Re: [gentoo-user] binary packages: how to ...
On Wed, Jul 15, 2020 at 07:52:27PM +0200, David Haller wrote: > dev-python/rarfile/rarfile-3.1.ebuild > RDEPEND="compressed? ( || ( app-arch/unrar app-arch/rar ) )" > This USE-flag strikes me as slightly nondescript: $ ash-euses rarfile:compressed dev-python/rarfile:compressed - Enables the module to support compressed v3 archives by calling the app-arch/unrar. Does this mean that rarfile is compatible with pre-version#3 archives without the `compressed` flag ? Regardless, the point remains that RAR is a proprietary format, which inevitably is locked to similarly proprietary (or non-free to some extent) software. According to [1] and [2], there does exist an attempt at a GPL'd implementation of RAR, however its development has since ceased, and it only supports up to v2 archives. It seems like every reasonably modern archiving software supporting RAR does so via E. Roshal's `unrar`, disallowing the creation of a RAR-creation utility [3]. [1] https://en.wikipedia.org/wiki/RAR_(file_format)#Third-party_software_for_extracting_RAR_files [2] http://www.unrarlib.org/ [3] https://en.wikipedia.org/wiki/PeaZip#Third-party_technologies -- Ashley Dixon suugaku.co.uk 2A9A 4117 DA96 D18A 8A7B B0D2 A30E BF25 F290 A8AA signature.asc Description: PGP signature
Re: [gentoo-user] binary packages: how to ...
Hello, On Wed, 15 Jul 2020, Matt Connell (Gmail) wrote: >It seems that in order to un-rar something in a fully free-software- >compatible way, I believe options are limited to using a programming >language library. dev-python/rarfile is available under the ISC >license, which is listed as GPL compatible. dev-python/rarfile/rarfile-3.1.ebuild RDEPEND="compressed? ( || ( app-arch/unrar app-arch/rar ) )" -dnh -- Microsoft DNS service terminates abnormally when it recieves a response to a DNS query that was never made. Fix Information: Run your DNS service on a different platform.-- bugtraq
Re: [gentoo-user] binary packages: how to ...
On Wed, 2020-07-15 at 17:14 +0100, Ashley Dixon wrote: > This forces the "unRAR" LICENSE on p7zip Good point. It should be noted that app-arch/unrar (suggested elsewhere in the thread) and some other packages for working with rar achives also require accepting this license. It seems that in order to un-rar something in a fully free-software- compatible way, I believe options are limited to using a programming language library. dev-python/rarfile is available under the ISC license, which is listed as GPL compatible.
Re: [gentoo-user] binary packages: how to ...
On Wed, Jul 15, 2020 at 09:29:03AM -0500, Matt Connell (Gmail) wrote: > On Wed, 2020-07-15 at 12:13 +0200, n952162 wrote: > > Is there an open-source way to view the contents of a rar archive? > > The p7zip package, if compiled with the "rar" USE flag, can handle > this, in case you have it already. This forces the "unRAR" LICENSE on p7zip, as opposed to the Lesser GPL: app-arch/p7zip ebuild: LICENSE="LGPL-2.1 rar? ( unRAR )" Unfortunately, as [1] describes, this licence is non-free and GPL-incompatible. The full text is at `$(q -Ce PORTDIR)/licenses/unRAR`, for your viewing displeasure. [1] https://fedoraproject.org/wiki/Licensing:Unrar -- Ashley Dixon suugaku.co.uk 2A9A 4117 DA96 D18A 8A7B B0D2 A30E BF25 F290 A8AA signature.asc Description: PGP signature
Re: [gentoo-user] binary packages: how to ...
On Wed, 2020-07-15 at 12:13 +0200, n952162 wrote: > Is there an open-source way to view the contents of a rar archive? The p7zip package, if compiled with the "rar" USE flag, can handle this, in case you have it already.
Re: [gentoo-user] binary packages: how to ...
On Wed, Jul 15, 2020 at 4:06 AM Neil Bothwick wrote: > > As Andreas mentioned, the LICENSE setting is probably a more reliable way > of excluding such packages. By only allowing open source licences you > prevent the installation of proprietary binary packages. You can still > install the *-bin packages as they are mostly convenience packages to > save you lengthy compilation by using the developer's provided binary > packages of open source software. There might be the really odd case of something that has an FOSS license but which is available binary-only, either because it was never packaged for Gentoo in source form, or because it actually is a binary by nature. These are pretty rare and honestly I'm not sure if we have any in our repos. I do remember seeing the odd case of some project that uses GPL for its license but there is no source. It wasn't that there wasn't source code available - the project didn't have any source. Such as using a GPL license for a photograph or something (not what it was intended for, but probably not illegal). In any case, if you set your license filters appropriately, and bindist appropriately, you will end up with a system that completely complies with your license requirements, binary packages or otherwise, so you won't get in trouble for redistribution/etc. -- Rich
Re: [gentoo-user] binary packages: how to ...
