problem seriously (and it didn't SEEM like you took the problem seriously, given your obviously disingenous offer to provide sources on CD upon request, and the fact that it's been two years since you made that offer and still never actually took any steps to really come into compliance with the GPL).
I'm super glad to learn that you 'are trying', and I have no doubt that a great solution is forthcoming. But don't tell me or anyone else that we're 'whining like a bunch of little children'. That's extremely disrespectful and unnecessary.
I actually was ready to provide CDs when I made that offer, and have not once gotten a request for a CD. Would you like one?
I guess it just seemed impossible for me to believe that you could really think that you'd be able to supply a source CD cobbled together from a bunch of sources which you may or may not have direct or easy access to. So I assumed that you didn't really think very hard about whether or not you could actually *do* it, and that it was just easier to *say* that you would be willing to do it, than to actually solve the problem of making sources available via the Arch package repository.
However, that's quite a few assumptions for me to make about your intentions and your motives and really there's no excuse for me doing that. Sometimes I find myself 'thinking for the other guy' rather than just asking him what he meant. I think it comes from having a very impatient personality.
I really like Arch and I just want more reasons to like it, GPL compliance would be huge for me. Once again, thanks for taking it seriously and I look forward to seeing the solution.
http://beranger.org/index.php?page=diary&2008/05/20/07/13/57
We talked it over via email, and things were handled nicely.
That said, I am testing a script to generate source tarballs here:
http://dev.archlinux.org/~aaron/sources/ (note: Access Forbidden right now, check back soon)
"No. The GPL requires (section 3) you to be able to: (i) either provide the FULL, COMPLETE sources; (ii) or come with a written offer (valid for at least 3 years! can you guarantee that?) that you can provide the FULL, COMPLETE sources. You can charge for the cost of physically making and sending CDs/DVDs, if this is the case."
So in the first case, how long do you have to provide the full, complete sources? 3 years too?
Suppose you release the arch package foo 1.5-1 . Then two days later, you realized there was a new 1.6 version, and you release the new package.
Now you have to keep both 1.5 and 1.6 sources for 3 years?
First off, you are only required to provide sources to anyone who you distributed the binaries to. So if no one downloaded the foo 1.5-1 binary package, then you technically would never be responsible for providing the source to anyone. However, this would be pretty difficult to track so for all practical purposes, once you've put a binary package up you have to assume that someone has downloaded it, and that you will have to honor any request for sources for that package for 3 years.
And yes, you'd have to keep sources for both the foo 1.5-1 package and 1.6 package, for 3 years from the date that you last distributed those packages.
Each time you supply a binary package to someone, the GPL requires you to make available the sources for that exact package for three years to *that person*. You technically don't have to make the sources available to anyone else. And you technically can have a time limit that is unique to each person and package download. However, this is so far beyond the bounds of practicality that it is simply easier to make the sources for all versions of all packages available to everyone for at least three years beyond the date that you last made binaries available.
I form my opinion based on this section from the GPLv2:
"3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
"
(I omitted (c) because I don't think it's relevent)
I guess it all depends on what 'Accompany' is interpreted to mean. For binaries distributed on physical media such as CD-ROM or tape, it's quite clear: if you put the sources on the same CD/tape that the binaries are on, you have satisfied (a).
But what about an FTP or HTTP server? For a file like an ISO image file, it is also possible to include the source with the binaries, since when the user downloads the image, they get the whole image, and if you've included the source in it, you've satisfied (a).
But what about for links to individual binary package files with links to source files on the same page? The user can download just the binary package file and not choose to download the source at the same time. It "feels" to me like this is not satisfying (a) because after the file transfer operation resulting from clicking on the binary package link, they have just the binaries - the file that they downloaded (the "media") has no source in it. So the link to the source "feels" to me like it is an "offer to provide the source upon request" - i.e., the source is there should the user choose later to download it. This sounds to me like it satisfies (b), which I interpret as meaning that the source link has to be kept around for 3 years after the binary link goes away.
However, this section from the GNU GPL FAQ seems to take a different view:
"Can I put the binaries on my Internet server and put the source on a different Internet site?
The GPL says you must offer access to copy the source code “from the same place”; that is, next to the binaries. However, if you make arrangements with another site to keep the necessary source code available, and put a link or cross-reference to the source code next to the binaries, we think that qualifies as “from the same place”.
