Open thesamesam opened 2 years ago
thesamesam
commented
2 years ago A quick way of making a bad ebuild which breaks the tree:
sys-apps/foo with LICENSE="all-rights-reserved"@system in profiles/
arthurzam
commented
2 years ago I can perform the check, by each package checking it sub packages. But, what should be the correct behavior here? In theory I see no issue with a free software depending on non-free software (of course not in "base" profile system). Or am I wrong? I'm asking about "false report" cases here.
Also, if we say we should go with it, what level should it be? Should it be error and fail croacker?
ajakk
commented
2 years ago https://bugs.gentoo.org/872119 is one such example of an issue resulting from this.
thesamesam
commented
2 years ago I can perform the check, by each package checking it sub packages. But, what should be the correct behavior here? In theory I see no issue with a free software depending on non-free software (of course not in "base" profile system). Or am I wrong? I'm asking about "false report" cases here.
Also, if we say we should go with it, what level should it be? Should it be error and fail croacker?
Maybe it could be like RequiredUseDefaults where we shouldn't have it be by default. This minimises the impact to users from such incidents like the linked bugs (it should hopefully pick them up). In such cases, it should be a warning.
Additionally, I think we may want a general warning for something with @FREE depending on non-@FREE, but this could be a 'style' level warning to avoid noise. I think it's useful for someone to know when packaging/adding a new dep that something is non-free, so they can inform upstream, etc.
arthurzam
commented
2 years ago Maybe it could be like
RequiredUseDefaultswhere we shouldn't have it be by default. This minimises the impact to users from such incidents like the linked bugs (it should hopefully pick them up). In such cases, it should be a warning.
OK, but this will notify for all non free packages in tree. I think we need to define which set of packages to scan.
Additionally, I think we may want a general warning for something with
@FREEdepending on non-@FREE, but this could be a 'style' level warning to avoid noise. I think it's useful for someone to know when packaging/adding a new dep that something is non-free, so they can inform upstream, etc.
This one is understood and would be added.
thesamesam
commented
2 years ago Maybe it could be like
RequiredUseDefaultswhere we shouldn't have it be by default. This minimises the impact to users from such incidents like the linked bugs (it should hopefully pick them up). In such cases, it should be a warning.OK, but this will notify for all non free packages in tree. I think we need to define which set of packages to scan.
It's okay if the leaf package is non-free. It's not okay if a package with LICENSE only consisting of @FREE has a dependency which isn't.
I don't think we need to worry about non-free depending on non-free.
It's possible for the tree to become "broken" by a package that has
@FREElicenses suddenly gaining a dependency which is not in@FREE.Example (covered at https://bugs.gentoo.org/832778).
@FREEset) for accessibility supportWe should have some way of detecting this via pkgcheck, as it's just as valid as dependencies otherwise being unresolvable (e.g. via keyword), and more serious even than RequiredUseDefaults IMO.