On Wed, 15 Jul 2020 12:13:44 +0200, n952162 wrote: > Is there an open-source way to view the contents of a rar archive? app-arch/unrar -- Neil Bothwick Hospitality: making your guests feel like they're at home, even if you wish they were. pgpkfH9jgNB0Z.pgp Description: OpenPGP digital signature
Re: [gentoo-user] binary packages: how to ...
On 07/15/20 07:01, Andreas Fink wrote: ... Searching for -bin does not help to find binary only packages. Two more examples, which are binary only: zoom, skypeforlinux Searching for -bin mostly (if not always) implies that there would be a possibility to compile it from source. In my experience so far, every binary-only package does not have an open source license. So mostly you'll hit a license issue and you have to accept the license (/etc/portage/package.license) before you will be able to merge the package. Any license issue should start make you thinking what is going on, since it is a potential binary-only package. Installation of these packages is inhibited by emerge, because you have to accept the license first ;) When I look into my /etc/portage/package.license file I get a good idea of which packages are binary only. Not all of them are pure binary packages, but it is a superset as far as I can tell. To conclude: You cannot find out if a package is binary only with emerge. You have to do the research yourself, but /etc/portage/package.license is a good starting point to find potential candidates. Cheers Andreas Yes, the license issue came up, and I pavlov-wise put the exception in. I repressed the suspicion that I shouldn't be doing that. Thank you. Is there an open-source way to view the contents of a rar archive?
Re: [gentoo-user] binary packages: how to ...
On 07/15/20 01:46, Ashley Dixon wrote: On Tue, Jul 14, 2020 at 11:24:31PM +0200, n952162 wrote: binary packages: how to: 1. find out if a package is binary before you install it (e.g. where on app-arch/rar does it say it's a binary package) RAR is an unusual case, with both the "mirror" and "bindist" flags set in the RESTRICT variable (i.e., Gentoo cannot legally mirror the package, and you're not allowed to redistribute binaries either). I couldn't find anything in the ebuild which suggests it is a binary package; perhaps this is something that should be reviewed by the Gentoo developers, as most packages supporting a binary distribution provide a separate package with the `-bin` suffix, although I suppose this doesn't make much sense when there is no source package. The entire RAR business model of free decompression and paid compression has caused confusion for many people over many decades. I'd always stick to 7zip or one of the classic UNIX compression utilities, if I had a choice. 2. inhibit their installation Don't install them. ;-) More seriously: there's not that many of them, so it's probably not a process worth automating, unless you're on a multi-user machine, in which untrusted users can install packages - although I think you'd have more significant problems at that point. As you've unfortunately discovered, there isn't much of a concrete framework in place to automatically detect binary packages, which also makes Point (3) difficult. 3. get a list of the ones installed on a system `EIX_LIMIT=0 eix --only-names -I *-bin`, perhaps ? Unfortunately, this won't catch the unusual cases, as seen with `app-arch/rar`. Any ideas about that are appreciated. [1] might be worth a read; it's quite comprehensive, and gives you a glimpse into the inner-workings of Portage, allowing you to fix these issues yourself. Something to note: "bindist", as the USE-flag and RESTRICT option, does not mean "use a binary distribution", but rather "compile the package in such a way that I can redistribute my build without putting myself in a legal problem with the package authors" (this commonly is synonymous with disabling official branding): $ ash-euses -sk bindist dev-libs/openssl:bindist - Disable/Restrict EC algorithms (as they seem to be patented) -- note: changes the ABI dev-libs/openssl-compat:bindist - Disable/Restrict EC algorithms (as they seem to be patented) -- note: changes the ABI dev-qt/qtnetwork:bindist - Disable EC support via dev-libs/openssl mail-client/thunderbird:bindist - Disable official Firefox/Thunderbird branding (icons, name) which are not binary-redistributable according to upstream. media-libs/freetype:bindist - Disable ClearType support (see http://freetype.org/patents.html) net-libs/liboauth:bindist - Alias for the nss USE flag, since there are license compliancy trouble when using OpenSSL. net-misc/openssh:bindist - Disable EC/RC5 algorithms in OpenSSL for patent reasons. sys-apps/ucspi-ssl:bindist - Disable EC/RC5 algorithms in OpenSSL for patent reasons. www-client/firefox:bindist - Disable official Firefox branding (icons, name) which are not binary-redistributable according to upstream. Hope this helps, Ashley. [1] https://wiki.gentoo.org/wiki/Binary_package_guide Yes, excellent overview. Thank you.