Note, however, that it is not enough to find some site that happens to have the appropriate source code today, and tell people to look there. Tomorrow that site may have deleted that source code, or simply replaced it with a newer version of the same program. Then you would no longer be complying with the GPL requirements. To make a reasonable effort to comply, you need to make a positive arrangement with the other site, and thus ensure that the source will be available there for as long as you keep the binaries available. "
The very last part - "ensure that the source will be available there for as long as you keep the binaries available" seems to say that you only have to keep the sources available as long as the binaries are available. I don't know how this jives with the 3 year requirement of (b), but there you have it.
Also, here is another interesting thing from the GPL FAQ:
"Can I make binaries available on a network server, but send sources only to people who order them?
If you make object code available on a network server, you have to provide the Corresponding Source on a network server as well. The easiest way to do this would be to publish them on the same server, but if you'd like, you can alternatively provide instructions for getting the source from another server, or even a version control system. No matter what you do, the source should be just as easy to access as the object code, though. This is all specified in section 6(d) of GPLv3.
The sources you provide must correspond exactly to the binaries. In particular, you must make sure they are for the same version of the program—not an older version and not a newer version."
Note that the above specifically prohibits what phrackture had offered to do, which is to send a CD upon request to provide sources for binary package files which were originally made available via a computer network.
However, this FAQ seems to be a bit GPLv3-oriented so it's possible that the FAQ doesn't apply so well to GPLv2 software, which is what the majority if packages in Arch use (I think). I just looked at the GPLv3 and it's significantly different when it comes to requirements for binary packages hosted on a computer network, which only adds to the confusion.
Additionally, Bryan, can we stop taking jabs at me regarding this issue? I am solving it, there is no reason to call me out like this.
Since the GPL is a copyright license, the copyright holders of the software are the ones who have the power to enforce the GPL. If you see a violation of the GPL, you should inform the developers of the GPL-covered software involved. They either are the copyright holders, or are connected with the copyright holders. Learn more about reporting GPL violations.
>the GPL requires you to make available the sources for that exact package for three years to *that person*.
>You technically don't have to make the sources available to anyone else
Not true. If you choose to satisfy section 3 with the written offer (offer assumed if the source does not accompany the binary) then that written offer is good for ALL third parties. That is where 3c comes into play.
>Information will be added to the downloads page
Has this been done? I could not find it and had to ask on the forum.
>We are working toward getting real sources on the mirrors in addition to the packages.
any update on this?
>http://dev.archlinux.org/~aaron/sources/
Is this the source for the latest ISO or the current binaries that are available or what?
>I guess it all depends on what 'Accompany' is interpreted to mean
The word 'accompany' is a well defined word. The source has to be with the binary and the best way to ensure this is to host the source yourself. That doesn't mean the source and the binary has to be on the exact same server in the exact same location, but it is important to have a link to the source in the same location you have the link to the binary. If you can guarantee that a separate site will have the source available then that is acceptable but the question is, can you guarantee that.
>The 3 year case is only relevant with the written offer. If we are providing source on an ftp site or something of the sort,
>we only need to provide the source as long as we provide the binary.
True. But the source must be as readily available and accessible as the binary. Having links to a ISO full of binaries on the download page without having a link to the source code on the downloads page is a violation. If you have the source, which you must if you used it to build the binaries for the ISO then simply make those sources available either in a directory or rolled into a source ISO.
Along the same lines....if you provide a binary disc through osdisc then it would be a good to provide a source disc as well.
In my opinion, being GPL compliant is as important as any other aspect of a distro because it is required. It is not optional or a less-important task. Pretty artwork, improved installer, bug fixes are all important but they are optional or 'at your leisure' - license requirements are not. I hope this issue gets resolved. I will not consider arch further until more is done to resolve this issue.
Let me take at a stab at it.
- Use Amazon S3 for storage of the sources for all Arch-distributed GPL'd/LGPL'd binaries
- Have developers who maintain core/extra/community binary packages be responsible for uploading the sources to S3, for each source that is referenced by the package
- Modify the makepkg tool so that it first downloads from the source location listed in the PKGBUILD file, but if that source cannot be downloaded for some reason (such as the location of the source no longer being valid), it falls back to fetching the source from S3; in this way, sources would continued to be loaded from their original hosted locations, saving S3 bandwidth charges to Arch, until the original source is gone. In most cases, sources would never be downloaded from Arch's S3 bucket, so the bandwidth costs would be low.
