Mail Archives: cygwin/2025/08/02/13:17:09

Jon Turney via Cygwin <cygwin AT cygwin DOT com> · Sat, 2 Aug 2025 13:17:06 +0100

On 02/08/2025 11:43, Bruno Haible via Cygwin wrote:
> The essence of the GPL is:
> 
>    When someone distributes binaries,
>    they must distribute the corresponding source code too.
> 
> This is
>    1. a legal requirement,
>    2. the mechanism that holds the Free Software community together,
>    3. what allows the public to trust these binaries.
> 
> Now, for several days (at least since 2025-07-28), the Cygwin
> setup-x86_64.exe (in its default configuration) distributes
> binaries of a package copyrighted by the FSF and under the GPL,
> 
>    * that is obviously modified,
> 
>    * for which no source code is available in the corresponding
>      git repository under https://cygwin.com/cgit/cygwin-packages/.
> 
> I contacted the Cygwin maintainer of that package, and they tell me that
>    - it is not an accidentally forgotten "git push" to the git repository,
>    - they need a few more days before they can push the corresponding source
>      code to that repository.
> 
> So, the corresponding source code is sitting solely on the Cygwin
> maintainer's disk. If they experience a hard disk crash or if the directory
> with that corresponding source code gets lost through an accidental
> "rm -rf", the corresponding source cannot be distributed any more, ever.
> 
> This is a major shortcoming in the Cygwin packaging system. A packaging
> system that distributes more than 9000 packages [1], many of them under GPL
> or LGPL, should not make it so easy to distribute binaries while withholding
> the corresponding source code. In particular:

I feel there must be some miscommunications here, as I am mystified that 
the maintainer in question hasn't directed to you to the corresponding 
source package.

(These can be installed into /usr/src/ using the setup tool, by 
selecting "src?" checkbox after locating the appropriate package and 
version)

For the exactly reasons you lay out, it is absolutely mandatory that 
those packages exist, are accurate and be provided along with the 
install package.

(To quote from [1], "Source tar files should contain the source files, 
patches and scripts needed to rebuild the package. [...] As an open 
source project, providing this tar file is not optional.")

Given that, if you still think we are not complying with our obligations 
under the GPL, can you explain why?

> 
>    * It ought to prevent an accidentally forgotten "git push" to the git
>      repository.
> 
>    * It ought to prevent a maintainer's decision — for whatever reason —
>      to withhold the sources for one week, because
>        - that one week may turn into an indefinite duration, as mentioned
>          above,
>        - this resembles too much the behaviour of Google regarding the Android
>          sources [2], whose purpose it is to limit the influence of the
>          FOSS community. It's a slippery slope, at which end there is
>          proprietary software.
> 
> In each https://cygwin.com/packages/summary/<package>-src.html page there is a
> per-version table of the list of source files. I am suggesting that this
> reference gets replaced with a reference to a commit in the source code
> repository (under https://cygwin.com/cgit/cygwin-packages/), that contains
> the _actual_ source files, not only their names. And that a package maintainer
> *cannot* upload binaries for a version without having provided that commit.
> 
> Btw, as a user I am thankful for the packaging work that the Cygwin package
> maintainers do. And I understand that a mechanism that limits what they can do
> could be annoying to them. But I think that a mechanism that helps fulfilling
> the legal requirements of the GPL can only be beneficial to the Cygwin project.
  Nevertheless, I am fully aware that our existing packaging system has 
many shortcomings, and I would very much like to evolve it into a system 
which reduces the scope for maintainer error and where the sources used 
to build a package are more transparently and easily located.

You can see some of the ongoing discussion on that topic at [2].

[1] https://cygwin.com/packaging-package-files.html#files
[2] https://cygwin.com/pipermail/cygwin-apps/2025-July/044394.html

