1. When possible, avoid adding package repositories (whether by using
APT's "add repository" command, by editing "/etc/apt/sources.list"
directly, by using your graphical package sources editor, and so on).
This holds even if the project that owns the repository is related to
free software, because there is no way to guarantee that future versions
of a package coming from that repository will still be free software,
even after checking the licenses. The reason is that the packages are
already provided to you in compiled form, and so there is no
user-friendly way to know whether obfuscated source code was used to
build that binary, other than downloading the source code yourself and
checking every single line of it to make sure there are no
strangely-numbered phrases like "\123\325\123", "(123, 325, 123)", or
"123 325 123" (the numbers are just examples). Note that the source code
you download must come from the same place where you would download the
compiled package, and as you can see, this whole procedure is in no way
user-friendly. Exceptions to this are repositories of other free
software distributions approved as such by the FSF, like GuixSD,
GNewSense, Parabola, LibreCMC, ProteanOS, Replicant, Ututo, BLAG, Musix,
and so on, and repositories from people who are well known to be trusted
here and who are following the philosophy successfully.

2. An addendum to the item above: you can try to download the compiled
package manually, by yourself, from the same repository that was
originally suggested to be added to your system's package sources. You
should be able to download the package from any web browser, and the
browser will probably ask you where to save the package file. This way
you have a chance to add just the needed versions, without corrupting
your whole system or blindly receiving upgrades for that package, and if
you're an advanced user, you'll also have the chance to download the
corresponding source code to check for obfuscated code.

3. Use the Free Software Directory[1] to check whether things are free
software. Hint: go to the Free Software Directory and, in the search
field of your browser (the one to the right of the address/URI/link
field), click on the small button on the left and then click on Add
"Free Software Directory". Now you have the Free Software Directory
available there as a search engine. Note that, even though your browser
has a home page ("about:icecat" or "about:abrowser") and this home page
has a search field that uses the search engine currently selected in
the search field at the top, this search field doesn't seem to work, as
it just takes you to the homepage of the search engine, at least for me.
The only field that works is the search field at the top of the window.
If the package version found in the Free Software Directory matches the
one you want, then you're safe. Otherwise you are not, and you'll have
to go through (1) and (2).

4. Check whether the same packages exist in Trisquel's repositories. You
can either use your package manager or visit the web search[2]. By using
your system's package manager, you can check for the existence of older
versions of the same package in Trisquel's repositories. If the package
version found in Trisquel's repository matches the one you want, then
you're safe. Otherwise you are not, and you'll have to go through (1)
and (2).

5. When a computer program is free software, the programs that it
depends on, recommends and suggests must also be free software, and so
all the items above apply to the dependencies, recommendations and
suggestions. Exceptions to this are cases where the computer program is
a reverse engineering effort based on a non-free program, or where the
program's purpose is to provide a free implementation of the non-free
one.


REFERENCES


[1] https://directory.fsf.org/

[2] http://packages.trisquel.info/
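Item (1) above describes reading through downloaded source code for
strangely-numbered phrases. As an added example (not part of the
original post), here is a small Python scanner that flags lines matching
the three shapes the post gives; the regular expressions and the
three-number threshold are my own assumptions, and the sample source is
constructed.

```python
import re
import sys

# Added heuristic (not from the post): one regular expression for each
# shape of "strangely-numbered phrase" the post gives. Requiring a run of
# three or more numbers is an assumption made to limit false positives.
PATTERNS = {
    # "\123\325\123": runs of octal escapes; hex escapes are the same idea
    "octal_escapes": re.compile(r"(?:\\[0-7]{3}){3,}"),
    "hex_escapes": re.compile(r"(?:\\x[0-9A-Fa-f]{2}){3,}"),
    # "(123, 325, 123)": comma-separated small numbers inside brackets
    "number_tuple": re.compile(r"[({]\s*\d{1,3}(?:\s*,\s*\d{1,3}){2,}\s*[)}]"),
    # "123 325 123": three or more bare small numbers separated by blanks
    "number_run": re.compile(r"(?<![\w.])\d{1,3}(?:[ \t]+\d{1,3}){2,}(?![\w.])"),
}

def scan_source(text):
    """Return (line_no, pattern_name, matched_text) for every suspicious hit.

    Legitimate lookup tables and array initialisers match too, so each hit
    still needs a human to read the line, as the post says.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                hits.append((lineno, name, match.group(0)))
    return hits

def scan_file(path):
    """Scan one source file; errors="replace" tolerates odd encodings."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return scan_source(handle.read())

# Constructed sample, not real project code: one suspicious line per shape.
SAMPLE_SOURCE = """\
int main(void) {
    const char *greeting = "hello";
    const char *blob = "\\123\\325\\123\\101";
    int key[] = (123, 325, 123);
    /* 123 325 123 */
    return 0;
}
"""

if __name__ == "__main__":
    for path in sys.argv[1:]:  # usage: python scan.py main.c util.c ...
        for lineno, name, text in scan_file(path):
            print(f"{path}:{lineno}: {name}: {text}")
```

Run it over the unpacked source tree and read every reported line by
hand; an empty report is not proof of clean code, only that none of these
shapes appeared.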