I suggest using S3 because it takes the problem of managing the serving up of these source files completely away from the Arch team. All the Arch team would have to do would be to pay the monthly S3 fees; no worries about server hardware or backups or anything.
I've done some quick estimates of the cost of hosting the sources in this way. I count 4125 packages currently in core, extra, and community. Assuming that ALL of them are GPL'd/LGPL'd and require the source to be hosted, and assuming that the average size of the source tarballs is 5 MB, the total disk space needed would be about 20 GB. On S3, 20 GB storage costs about $3 per month. There is also a one-time cost for uploading all of that data, of about $2. Assuming 100 GB of file downloads from this bucket per month, the monthly data transfer fees would be $17.
So all told, with some very conservative estimates, the total cost per month to bring Arch in compliance with the GPL would be about $20. And likely the cost would be considerably less because a) not all packages would need to have source hosted, b) the average size of source files for packages is probably less than 5 MB, and c) assuming that the sources are almost always fetched from the original host by makepkg instead of from Arch's S3 bucket, monthly download would likely be alot less than 100 GB.
I think $20 per month is not a great barrier to bringing Arch into GPL compliance. In fact, I volunteer to pay for ALL of the Amazon S3 fees *personally* if we can just get the ball rolling on this.
Can you explain how it is better to try to get legal advice to see if Arch can somehow screw over the authors of GPL software, than to just bring Arch Linux into GPL compliance by cheaply hosting the sources on S3?
Also note, that (IIRC) linking upstream is technically enough under GPL3, so we only really need to host packages that are licensed as GPL2 only.
I don't see why we would need to modify makepkg to fallback to getting the source from wherever we posted them (although that may be a nice feature).
Allan: thank you for the update, much appreciated. Because it's been six months since this bug was filed, and since I think that many people who care about the integrity of the Linux distribution they install on their computer take this issue seriously, I think that it would be a good thing to provide an actual ETA for this feature. If you have the disk space, and the scripts, then what's holding the process up for completing this feature and closing out this bug?
Also - I've read about the GPLv3 on the GNU site. I don't see any sigificant changes in its requirement for hosting source over GPLv2. It seems to make explicit the fact that you can host the sources on a different server than the binaries, but still requires YOU (the hoster of the binaries) to host the sources, or to provide guarantees from the third party to whom you provide links to the source in lieu of providing the source yourself, for three years after you stop providing binaries. There is no way that Arch is doing this, it's much more onerous than just hosting the source. So please, just host all GPL source, v2 or v3, and put this issue to rest. And please note, that the GPL requires that Arch patches to the source that were used to create a binary be hosted along with the original source as well, so don't forget to do that.
There *has* been progress on this. We had to buy a new server to support the sheer size of these sources, and cron jobs and scripts have been comitted to the dbscripts repo.
They just need to be turned on.... but it's Christmas guys... go have fun with your families, we don't need to snipe at each other about "integrity" and things of this nature.
For what it's worth, it's not Christmas where I am, it's the day after. Either way, nobody's asking anyone to post to this bug instead of enjoying their holiday. Come back to it when your holiday is over. When that happens, could you just give me, for my own curiousity, the estimates that Arch developers have used for the amount of data that will be stored in the source repository, and the expected bandwidth used per month? It would be interesting to see if S3 would be cheaper or more expensive according to your estimates (the cost of a server would buy years of S3 service at the usage level I'd expect for Arch sources). It's not that I'm proposing switch to S3 if the Arch team already has bought a dedicated server for this purpose, I'd just like to understand the economics involved because it might be a useful comparison to refer to in the future for such decisions.
Finally, it's not 'sniping' to point out that there are people who care about the GPL compliance of Arch. I'm talking about the integrity of the distribution as being GPL-compliant, and in this way adhering to the philosophies that the GPL sets out both in spirit and in letter. I'm not talking about the personal integrity of anyone posting to this bug or using Arch, sorry if that was not clear.
