Re: Spam message when using CVS for webpages
Ineiev wrote: > Savane is the free software hosting system savannah.gnu.org runs. > > sv_membersh is the restricted shell used as the login shell for Savane users > when they connect via SSH. > > Savane released under the AGPL; offering the corresponding source code > is a requirement of the AGPL. I spent some time looking at this issue and my assessment is that sv_membersh is only a peripheral part of Savannah at best. It isn't needed for Savannah to operate. It's a security gate that we use to protect the host from potentially malicious activity or potentially accidental harm. It does not need to be savane software and might be any suitable component program. Even though Savannah as a whole is distributed under the AGPL Savannah makes use of many programs which are licensed under other licenses such as the other various GPL versions and other permissive licenses. That the whole of Savannah is available under the AGPL does not make a requirement that every component used in Savannah be forced into the AGPL. For example in Savannah cron is used. If that were true then it would be required to re-license cron from GPLv2+ to the AGPL. Savannah uses git and git is licensed under the GPLv2. Savannah uses Subversion is licensed under the Apache-2.0 license. And so on and so forth. Simply using these components does not require that the license always be advertised. For example GNU ls does not emit its license upon every invocation. That would interfere with its primary function. But ls will emit its license information when this is asked for with ls --version. I join our fellow colleagues asking to remove this license advertisement as being harmful to the primary function of the site. Thanks! Bob
Re: Spam message when using CVS for webpages
On Okt 18 2023, Ian Kelling wrote: > I definitely admire the ingenuity to offer source code in more > places. However, I'm pretty confident Savannah webpages are a sufficient > place to satisfy the AGPL requirement of offering source, and adding > output like this to command line operations where the only expected > output is information related to the operation is undesirable for > various reasons and will very likely cause breakage for scripts and > tools which make calls to Savannah. I think the message should only be printed when accessing the server interactively. While Savannah servers are not meant for interactive use, you _can_ access them with plain ssh, which gives you the login banner, and adding the blurb from sv_membersh here would not disturb any valid use. -- Andreas Schwab, sch...@linux-m68k.org GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510 2552 DF73 E780 A9DA AEC1 "And now for something completely different."
Re: Spam message when using CVS for webpages
Ineiev writes: > The problem is, we don't deploy the exactly same version for all > Savannah hosts at once, we update them one by one, so you hardly > would be able to tell which Git commit corresponds to software > running on the particular host; this feature makes sure the users > can download the right version. I definitely admire the ingenuity to offer source code in more places. However, I'm pretty confident Savannah webpages are a sufficient place to satisfy the AGPL requirement of offering source, and adding output like this to command line operations where the only expected output is information related to the operation is undesirable for various reasons and will very likely cause breakage for scripts and tools which make calls to Savannah. For the problem of different machines having different source, the link for source at the bottom of savannah webpages could say something like: "Savannah source repository is here: http://. Savannah is split onto several machines, and the code running on some machines can lag behind what is in our repository. Here is how to get the exact versions being run: To get the source code on the machine handling cvs requests, run rsync -avz --cvs-exclude ga...@cvs.savannah.nongnu.org:/opt/src/savane . To get the source code on the machine doing X, run ... (fill in more here)" Especially because this is likely to break other tools and annoy people, I think it should be reverted until there is some consensus among savannah hackers on the right solution.
Re: Spam message when using CVS for webpages
On Wed, Oct 18, 2023 at 03:32:44PM +, Ineiev wrote: > On Wed, Oct 18, 2023 at 03:46:55PM +0100, Gavin Smith wrote: > > I am trying to update a project's webpages after a new release, but > > every time I issue a cvs command the message is printed: > > > > > sv_membersh is part of Savane. > > > In order to download the corresponding source code of Savane, run > > > > > > rsync -avz --cvs-exclude ga...@cvs.savannah.nongnu.org:/opt/src/savane . > > > > I don't know what sv_membersh or Savane is or why I should care. > > Savane is the free software hosting system savannah.gnu.org runs. > > sv_membersh is the restricted shell used as the login shell for Savane users > when they connect via SSH. > > Savane released under the AGPL; offering the corresponding source code > is a requirement of the AGPL. > > Do you think the message should elaborate on these points? I don't know; if it is truly a requirement of the AGPL then it could be more clear that this is why the message is being printed. It looks too much like an error message. Maybe it could be prefixed with "Affero GPL notice: "? I had never chosen to run "sv_membersh" - the command I was running was "cvs". The fact that messages are being printed with details about internal workings make it look like something is broken. Even if it uses SSH internally, I am not really thinking about SSH when I run cvs. Perhaps the message could also contain clear instructions on how to turn it off, too. > The problem is, we don't deploy the exactly same version for all > Savannah hosts at once, we update them one by one, so you hardly > would be able to tell which Git commit corresponds to software > running on the particular host; this feature makes sure the users > can download the right version. Could you put instructions on the Savannah web portal for checking versions of software and getting corresponding source code for different hosts, which users could refer to instead of sending them the message? I am not familiar with the Affero GPL but I looked at section 13 "Remote Network Interaction") (at https://www.gnu.org/licenses/agpl-3.0.en.html). "... your modified version must prominently offer all users interacting with it remotely through a computer network (if your version supports such interaction) an opportunity to receive the Corresponding Source of your version" I don't know if I really could have been said to be "interacting" with sv_membersh. It was running as a back-end service for one-off commands that I was running from the command line. Another suggestion is to ensure that anybody running these command line commands also has access to the Savannah web portal. Then the "offer" could be provided through the web portal, rather than by printing output to the terminal. > > Can this unnecessary and annoying message please be removed? > > You can disable that message in your Savannah account configuration > (the 'Quiet SSH member shell' checkbox). Thanks, I will do that.
