FS#33926 - Pacman should be a bit more explicit when users install closed source/nonfree packages

Attached to Project: Pacman
Opened by Georgiy Treyvus (hiushoz) - Tuesday, 19 February 2013, 08:27 GMT
Last edited by Allan McRae (Allan) - Tuesday, 19 February 2013, 11:00 GMT
Task Type Feature Request
Category General
Status Closed
Assigned To No-one
Architecture All
Severity Medium
Priority Normal
Reported Version 4.0.3
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

First of all let me begin by stating what I feel Arch/Pacman does right and then I will proceed to explain what Arch/Pacman could do better.

What Pacman does right:

Here's a quote taken straight from ( https://wiki.archlinux.org/index.php/The_Arch_Way ) which I wholeheartedly agree with:

"The large number of packages and build scripts in the various Arch Linux repositories also support freedom of choice, offering free and open source software for those who prefer it, as well as proprietary software packages, for those who embrace functionality over ideology. It is the user who chooses."

I think this is an excellent philosophy. Though I try to stick with FLOSS whenever possible, when I do need something closed source it's truly great that it can be easily gotten from the same default common repositories. It's really nice when you don't have to enable third party repositories maintained by who the hell knows who. It's nice not having to fiddle with signing keys (not that there was much of a choice before Pacman 4). It's really nice that when I really need closed source software I can just get it and use it without a hassle.

What Pacman could do better:

Though I think it's really nice that closed source software is easily available should I need it the fact is that I (and many other users also) care about my freedom. I try to stick with an absolute minimum of closed source/nonfree software. I'm one of those people that has actually used the stock Fedora repositories without enabling RPMFusion or any other such fripperies. I've literally done stuff like this for months at a time. Only closed source stuff on my laptop was the BIOS itself and not even the driver just the firmware used by my wireless card.

Say I want to install something which either is a closed source package or depends on a closed source package. I feel that there should be a small warning when that's the case. This warning should not be particularly obtrusive but it should be there and should explicitly identify all closed/nonfree packages involved so I know exactly what the problem is. Those who don't care about freedom could simply ignore it. Hell to further make life nicer for these people there should be both a command line switch and a setting you can tweak in pacman.conf to disable these warnings. However I feel these warnings should be there for those of us that care about our freedom and be enabled by default. This way people can easily make an informed decision about how they want their system to be.

There are clunky workarounds to this problem. Like before installing a package one can go pacman -Si or pacman -Sii and look at the license section. If it says something like GNU, MIT, BSD, Apache, Artistic, or whatever else there's just this warm fuzzy feeling. If it says Custom as it often does that means that I need to spend an assload more time investigating further and that the package involved is probably not good news. However not all packages with a Custom license are closed source. For example sure the flashplugin package is closed but the truecrypt package is open source. It has somewhat weird licensing terms for sure. Maybe it's not free enough for the Fedora but it is free enough for me and I'm guessing many other reasonably sane individuals as well. Basically having Custom for the license is not particularly informative. One suggestion might be to split Custom into Other Open Source License and Closed Source categories. The final point I want to make is that this workaround totally fails if say an otherwise bona fide open source package program depends on a closed source package. Users would have no way of knowing whether or not their freedom was potentially being compromised short of recursively following the dependency tree all the way down which is absolutely ridiculous. I really feel Pacman should take care of that.

In conclusion I feel implementing the suggestions outlined above would be a huge step forward for Arch/Pacman. I feel that this would make it easier for users to choose the optimal balance between ideals and pragmatism. I feel that these changes would make Pacman conform further in accordance with The Arch Way. After all The Arch Way is about users being able to control and shape every aspect of their system. This should include whether or not they're willing to tolerate nonfree/closed source crap and if so exactly how much. The Arch Way is also about transparency and about not hiding any aspects of the system. The Arch Way is ultimately about people being empowered to make informed decisions about every aspect of their system as I said before.

Please consider this and let me know your thoughts.
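
The manual workaround the report describes (reading the licence field from `pacman -Si` and then following dependencies by hand) can be automated. The following is an added example, not part of the original report and not pacman code: it parses `pacman -Si`-style records and walks the full dependency closure, flagging every package whose licence needs a manual look. The package names and records are constructed, and the `REVIEW` set is an assumption about which licence values warrant review.

```python
import re

# Constructed sample in the layout of `pacman -Si` output (hypothetical packages).
SAMPLE = """\
Name            : mediaplayer
Licenses        : GPL
Depends On      : codec-pack  glibc>=2.17

Name            : codec-pack
Licenses        : custom
Depends On      : glibc

Name            : glibc
Licenses        : GPL  LGPL
Depends On      : None
"""

REVIEW = {"custom", "unknown"}  # assumption: licence values that need a manual look

def parse_si(text):
    """Parse `pacman -Si`-style records into {name: {"licenses", "depends"}}."""
    db = {}
    for record in text.strip().split("\n\n"):
        fields = {}
        for line in record.splitlines():
            key, sep, value = line.partition(" : ")
            if sep:
                fields[key.strip()] = value.split()
        deps = [re.split(r"[<>=]", d)[0] for d in fields.get("Depends On", []) if d != "None"]
        db[fields["Name"][0]] = {"licenses": fields.get("Licenses", []), "depends": deps}
    return db

def flag_closure(db, target):
    """Walk the dependency closure of target; return {package: flagged licences}."""
    flagged, seen, stack = {}, set(), [target]
    while stack:
        pkg = stack.pop()
        if pkg in seen:
            continue
        seen.add(pkg)
        info = db.get(pkg)
        if info is None:
            flagged[pkg] = ["unknown"]  # no record for this package: cannot vouch for it
            continue
        hits = [lic for lic in info["licenses"] if lic.split(":")[0].lower() in REVIEW]
        if hits:
            flagged[pkg] = hits
        stack.extend(info["depends"])
    return flagged
```

Calling `flag_closure(parse_si(SAMPLE), "mediaplayer")` reports `codec-pack`, the case the report singles out: a package with a well-known licence that pulls in a `custom`-licensed dependency.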
Closed by Allan McRae (Allan)
Tuesday, 19 February 2013, 11:00 GMT
Reason for closing: Duplicate
Additional comments about closing: The part relevant for pacman is duplicate of FS#6510
Comment by Allan McRae (Allan) - Tuesday, 19 February 2013, 11:00 GMT
Worst bug report ever... the commentary is not needed.

It comes down to
1) being more specific with licenses
2) adding an option to restrict/notify packages with given licenses

The first is not going to be implemented in Arch. The second is FS#6510.
Comment by Georgiy Treyvus (hiushoz) - Tuesday, 19 February 2013, 19:29 GMT
@Allan:

Sorry that I wasn't aware of/this is a duplicate of item #2. Also why not implement item #1? We don't need an elaborate taxonomy just a simple indicator of whether or not our rights as users are under attack. It's a simple boolean value. All it would take is splitting Custom into two simple categories. Something like Other Open Source License and Closed Source License. Would it really be that hard? Just like add a boolean value (or an int as Pacman appears to be coded in C89 if I recall correctly from when I last audited the source) like users_are_free to struct __alpm_pkg_t and a few lines of supporting code sprinkled here or there. Most of the stuff in the Arch repos already has well known/defined licenses so converting the Custom ones is not going to be so bad as they're a tiny fraction of what's in the repos. Why should flashplugin which is closed source trash be treated the same way as truecrypt and sbcl which are both Open Source but have slightly quirky licenses?
Comment by Allan McRae (Allan) - Tuesday, 19 February 2013, 21:55 GMT
It is treated the same way in Arch Linux because we do not care about the difference. That is not a pacman issue...