I merely asked what the severity of the bug was from his perspective. Since he just took ownership of the bug, presumably because he would like to personally address it, it seems like a perfectly reasonable question to me, especially considering how long this bug has been open. As a software developer myself I know that it's easy to have inaccurate priority fields in a bug entry since priorities change and keeping these sorts of fields up to date often slips through the cracks.
I find it a little worrying that complying with the license requirements of software that the Arch project is shipping is deemed low priority; I would expect that it would be one of the most important kinds of bugs to fix. I'm part of "the Arch community" and I personally find this issue problematic enough that it alone will induce me to give up on Arch completely, should it not be addressed soon. This is not a threat, it's just a fact, and I say it only because I want you to understand that this is a very important issue to some people. I wish someone else who feels strongly about the GPL would chime in here so I wouldn't feel like the only one :)
But moreover, you should realize that you are legally obligated to fix this bug, by the terms of the GPL, regardless of how low you prioritize this issue.
I have a hundred different things to work on at any given time and this is simply low on my list of things because it's going to give us little direct benefit (besides getting rid of these "OMG MUST FIX NOW" bug comments).
The fact that work has been done on this (code has been written, servers have been upgraded, etc) should prove to everyone except the most zealous that we are working on this in good faith.
I'll apologize again if I seem demanding. It's hard for me to explain why I feel the way I do or why I am trying so hard to get accelerated action on this bug without sounding like I am demanding something, but please understand that it comes from caring about this issue alot. I love using Arch but it pains me to be participating in copyright violations against thousands of software developers who have given their works away for free.
The GPL packages that Arch Linux is distributed are under copyright by their authors. As such, Arch Linux (or anyone else) has no legal right to distribute copies of this software without explicit permission from the copyright holder. The copyright holder gives explicit permission to anyone on condition that they abide by the terms of the GPL license. If you don't abide by the license, then you don't have permission to distribute the software. If you don't have permission to distribute the software and are doing so anyway, then you are violating the copyright.
To put it another way, you said: "The violation is in the terms of the GPL *license* not the copyright", but the license is the only thing that gives you permission to copy the work, and since Arch Linux is not complying with the terms of the license, Arch Linux has no permission to copy the work, and is thus violating the copyright.
I will stop it at some point, so we have a point of reference to look at.
There are a few pending questions I'm waiting to get answered by the devs.
When those are answered, I will set this up to run as a cron job and keep our sources updated
However, I think you might need to change the directory structure you are using for hosting the sources. The reason I say this is that by the terms of the GPL, you are required to host not only the original sources, but your patches to those sources, for any binary you distribute based on the sources+patches. So basically, the contents of the /var/abs directory for any package built and distributed needs to be hosted. This includes the patches, associated scripts, etc.
And this has to be done for every version of the software that is distributed, so I think that the most logical way to do this would be to host a directory for each package, of the name:
/sources/${PACKAGENAME}-${VERSION}
Whose contents would be basically exactly the same as the /var/abs/.../${PACKAGENAME} directory for that particular package and version.
Example:
In my /var/abs/core/grub directory I currently have:
[code]
bji$ ls /var/abs/core/grub
040_all_grub-0.96-nxstack.patch grub-inode-size.patch intelmac.patch
05-grub-0.97-initrdaddr.diff grub.install menu.lst
PKGBUILD i2o.patch more-raid.patch
grub-0.97-gpt.patch install-grub special-devices.patch
[/code]
The version of the package is 0.97-14. So I think that the corresponding directory on ftp.archlinux.org would be /sources/grub-0.97-14 (or /sources/core/grub-0.97-14 if you prefer, for extra consistency with the /var/abs directory tree structure), with all of the above files in it.
This could be really easily scripted on the ftp server, since all that needs to be accomplished is scripting a means for detecting when a new package source is available (via pacman -Sy), then checking the resulting new PKGBUILD files and copying the /var/abs/.../${PACKAGE} directory over to /ftp-root-whatever/sources/${PACKAGE}-${VERSION} for all new versions (this might be most easily accomplished, although not most efficiently, by simply checking every PKGBUILD file in /var/abs and seeing if a corresponding /ftp-root-whatever/sources/${PACKAGE}-${VERSION} directory exists, and if not, copying it over, without having to otherwise keep track of which packages are "new" since the last pacman -Sy). Please note that this requires that the process that checks for new packages and copies files to the ftp directory run frequently enough that it never "miss" an updated package.