Re: [gentoo-user] binary packages: how to ...
On Wed, 15 Jul 2020 00:46:58 +0100, Ashley Dixon wrote: > > 1. find out if a package is binary before you install it (e.g. where > > on app-arch/rar does it say it's a binary package) > > RAR is an unusual case, with both the "mirror" and "bindist" flags set > in the RESTRICT variable (i.e., Gentoo cannot legally mirror the > package, and you're not allowed to redistribute binaries either). I > couldn't find anything in the ebuild which suggests it is a binary > package; src_compile() { :; } This is setting the compile to a NOP, which is a bit of a giveaway. However, it's not a consistent way of checking, for example skypeforlinux doesn't specify src_compile at all, which I thought meant it used the default of running emake(). As Andreas mentioned, the LICENSE setting is probably a more reliable way of excluding such packages. By only allowing open source licences you prevent the installation of proprietary binary packages. You can still install the *-bin packages as they are mostly convenience packages to save you lengthy compilation by using the developer's provided binary packages of open source software. -- Neil Bothwick Help put the "fun" back in "dysfunctional" ! pgpcMEY9nkZF4.pgp Description: OpenPGP digital signature
Re: [gentoo-user] binary packages: how to ...
On Wed, 15 Jul 2020 00:46:58 +0100 Ashley Dixon wrote: > On Tue, Jul 14, 2020 at 11:24:31PM +0200, n952162 wrote: > > binary packages: how to: > > > > 1. find out if a package is binary before you install it (e.g. where on > >app-arch/rar does it say it's a binary package) > > RAR is an unusual case, with both the "mirror" and "bindist" flags set in > the > RESTRICT variable (i.e., Gentoo cannot legally mirror the package, and > you're > not allowed to redistribute binaries either). I couldn't find anything in > the > ebuild which suggests it is a binary package; perhaps this is something > that > should be reviewed by the Gentoo developers, as most packages supporting > a > binary distribution provide a separate package with the `-bin` suffix, > although > I suppose this doesn't make much sense when there is no source package. > > The entire RAR business model of free decompression and paid compression > has > caused confusion for many people over many decades. I'd always stick to 7zip > or > one of the classic UNIX compression utilities, if I had a choice. > > > 2. inhibit their installation > > Don't install them. ;-) > > More seriously: there's not that many of them, so it's probably not a > process > worth automating, unless you're on a multi-user machine, in which > untrusted > users can install packages - although I think you'd have more > significant > problems at that point. As you've unfortunately discovered, there isn't much > of > a concrete framework in place to automatically detect binary packages, > which > also makes Point (3) difficult. > > > 3. get a list of the ones installed on a system > > `EIX_LIMIT=0 eix --only-names -I *-bin`, perhaps ? Unfortunately, this > won't > catch the unusual cases, as seen with `app-arch/rar`. > > > Any ideas about that are appreciated. > > [1] might be worth a read; it's quite comprehensive, and gives you a > glimpse > into the inner-workings of Portage, allowing you to fix these issues > yourself. > > Something to note: "bindist", as the USE-flag and RESTRICT option, does not > mean > "use a binary distribution", but rather "compile the package in such a way > that > I can redistribute my build without putting myself in a legal problem with > the > package authors" (this commonly is synonymous with disabling official > branding): > > $ ash-euses -sk bindist > > dev-libs/openssl:bindist - Disable/Restrict EC algorithms (as they seem to be > patented) -- note: changes the ABI > dev-libs/openssl-compat:bindist - Disable/Restrict EC algorithms (as they > seem to be patented) -- note: changes the ABI > dev-qt/qtnetwork:bindist - Disable EC support via dev-libs/openssl > mail-client/thunderbird:bindist - Disable official Firefox/Thunderbird > branding (icons, name) which are not binary-redistributable according to > upstream. > media-libs/freetype:bindist - Disable ClearType support (see > http://freetype.org/patents.html) > net-libs/liboauth:bindist - Alias for the nss USE flag, since there are > license compliancy trouble when using OpenSSL. > net-misc/openssh:bindist - Disable EC/RC5 algorithms in OpenSSL for patent > reasons. > sys-apps/ucspi-ssl:bindist - Disable EC/RC5 algorithms in OpenSSL for patent > reasons. > www-client/firefox:bindist - Disable official Firefox branding (icons, name) > which are not binary-redistributable according to upstream. > > Hope this helps, > Ashley. > > [1] https://wiki.gentoo.org/wiki/Binary_package_guide > Searching for -bin does not help to find binary only packages. Two more examples, which are binary only: zoom, skypeforlinux Searching for -bin mostly (if not always) implies that there would be a possibility to compile it from source. In my experience so far, every binary-only package does not have an open source license. So mostly you'll hit a license issue and you have to accept the license (/etc/portage/package.license) before you will be able to merge the package. Any license issue should start make you thinking what is going on, since it is a potential binary-only package. Installation of these packages is inhibited by emerge, because you have to accept the license first ;) When I look into my /etc/portage/package.license file I get a good idea of which packages are binary only. Not all of them are pure binary packages, but it is a superset as far as I can tell. To conclude: You cannot find out if a package is binary only with emerge. You have to do the research yourself, but /etc/portage/package.license is a good starting point to find potential candidates. Cheers Andreas
Re: [gentoo-user] binary packages: how to ...
