I am really fan of GuixSD and I consider it future of computing. Today I have tried to find the source code for packages, but I could not find it in such way to conform to GPL 2 license. I did not verify other versions of licenses.
I woke up, and realized, that each package description contains direct link to the original source code, like from the author of software or from other, third party websites. But they miss to provide the modified corresponding source codes. There are some important matters that have to be implemented basically as fast as possible, to conform to GPL 2 and other GPL versions. And if GPL is in fact violated, by the design of guix packaging, then maybe also other licenses have to be reviewed if they are also disrespected in similar manner. The GPL2 license is here: http://www.gnu.org/licenses/gpl-2.0.html Let us take one example of packages that violate the GPL2 license: ## Pulseaudio Package: pulseaudio, licensed under GPL2+, there are patches for it in gnu/packages/patches, for example following patches: pulseaudio-fix-mult-test.patch pulseaudio-longer-test-timeout.patch As with my understanding the substitute on hydra server is like binary. When user makes: guix package -i pulseaudio, the substitute is downloaded from hydra server. The substitute is the patched or modified version. In accordance with the GPL2+, here are violations: - the above mentioned patches applied, violate GPL, by the section 2 (a) "You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change." -- because packages are built on the fly on hydra, so the date of change is probably modified each time at time of building or modifiying the package. Further there are no prominent notices, as there is no source code to it! - it is in violation of section 3. as none of the points (a), (b), (c) are satisfied, because the substitute that is copied and distributed is not accompanied with the corresponding source code, neither it is accompanied with the written offers to provide source code, valid for at least three years. - the substitute for the package (binary) is not accompanied with the GPL2 license, as GPL2+ license requires it in the section 1. " You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program." And when there is binary distribution (Section 3), such binary distribution (substitute distribution) must be done under terms of Sections 1 and 2, which means that with the program, there must be License as well, which is not in the package. It is not in my system, I have searched for license in /gnu/store/f455aa8rar4a50z7bpl8qmc5ffhqv5zd-pulseaudio-8.0/bin/pulseaudio A simple reference to GPL in the man page is not a license. I do not want to provide other examples, as it seems it was by design forgotten to comply to the GPL 2 license. SUMMARY OF VIOLATIONS: ---------------------- 1. FORGETTING TO INCLUDE THE LICENSE: In violation of the section 1. of the GPL2, the distribution of substitutes do not make sure to give with the program the copy of the License. This is also the case with the pacakge aria2 and I can only assume by indications that this maybe the case with many other GPL2 packages in GuixSD. 2. MODIFICATIONS NOT APPROPRIATELY APPLIED In violation of the section 2, (a) modified files do not carry prominent notices, and WHO changed the files. If the files were changed by Hydra, that shall be explained in such modifications IMHO. It cannot be said that files were changed on Hydra server by the author of the patch. Such author may not have any relations to GuixSD. So who is changing it? There must be prominent notice on that, and the exact date of change. One cannot just fake dates and say that day of change is the day when patch was made by some author. The day of change is the exact date when it was changed on Hydra. This should also apply to all the patches that GuixSD is doing on packages automatically. 3. DISTRIBUTION OF OBJECT OR EXECUTABLE CODE WITHOUT SOURCE CODES In violation of the section 3. of the license GPL2, (others I did not review), the substitutes are offered from Hydra in object or executable form, without accompanying complete corresponding source code. I could not find it here: http://hydra.gnu.org/job/gnu/core-updates/pulseaudio-6.0.x86_64-linux I have asked on IRC chat #guix but nobody could give me a single link to the modified source code on Hydra. It was not that easy. EXCUSES FOR THE ABOVE VIOLATIONS ARE FOLLOWING: - that each user, can, by using commands, such as: guix build --source packagename, receive the package from the distribution's servers, patch it by programmatical way, and receive the corresponding source code in that manner. - however, the same could be said for the License, one could distribute the program, without the License, and give to users script to run to receive the License. This is still contrary to what GPL2 requires, it requires that License is distributed with the program, and user need not run any script to get it. Further, how is distributor to assume at all that user "must have Internet" to receive the license. If user received object code, he shall get the license along with the object code. He maybe have no further access to Internet. License shall be there. FOLLOWING TESTS I HAVE DONE TO VERIFY IF THERE IS CORRESPONDING SOURCE CODE: For the package: nvi, I have done following: guix build --source nvi And I could see that package was distributed from Internet location: https://mirror.hydra.gnu.org/nar/lw20jhpl4dgsl3hrin71lnq9wga2yfr9-nvi-1.81.6.tar.xz I have downloaded the package by using wget. The MD5SUM of the package was: 406b0ec7f6af1923437561a40d3148f4 lw20jhpl4dgsl3hrin71lnq9wga2yfr9-nvi-1.81.6.tar.xz After that I have asked guix package manager to show me the corresponding source code: guix build --source nvi /gnu/store/lw20jhpl4dgsl3hrin71lnq9wga2yfr9-nvi-1.81.6.tar.xz And the MD5SUM of that package: /gnu/store/lw20jhpl4dgsl3hrin71lnq9wga2yfr9-nvi-1.81.6.tar.xz is: 3b158f28ba27e4f1449bd429805abe12 /gnu/store/lw20jhpl4dgsl3hrin71lnq9wga2yfr9-nvi-1.81.6.tar.xz which tells me that the corresponding source code WAS NOT ACCOMPANIED with the object/executable form on Hydra server (distribution's servers). The corresponding source code is rather created, constructed, patched or generated on the user's computer. When an object code/executable form, named substitute is available at Hydra server, there must be available the corresponding source code too, or otherwise offers to provide it in the future (for 3 years) or at option 3. (c) in the GPL2. One cannot just assume or force anyone to use Guix command to receive the corresponding source code (even though this is convenient for Guix users). Please read GPL2, http://www.gnu.org/licenses/gpl-2.0.html, sections 1, 2, 3, 4 -- and I hope that this matter is improved or solved. I speak of general design in Guix packaging. That means that many many packages are affected by my assumptions above. Jean Louis
