Search Engine on start.fedoraproject.org

Toshio Kuratomi a.badger at gmail.com
Sat Jul 24 13:55:29 UTC 2010


On Fri, Jul 23, 2010 at 02:20:42PM -0500, Mike McGrath wrote:
> On Wed, 21 Jul 2010, Mike McGrath wrote:
> 
> > It's been pointed out to me that start.fedoraproject.org is in violation
> > of Infrastructure's free software policy:
> >
> > http://infrastructure.fedoraproject.org/csi/free-software-policy/en-US/html-single/#FreeSoftware-Standard-Choosing
> >
> > In particular the "Proprietary Dependence" clause.  Now, start.fp.o has
> > existed long before the policy was put in place and a grandfather
> > exception does exist.... but I thought I'd mention it.  This could be an
> > opportunity to completely re-think the start.fedoraproject.org home page.
> > I know that upon its design there were some major things in the works but
> > AFAIK most if not all of them fell through and that search engine link was
> > all that was left.
> >
> > Thoughts, comments?
> >
> 
> Got this from jds2001 (Jon Stanley - Board Member, Cardinals fan) who
> requested that I forward it on:
> 
> I don’t think that start.fp.o violates the free software policy, as we
> don’t host Google in Fedora Infrastructure.  I think that if we had a
> Google Search Appliance, that would very clearly violate the policy.
> Making calls to external services to me seems questionable from a pure
> freedom standpoint, but from a practical standpoint, very difficult to
> actually do.
> 
> Take Red Hat Bugzilla for example, which is (I think everyone would agree)
> in Fedora’s critical path – without it, Fedora doesn’t happen. However,
> the source code for that particular instance of Bugzilla, which has
> admittedly been modified from the upstream version to meet Red Hat’s (and
> Fedora’s) needs remains locked up inside of Red Hat. Do we cease to use it
> simply because the source is unavailable? If we cease to use Google on
> start.fedoraproject.org, I don’t see how we in good conscience could
> continue using Red Hat's Bugzilla. As for Mo’s question on “what is closed
> in RHT BZ?”, the admin API that pkgdb uses to create components, etc is
> not upstream (it wasn’t the last time I did pkgdb work that required it,
> and had to work against a test instance provided by Red Hat rather than my
> own test instance). Note that this is not an issue of trust in RHT, or a
> lack of appreciation for the service that they provide gratis, but rather
> a simple statement of “we can’t be hypocrites”
> 
> As Jef pointed out, if you cannot personally inspect the systems of a
> service provider, you have no assurance that the system that you’re using
> is indeed open. Going back to Bugzilla, yes, there is an upstream project
> called “Bugzilla”, which is what Red Hat’s instance is based on. No one
> disagrees with that. However, there is no way for me to audit that what is
> actually being provided by that “service” is the upstream code base, just
> as there’s no way for a Fedora user (without sysadmin-web) to audit the
> fact that the Mediawiki instance that we provide is in fact the Mediawiki
> code that we purport it to be.
> 
> In short, I don’t think that we can remove Google search without also
> removing all other external dependencies from the infrastructure, which is
> neither desirable nor practical.
> 
Several thoughts here:

1) I think we should have a rather stringent free-software-only policy in
infrastructure.

2) I feel in my guts that using google search violates the policy that I'd
like to set but I can see where Jon's coming from with the idea of software
that we ourselves run vs services that we depend upon others providing to
us.

3) Using Red Hat bugzilla while we know that it is closed source does seem
hypocritical to me.

4) I think the first step should be to ask Red Hat if they're willing to
throw the bugzilla code they use over the wall -- just having a tarball of
the code they use is probably enough to satisfy the strict definition of our
policy.

5) I don't think that we *must* audit an upstream installation to be in
compliance with a free software policy.  There are certainly services which
claim to be free software and services which claim to be proprietary (or at
least, make no claims to being free software).  With the question of whether
google search is allowable, google has, to the best of my knowledge, never
claimed that their search is free software so it seems a rather obvious
thing to scratch off the list.

6) So one policy could simply trust what upstream tells us about the
licensing and availability of the code that they are running (we probably
need to make clear that the code that they are running needs to be
available, not just under an open license.  That way you can't simply claim
that your unreleased code is under the BSD license, you also have to release
that code.)

-Toshio