On Tue, Jul 14, 2020 at 11:24:31PM +0200, n952162 wrote: > binary packages: how to: > > 1. find out if a package is binary before you install it (e.g. where on >app-arch/rar does it say it's a binary package) RAR is an unusual case, with both the "mirror" and "bindist" flags set in the RESTRICT variable (i.e., Gentoo cannot legally mirror the package, and you're not allowed to redistribute binaries either). I couldn't find anything in the ebuild which suggests it is a binary package; perhaps this is something that should be reviewed by the Gentoo developers, as most packages supporting a binary distribution provide a separate package with the `-bin` suffix, although I suppose this doesn't make much sense when there is no source package. The entire RAR business model of free decompression and paid compression has caused confusion for many people over many decades. I'd always stick to 7zip or one of the classic UNIX compression utilities, if I had a choice. > 2. inhibit their installation Don't install them. ;-) More seriously: there's not that many of them, so it's probably not a process worth automating, unless you're on a multi-user machine, in which untrusted users can install packages - although I think you'd have more significant problems at that point. As you've unfortunately discovered, there isn't much of a concrete framework in place to automatically detect binary packages, which also makes Point (3) difficult. > 3. get a list of the ones installed on a system `EIX_LIMIT=0 eix --only-names -I *-bin`, perhaps ? Unfortunately, this won't catch the unusual cases, as seen with `app-arch/rar`. > Any ideas about that are appreciated. [1] might be worth a read; it's quite comprehensive, and gives you a glimpse into the inner-workings of Portage, allowing you to fix these issues yourself. Something to note: "bindist", as the USE-flag and RESTRICT option, does not mean "use a binary distribution", but rather "compile the package in such a way that I can redistribute my build without putting myself in a legal problem with the package authors" (this commonly is synonymous with disabling official branding): $ ash-euses -sk bindist dev-libs/openssl:bindist - Disable/Restrict EC algorithms (as they seem to be patented) -- note: changes the ABI dev-libs/openssl-compat:bindist - Disable/Restrict EC algorithms (as they seem to be patented) -- note: changes the ABI dev-qt/qtnetwork:bindist - Disable EC support via dev-libs/openssl mail-client/thunderbird:bindist - Disable official Firefox/Thunderbird branding (icons, name) which are not binary-redistributable according to upstream. media-libs/freetype:bindist - Disable ClearType support (see http://freetype.org/patents.html) net-libs/liboauth:bindist - Alias for the nss USE flag, since there are license compliancy trouble when using OpenSSL. net-misc/openssh:bindist - Disable EC/RC5 algorithms in OpenSSL for patent reasons. sys-apps/ucspi-ssl:bindist - Disable EC/RC5 algorithms in OpenSSL for patent reasons. www-client/firefox:bindist - Disable official Firefox branding (icons, name) which are not binary-redistributable according to upstream. Hope this helps, Ashley. [1] https://wiki.gentoo.org/wiki/Binary_package_guide -- Ashley Dixon suugaku.co.uk 2A9A 4117 DA96 D18A 8A7B B0D2 A30E BF25 F290 A8AA signature.asc Description: PGP signature
[gentoo-user] binary packages: how to ...
binary packages: how to: 1. find out if a package is binary before you install it (e.g. where on app-arch/rar does it say it's a binary package) 2. inhibit their installation 3. get a list of the ones installed on a system Any ideas about that are appreciated.