On Thu, 22 Dec 2022 05:34:26 +0100 Denis wrote:
> The question is if Parabola should add policies that go further

i am generally on-board with that - i suggested a policy review and revisions about a year ago


On Thu, 22 Dec 2022 05:34:26 +0100 Denis wrote:
> I am also unsure if Parabola also has a rule that requires to have very
> precise licensing information or not[7]?

only the PKGBUILD license=() array - i think that should reference licenses of _whatever_ is in the parabola source package (*-src.tar.xz)


On Thu, 22 Dec 2022 05:34:26 +0100 Denis wrote:
> unlike Parabola, Trisquel and PureOS probably
> have rules requiring to recompile packages from the upstream
> distribution.

im pretty sure that Trisquel and PureOS are both > 90% packages imported from their respective upstreams, same as parabola

another point comes to mind though - as distros near 100% "reproducible", the motivation and value of rebuilds changes, from avoiding trusting the upstream via redundant effort, to a verification of the upstream package globally, across all debian downstreams


On Thu, 22 Dec 2022 05:34:26 +0100 Denis wrote:
> If for instance we decide in Parabola that all the third-party
> repositories should follow the same rules as Parabola, then we will
> probably end up having to remove all the software that is configured to
> use third party repositories, or at least disable the repositories.

luckily, the abrupt ejection of pip and rubygems has caused minimal damage - the remaining others are much less popular


On Thu, 22 Dec 2022 05:34:26 +0100 Denis wrote:
> Parabola has a document that explains what users should expect of
> it[6], so in any case we can explain to users what Parabola protects
> against and what it doesn't protect against.
>
> [6]https://wiki.parabola.nu/How_does_Parabola_protects_users_against_nonfree_software

maybe freemor will like to look that over and/or improve or expand that article - freemor has been the most adamant about that aspect of parabola - explaining the rather low limitations, to how any distro can protect its users, especially debunking the common security paranoia support questions (such as: each user must define a "threat model" and be somewhat vigilant - the distro can not do those things for everyone)

not to mention that parabola, as a power-user distro, does not really want to protect the user from oneself - i think myself and freemor agree, the "take-home message" should be "Parabola protects users primarily, by teaching them how to protect themselves, and providing clean tools and a clean base environment in which to do so"

parabola users even need to know how to protect themselves against parabola (learn about makepkg, keep a liveISO and learn about pacstrap, etc) - there are no guarantees from parabola or any upstream - this month has been an especially wild ride - parabola has been broken in 3-4 rather serious ways this month - probably every parabola user hit at least one snag this month

over-all, some "Parabola 101" primer would be helpful - eg: to update the obsolete "beginners guide" - ie: "what parabola can do for users" is a much shorter list and is less important than "what parabola users can (and must) do each for oneself"


On Thu, 22 Dec 2022 05:34:26 +0100 Denis wrote:
> Personally I would prefer if we keep FSDG compliant repositories

the difficulty is in how to determine which repos are FSDG compliant repositories, when none of them have that as a goal - the haskell repo strives to be OSI-compliant - that is perhaps close enough - but i expect a very short list in the end:

* debian
* guix
* haskell
* hyperbola
* pureos
* trisquel

that could be the complete list already

_______________________________________________
Dev mailing list
[email protected]
https://lists.parabola.nu/mailman/listinfo/dev