-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple

DMARC-Filter:	OpenDMARC Filter v1.4.2 delorie.com 572HH8Q9415486
Authentication-Results:	delorie.com; dmarc=pass (p=none dis=none) header.from=cygwin.com
Authentication-Results:	delorie.com; spf=pass smtp.mailfrom=cygwin.com
DKIM-Filter:	OpenDKIM Filter v2.11.0 delorie.com 572HH8Q9415486
Authentication-Results:	delorie.com;
	dkim=pass (1024-bit key, unprotected) header.d=cygwin.com header.i=@cygwin.com header.a=rsa-sha256 header.s=default header.b=rqe325zH
X-Recipient:	archive-cygwin AT delorie DOT com
DKIM-Filter:	OpenDKIM Filter v2.11.0 sourceware.org 9EF063858410
DKIM-Signature:	v=1; a=rsa-sha256; c=relaxed/relaxed; d=cygwin.com;
	s=default; t=1754137060;
	bh=JkMhPwP8UiEgEm6VtHyV/NpJhbnc673i+J1YVPFGHS4=;
	h=Date:Subject:To:References:Cc:In-Reply-To:List-Id:
	List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe:
	From:Reply-To:From;
	b=rqe325zHpZCbeMtRfumiVy8ooJdCdylhDidvvHYdgURj7V0KgBpX/YUgbKEyuKWYS
	DrjxrGwjhYnRaRSIrK91jP6bn52ZsiwvA2dkg7pSULS3wUlxAYQKYvlrHgGwexR/Xr
	zrw8jXJYJqq3D53sMpiK0v7NYDxgcjPRW8eTwgTs=
X-Original-To:	cygwin AT cygwin DOT com
Delivered-To:	cygwin AT cygwin DOT com
DMARC-Filter:	OpenDMARC Filter v1.4.2 sourceware.org B27CB3858D32
ARC-Filter:	OpenARC Filter v1.0.0 sourceware.org B27CB3858D32
ARC-Seal:	i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1754137032; cv=none;
	b=fxQlMbOuIcX0BP+qDt+QZGf0ez4YW8mZJL6UHSUqvyg2YD7CZ8sd1YdEaRVF9hDHzuu2Ix94fXHj/pqZjqDtsHXI2WR8FBRQvL2RGg+edxj6RSw5gy6qTZlI7CQVTahF/0eqVbN4/JLENAnhIO93rKoII7TN7/nMgsPi39mdTRk=
ARC-Message-Signature:	i=1; a=rsa-sha256; d=sourceware.org; s=key;
	t=1754137032; c=relaxed/simple;
	bh=96TP0zlIgM8gedxijRKF7aMTassOta4r6+5L1LJTK3A=;
	h=Message-ID:Date:MIME-Version:Subject:To:From;
	b=RIfWkVdExp4v88LleVrrHUguarZ6Nx1PVoVSn4AbKfxAu4V9X1WhISoGFKqEyca3zyGl61tChpLzKauc9IkGq08BchkB4ku2zhaAUUyBArgkBeyHBZYryAMClUOQz/4q65akmjBw3WkVmtMICnCkqtdWzsUnDZoEEHnJXd+tjSU=
ARC-Authentication-Results:	i=1; server2.sourceware.org
DKIM-Filter:	OpenDKIM Filter v2.11.0 sourceware.org B27CB3858D32
X-SNCR-Rigid:	6863674E03996AFC
X-Originating-IP:	[86.144.41.51]
X-OWM-Source-IP:	86.144.41.51
X-OWM-Env-Sender:	jon DOT turney AT dronecode DOT org DOT uk
X-RazorGate-Vade:	gggruggvucftvghtrhhoucdtuddrgeeffedrtdefgddutdeiheehucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjughrpefkffggfgfuvfhfhfevjggtgfesthekredttddvjeenucfhrhhomheplfhonhcuvfhurhhnvgihuceojhhonhdrthhurhhnvgihsegurhhonhgvtghouggvrdhorhhgrdhukheqnecuggftrfgrthhtvghrnhepffehleejveegieegleegtedtheffkeeutefhgffhveelvdehjeduveefffevgfeinecuffhomhgrihhnpegthihgfihinhdrtghomhenucfkphepkeeirddugeegrdeguddrhedunecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehhvghloheplgduledvrdduieekrddurddutdelngdpihhnvghtpeekiedrudeggedrgedurdehuddpmhgrihhlfhhrohhmpehjohhnrdhtuhhrnhgvhiesughrohhnvggtohguvgdrohhrghdruhhkpdhrvghvkffrpehhohhsthekiedqudeggedqgeduqdehuddrrhgrnhhgvgekiedqudeggedrsghttggvnhhtrhgrlhhplhhushdrtghomhdprghuthhhpghushgvrhepjhhonhhtuhhrnhgvhiessghtihhnthgvrhhnvghtrdgtohhmpdhgvghokffrpefiuedpoffvtefjohhsthepsghtphhrughrghhotddtjedpnhgspghrtghpthhtohepvddprhgtphhtthhopegs
	rhhunhhosegtlhhishhprdhorhhgpdhrtghpthhtoheptgihghifihhnsegthihgfihinhdrtghomh
X-RazorGate-Vade-Verdict:	clean 0
X-RazorGate-Vade-Classification:	clean
X-VadeSecure-score:	verdict=clean score=0/300, class=clean
Message-ID:	<16e52bd1-50bd-49a0-8fbc-721cb1388e8c@dronecode.org.uk>
Date:	Sat, 2 Aug 2025 13:17:06 +0100
MIME-Version:	1.0
User-Agent:	Mozilla Thunderbird
Subject:	Re: the Cygwin packaging system and the GPL
To:	Bruno Haible <bruno AT clisp DOT org>
References:	<4993324 DOT vzjCzTo3RI AT nimes>
Cc:	cygwin AT cygwin DOT com
In-Reply-To:	<4993324.vzjCzTo3RI@nimes>
X-BeenThere:	cygwin AT cygwin DOT com
X-Mailman-Version:	2.1.30
List-Id:	General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Unsubscribe:	<https://cygwin.com/mailman/options/cygwin>,
	<mailto:cygwin-request AT cygwin DOT com?subject=unsubscribe>
List-Archive:	<https://cygwin.com/pipermail/cygwin/>
List-Post:	<mailto:cygwin AT cygwin DOT com>
List-Help:	<mailto:cygwin-request AT cygwin DOT com?subject=help>
List-Subscribe:	<https://cygwin.com/mailman/listinfo/cygwin>,
	<mailto:cygwin-request AT cygwin DOT com?subject=subscribe>
From:	Jon Turney via Cygwin <cygwin AT cygwin DOT com>
Reply-To:	Jon Turney <jon DOT turney AT dronecode DOT org DOT uk>
Errors-To:	cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com
Sender:	"Cygwin" <cygwin-bounces~archive-cygwin=delorie DOT com AT cygwin DOT com>
X-MIME-Autoconverted:	from base64 to 8bit by delorie.com id 572HH8Q9415486

webmaster	delorie software privacy
Copyright � 2019 by DJ Delorie	Updated Jul 2019