On Sat, Aug 23, 2014 at 02:06:39AM -0400, Richard Fontana wrote:
> > We can now advertise stable URLs for source packages on http://snapshot.debian.org, but we do not include such URLs in binary packages. Perhaps it would be sufficient to document the site somewhere in the base system?
> Yes, that seems like a reasonable approach.
> I think a future revision of the license ought to clarify this, so thank you for calling attention to it.
An important thing to clarify is how specific the URL has to be. It's pretty obvious how to navigate snapshot.debian.org to find the specific sources corresponding to a particular package and its version number. So it would be nice if the license allowed this (as opposed to forcing copyleft-next licensed packages to include some kind of automatically generated URL each time the package is updated with a new version).
OTOH, if a bad actor were to specify something like "http://forums.megacorp.com", and it was not so obvious how to find the sources at:
http://forums.megacorp.com/cellar/disused_lavatory/beware_of_leopard/b06bda4...
... that might be something you might understandably want to head off by demanding a precise URL that takes you directly to the sources.
> The policy intention here is for the user to be able to rebuild the binary from the supplied Corresponding Source without undue effort or experimentation. The real target here is the proprietary or trade secret build systems that I understand plague many of the widely-encountered GPL noncompliance cases (hence the example refers to a specific version of a proprietary compiler -- the user ought to know that the binary was built with this proprietary compiler in case the user wishes to procure a copy of it himself or herself). Here too I can see how this language can be improved so as not to be read as burdensome for the free software distribution case.
The technical difficulty here is that there is a difference between whether the binary needs to be bit-for-bit identical, or not. If you can build a binary that _works_, but it's not clear whether gcc 4.7 or gcc 4.8 was used, in practice GPL enforcers won't come after you; they've got better things to do. That's a somewhat different question from whether the license is being violated technically or not.
(Yesterday, in comments after his LinuxCon NA presentation, Bradley admitted freely that he probably violates the license in minor ways all the time --- as do all developers, because there are always tiny niggling details that are so easy to get wrong. And so something to worry about is what happens if you have a license enforcer who is doing so with an evil intent; to basically shut you down by finding defect after defect, and while a court might end up disagreeing about whether a purported violation really wasn't a violation, a bad actor could easily afford much greater lawyer fees than an open source project... which is an interesting thing to consider when trying to argue from a perspective of "reasonable reading" of a license.)
I'll also note that "fails to build from source" is a bug report that is not as uncommon as you might think. Right now, it's treated as a release-critical bug which Debian maintainers try to fix as soon as possible. Licenses which are too hardline and which treat it as a license violation which must be remediated while you lose one of your "free strikes" are potentially vulnerable to abuse by a bad actor. So something to think about...
Cheers,
- Ted
P.S. While Debian is moving towards "source-only" uploads where all binary packages are built from autobuilders, there are also many binary packages, especially for the x86 platform, which are uploaded in binary form, and where there are no build logs archived anywhere, and where it might not be obvious at all whether a binary was built using gcc 4.7, gcc 4.8, or Clang.
And as a further example of how people violate the GPL all the time, consider what happens when someone puts a copy of a binary on a USB stick and hands it to a friend who needs it to recover their system? This is an example of how people violate the GPL every day in small ways. Which isn't necessarily a problem in terms of Software Freedom, but it's much like setting unrealistic speed limits; if the law is being violated every day, it tends to breed disrespect for the law...