Re: Spam message when using CVS for webpages
On Wed, Oct 18, 2023 at 10:07 AM Gavin Smith wrote: > On Wed, Oct 18, 2023 at 09:56:17AM -0500, Corwin Brust wrote: > > Thanks for raising this issue. FWIW it has also been brought up by > > others. We are planning on discussing with FSF today, at the regular > > "volunteers" meeting, where most weeks svh and fsf sysop staff connect. > > > > We'll update you assuming this topic does get discussed and there is some > > conclusion to share (or when there is). > > > > Kind regards, > > Corwin > > That's good to hear! Thank you for your quick response. > Hi Gavin, I wanted to write back just to quickly confirm that this was discussed with FSF staff. Per my understanding, I believe others of the Savannah Hackers are planning to weigh in on this discussion as well. (If that happens in another thread/ticket I'll be sure to CC you if I spot you in the copy-trail.) I also plan to make another reply myself to clarify my own position (granted, as the newest member of the team), in brief: that this notification is above and beyond the plain requirements of hosting an AGPL program and should be either removed/rolled-back or else perhaps we could consider setting the QUIET flag en-mass. Meanwhile, as the team works to invite discussion and socialize a consensus, I think Ineiv has already provided instruction for turning this off within the Savannah web interface. Don't hesitate to reach out if you have any trouble with that or other thoughts you may have. Thanks again for writing. Corwin
Re: Spam message when using CVS for webpages
On Wed, Oct 18, 2023 at 03:46:55PM +0100, Gavin Smith wrote: > I am trying to update a project's webpages after a new release, but > every time I issue a cvs command the message is printed: > > > sv_membersh is part of Savane. > > In order to download the corresponding source code of Savane, run > > > > rsync -avz --cvs-exclude ga...@cvs.savannah.nongnu.org:/opt/src/savane . > > I don't know what sv_membersh or Savane is or why I should care. Savane is the free software hosting system savannah.gnu.org runs. sv_membersh is the restricted shell used as the login shell for Savane users when they connect via SSH. Savane released under the AGPL; offering the corresponding source code is a requirement of the AGPL. Do you think the message should elaborate on these points? > This message was not printed before and is distracting and confusing. I > have updated GNU webpages using CVS many times over several years and never > had this message before. That was an omission. > Using CVS from the command line is fiddly enough as it is (as I only > use CVS infrequently to update GNU webpages I don't use it enough to be > comfortable with it) without having extra messages to worry about. > This message looks like an advert to me and isn't helpful. If I wanted > to download the source code of Savane I would look for it myself, without > having it shoved in my face. The problem is, we don't deploy the exactly same version for all Savannah hosts at once, we update them one by one, so you hardly would be able to tell which Git commit corresponds to software running on the particular host; this feature makes sure the users can download the right version. > Can this unnecessary and annoying message please be removed? You can disable that message in your Savannah account configuration (the 'Quiet SSH member shell' checkbox). signature.asc Description: PGP signature
Re: Spam message when using CVS for webpages
On Wed, Oct 18, 2023 at 09:56:17AM -0500, Corwin Brust wrote: > Thanks for raising this issue. FWIW it has also been brought up by > others. We are planning on discussing with FSF today, at the regular > "volunteers" meeting, where most weeks svh and fsf sysop staff connect. > > We'll update you assuming this topic does get discussed and there is some > conclusion to share (or when there is). > > Kind regards, > Corwin That's good to hear! Thank you for your quick response.
Re: Spam message when using CVS for webpages
On Wed, Oct 18, 2023 at 9:46 AM Gavin Smith wrote: > I am trying to update a project's webpages after a new release, but > every time I issue a cvs command the message is printed: > > > sv_membersh is part of Savane. > > In order to download the corresponding source code of Savane, run > > > > rsync -avz --cvs-exclude ga...@cvs.savannah.nongnu.org:/opt/src/savane > . > > I don't know what sv_membersh or Savane is or why I should care. [SNIP] > > This message looks like an advert to me and isn't helpful. Thanks for raising this issue. FWIW it has also been brought up by others. We are planning on discussing with FSF today, at the regular "volunteers" meeting, where most weeks svh and fsf sysop staff connect. We'll update you assuming this topic does get discussed and there is some conclusion to share (or when there is). Kind regards, Corwin
Spam message when using CVS for webpages
I am trying to update a project's webpages after a new release, but every time I issue a cvs command the message is printed: > sv_membersh is part of Savane. > In order to download the corresponding source code of Savane, run > > rsync -avz --cvs-exclude ga...@cvs.savannah.nongnu.org:/opt/src/savane . I don't know what sv_membersh or Savane is or why I should care. This message was not printed before and is distracting and confusing. I have updated GNU webpages using CVS many times over several years and never had this message before. Using CVS from the command line is fiddly enough as it is (as I only use CVS infrequently to update GNU webpages I don't use it enough to be comfortable with it) without having extra messages to worry about. This message looks like an advert to me and isn't helpful. If I wanted to download the source code of Savane I would look for it myself, without having it shoved in my face. Can this unnecessary and annoying message please be removed? Thank you for your work on Savannah.
