On Mon, 10 Jul 2023 02:02:21 -0400
bill-auger <bill-auger@peers.community> wrote:

> On Mon, 10 Jul 2023 03:41:59 +0200 Denis wrote:
> > That same paper from 2019 has some numbers:
> > +---------------+-----------------------+
> > | Debian        | over  59 000 packages |
> > | Maven Central | over 290 000 packages |
> > | RubyGems      | over 150 000 packages |
> > +---------------+-----------------------+
> 
> there is one hugely important factor missing from that numerical
> comparison - debian repos are curated/audited/vetted, all are built
> from source, and all source code is provided - simply "adding" 150,000
> packages to guix sounds like a big deal? - consider that _none_ of
> them have yet been audited by anyone who cares about licensing

If the repository has strict licensing criteria, then we can count it
as audited, but only for licensing (not for security, code quality,
whether the package really works, etc.).

But then, precisely because distribution repositories are audited for
more than just licensing, it might not be feasible to package 150 000
ruby packages.

Then there remains our disagreement (as I understand it):
- I'd like users to be able to use the 100% free subset of the
  programming language packages (so without necessarily any auditing
  other than freedom) even if this is discouraged due to other
  concerns, because some use cases really require them.
- You'd most likely prefer if nobody used these packages at all because
  they don't have the guarantees usual distributions provide.

Note that if replacements are made for CRAN (R repository) or cargo
(Rust repository) we can still warn about what is and isn't handled by
the fully free repositories (because upstream doesn't handle that as
well).

Denis.
