While distributions typically have high quality packages that work fine, a lot of software is not packaged in distributions.
This often lead users to rely on third party package managers that are often provided by the distribution.
This page tries to summarize the research about such third party package managers, especially to understand which one can be added in or kept in FSDG compliant distributions, and which ones should be removed or replaced.
For some reasons, FSDG compliant distributions have many packages that are configured to use third party repositories that contain nonfree software. This makes it complicated for end users to understand what is provided by the distribution and what is not, especially because the FSDG distributions are supposed to be fully free.
In order to solve this problem, we need to:
Understand what third party repositories programs or packages use, and understand the requirements of these third party repositories.
Teach users about the problem until it is fully solved
Start addressing the problem in various ways:
Work with upstream to make it possible to configure at compilation time a filter that will filter out the nonfree third party software. This also requires to have very strict licensing policies in the third party repository. For instance if a third party package says it is GPLv2 while also including nonfree software, we can't easily filter it out. Also note that the FSDG requires more than having just fully free packages, so it might be worth looking into that before starting to work on that to see how FSDG requirements can be expressed in third party package definitions somehow.
If working with upstream is not possible, create alternative repositories that are fully free.
It is also sometimes possible to disable the nonfree repositories and create other alternatives. The 'guix time-machine [...] -- guix shell -C <package list> -- <command>' command is a good alternative to docker for instance. It is also possible to use Guix or debuerreotype to create docker containers which in some cases can help users avoid the docker hub repository.
Similar issues
Some programs are not package managers but have a similar effect: they download and run code from remote locations.
A well known example of that is web browsers that in many cases automatically run nonfree JavaScript from web pages. And there are several ways to avoid that. Some FSDG distributions even configure some browsers (but usually not all of them) to not run nonfree JavaScript by default. But this typically doesn't cover all browsers, and when a browser is covered, the user is still not in control of the code that is being run (there are legal freedoms as the code is free and that the user can get the source, but it is usually extremely unpractical to run a modified version, even for very technical users).
But there are also less well known programs that run code from remote locations, and this is dangerous because users are not aware of that. For instance yt-dlp in some situation can also run nonfree JavaScript. Knowing in which conditions it does that requires more research. We also need to do more research to understand which programs are affected. For instance does python-woob also run nonfree JavaScript? If so which version do that? In which conditions?
FSDG compliant or 100% free software repositories
This contains repositories that are either 100% free or FSDG compliant.
The CrossDistroBootstrap also has some information on how reusable are some FSDG distribution repositories. For instance PureOS and Trisquel are now in upstream debootstrap, but to use that safely and easily distributions also need to package the PureOS/Trisquel keyrings.
As for using other distribution repositories, the DistroExecutionEnvironments page has more information about which container/virtualization systems work with which distribution.
Its its man page has: "Please pay some attention to the license field to make sure that it is accurate. Use the identifiers from the SPDX project, making sure to use an open source license.". This means that it probably allows the artistic license 1.0 which is non-free as it is open-source but not free according to GNU unless someone convince them to change this.
Not reliable, even allows no license: "The manifest [...] contains [...] information about the crate [...] such as the name and version, others optional like the licenses"
According to the What’s in a package blog post from guix-hpc.info, we have package like PyTorch that bring in nonfree dependencies like CUDA in conda. Also note that there are terms of services associated with the use of the servers: "Use of Anaconda’s Offerings at an organization of more than 200 employees requires a Business or Enterprise license. For more information, see our full Terms of Service, or read Frequently Asked Questions about our Terms of Service."[7]
Not referenced by FSDG distributions, so nothing to fix.
Since CRAN licensing information is very strict, it might be very easy to make an FSDG compliant repository out of it, by removing packages with licenses considered nonfree by GNU / The FSF. That repository is already fully automated so it might be very easy to fix and maintain.
It is also possible to run your own private repository: pypi.org mentions that "PyPI does not support publishing private packages. If you need to publish your private package to a package index, the recommended solution is to run your own deployment of the devpi project."[9] and Guix has the
For known FSDG compliant repositories that have browser addons, see the BrowserAddons wiki page.
Repository name / URL
Compatible browsers
Licenses requirements
Reliability of license fields
Status
Comments
addons.mozilla.org
Firefox and derivatives
Don't seem very strict.
I was told that it wasn't possible to make certain distinctions (multiple licenses? GPL specific versions? Licenses with exceptions (GPL + exception), etc.
Not FSDG compliant
Already removed from most/all FSDG compliant distributions.
There is no standard way to report the licenses being used. In many cases this makes it extremely complicated to know the license of a container. In other cases, (like a PureOS image) you can use the tools of the distribution to find out (PureOS packages do have licenses).
Docker has a default repository for images according to the docker bug #7203 and to a stackoverflow comment. Since that repository is used in the 'docker' command line tool, it needs to be replaced or removed.
Distribution
Status
Dragora
Dynebolic
Guix
Has a docker package
Hyperbola
LibreCMC
Parabola
#3421 Patched to not use docker hub by default. Users have to manually specify which docker repository to use when using docker commands that use docker repositories.
ProteanOS
Replicant
Doesn't ship docker
PureOS
Has a docker package
Trisquel
Ututo S
GNOME Boxes (+osinfo-db)
Repository of distribution installation images that is constructed with libosinfo and osinfo-db
↑The Canoeboot declared that "Canoeboot adheres to GNU FSDG, which means it must not directly distribute proprietary software, and neither should it lead people towards proprietary software." on the GNU Boot mailing list. And Canoeboot isn't listed in the list of FSDG compliant distributions in gnu.org/distros. This means that the maintainer voluntarily follows the FSDG. If the maintainer stops following it there is no way to notify users though.
↑ The project declared that "This channel provides exclusively free software in accordance with the FSDG." on the project README.md. This means that the maintainers voluntarily follows the FSDG. If the maintainers stops following it there is no way to notify users though.
↑This could help avoiding the use of the repository as it makes it easier to create packages and/or check licensing information for the software you want/need. See the "10.5 Invoking guix import" section in the Guix manual for more information. Also note that guix import also works on some 100% free repositories like elpa, and it also has an importer for GNU packages as well.
The Free Software Foundation (FSF) is a nonprofit with a worldwide mission to promote computer user freedom.
We defend the rights of all software users. (Read more)