Also, this doesn't need to be done for all packages - the script could check the license line of the PKGBUILD files and only copy those which include GPL, LGPL, or any other terms which indicate a GPL-style license with GPL source hosting requirements.
Make sense?
However, this is a) highly unlikely to ever occur, b) could be dealt with on a case-by-case basis instead of having to go through the effort of becoming retroactively GPL-compliant for all old Arch Linux packages, and c) certainly ought to be deferred (probably indefinitely) as a low-priority secondary task related to fixing GPL compliance for Arch Linux. In 3 years this aspect of the GPL compliance issue will be irrelevent anyway due to the terms of the GPL only requiring source hosting for 3 years.
Getting the existing current packages and all future versions up on the source server, is by far the most important thing. If you never find a way to get old package sources up, I for one won't care, and I'm one of the most vocal GPL proponents you're likely to find (obviously :) ...
You might consider a directory structure like this:
/sources/core/grub/grub-0.97-14.src.tar.gz
/sources/core/grub/grub-0.97-15.src.tar.gz
/sources/core/grub/grub-0.98-1.src.tar.gz
...
Since the directory structure of /var/abs is already being managed by somebody somewhere to ensure that the number of packages at any given level of the tree never gets too big, then re-using the same directory structure on the FTP server will gain the same benefit.
Additionally, if you're worried about the amount of disk space that you'll have to use, you might re-consider hosting the sources in directories (e.g. /sources/core/grub/{0.97-14,0.97-15,0.98-1}), with hard links for files which don't change between versions to save disk space (i.e. instead of a copy of the same grub source in the first two directories in my example, there would be just one copy, with the second directory having a hard link to it). This could be a big savings for packages which have lots of revisions in which the upstream source doesn't change, but patches and build scripts and such do. And finally, I believe that some FTP servers have features for automatically tarring up directories for download, which would let users get the same tarball that they'd get from "makepkg --allsource" instead of having to get the files individually.
It's a very nice thing to be able to leave legacy software running on a system and know that you can always get at the source should you run into a problem with that particular software. As a software developer sometimes I want to look at the source code for libraries I am using to help with debugging, and I don't want to always have to stay completely up-to-date with Arch Linux packages to have easy access to source.
But, this is just a nice-to-have feature and not something that is required to comply with the GPL. So do as you think is best.
And yes, they do include all patches and necessary files to build the package exactly as the official package has been built.
If *you* would like old sources, why not mirror them for a given period of time on your own web hosting service? This seems like a great community project, if you ask me.
ftp://ftp.archlinux.org/sources/
It's not 100% complete, but it's all automated and mostly working fine.
Just started another run, I don't think I got extra in there last time I did this - trying to do it in spurts so that we don't tax the server too much.
1347
As far as ive seen though, this dir doesnt get picked up by the mirrors. Ive tried some of them and only the Indonesian had it incl. sources.Another one had it empty, most not at all.
Is that up to the mirrors?
While browsing [community] to find out issues with unreachable source links, it was quite usual to find out some packages source links were snapshots etc not being hosted anymore in the application site.
See for example http://aur.archlinux.org/packages.php?ID=4440 .
As makepkg tries to download the sources from a remote source if it doesnt find them in the same direcotory its being invoked, ABS will fail every now and then for lazarus. This doesnt apply only to snapshots, for example attr does it too, see
FS#13134.What im asking is quite complex, and i have no idea what the answer is, thats why im asking.
Is there any gain in just hosting the sources like that in a dir in the ftp for compliancies sake if the user cant somehow easily access them with ABS? Can that be done already? If i point pacman to the ftp dir to get the source it will not pick it up because -src is appended to all of them. I hope that makes sense.
With official packages, we place sources in other/$pkgname on the ftp if they are snapshots or outdated often, and change the PKGBUILD to download from there. That is how this would be solved
I don't remember exactly how I answered it.
Maybe I just figured that the purpose of these sources should not be a common usage, otherwise there could be a risk to overload ftp.archlinux.org by retrieving too many sources from there.
Which basically is:
1) Is it just a matter of doing an --allsource and hosting it somewhere accessible?
2) Does it concern all versions of the (L)GPL (3 in particular)?
3) Any other licenses that need such compliance?
Once it's pushed live, it'll do sourceballs for the packages in community.
I'll close this bug.