To: cygwin@cygwin.com
Subject: the Cygwin packaging system and the GPL
Date: Sat, 02 Aug 2025 12:43:07 +0200
Message-ID: <4993324.vzjCzTo3RI@nimes>
Organization: GNU
MIME-Version: 1.0
X-BeenThere: cygwin@cygwin.com
X-Mailman-Version: 2.1.30
List-Id: General Cygwin discussions and problem reports <cygwin.cygwin.com>
List-Archive: <https://cygwin.com/pipermail/cygwin/>
List-Post: <mailto:cygwin@cygwin.com>
List-Help: <mailto:cygwin-request@cygwin.com?subject=help>
List-Subscribe: <https://cygwin.com/mailman/listinfo/cygwin>,
 <mailto:cygwin-request@cygwin.com?subject=subscribe>
From: Bruno Haible via Cygwin <cygwin@cygwin.com>
Reply-To: Bruno Haible <bruno@clisp.org>

The essence of the GPL is:

  When someone distributes binaries,
  they must distribute the corresponding source code too.

This is
  1. a legal requirement,
  2. the mechanism that holds the Free Software community together,
  3. what allows the public to trust these binaries.

Now, for several days (at least since 2025-07-28), the Cygwin
setup-x86_64.exe (in its default configuration) distributes
binaries of a package copyrighted by the FSF and under the GPL,

  * that is obviously modified,

  * for which no source code is available in the corresponding
    git repository under https://cygwin.com/cgit/cygwin-packages/.

I contacted the Cygwin maintainer of that package, and they tell me that
  - it is not an accidentally forgotten "git push" to the git repository,
  - they need a few more days before they can push the corresponding source
    code to that repository.

So, the corresponding source code is sitting solely on the Cygwin
maintainer's disk. If they experience a hard disk crash or if the directory
with that corresponding source code gets lost through an accidental
"rm -rf", the corresponding source cannot be distributed any more, ever.

This is a major shortcoming in the Cygwin packaging system. A packaging
system that distributes more than 9000 packages [1], many of them under GPL
or LGPL, should not make it so easy to distribute binaries while withholding
the corresponding source code. In particular:

  * It ought to prevent an accidentally forgotten "git push" to the git
    repository.

  * It ought to prevent a maintainer's decision — for whatever reason —
    to withhold the sources for one week, because
      - that one week may turn into an indefinite duration, as mentioned
        above,
      - this resembles too much the behaviour of Google regarding the Android
        sources [2], whose purpose it is to limit the influence of the
        FOSS community. It's a slippery slope, at which end there is
        proprietary software.

In each https://cygwin.com/packages/summary/<package>-src.html page there is a
per-version table of the list of source files. I am suggesting that this
reference gets replaced with a reference to a commit in the source code
repository (under https://cygwin.com/cgit/cygwin-packages/), that contains
the _actual_ source files, not only their names. And that a package maintainer
*cannot* upload binaries for a version without having provided that commit.

Btw, as a user I am thankful for the packaging work that the Cygwin package
maintainers do. And I understand that a mechanism that limits what they can do
could be annoying to them. But I think that a mechanism that helps fulfill
the legal requirements of the GPL can only be beneficial to the Cygwin project.

Best regards,

       Bruno

[1] https://cygwin.com/packages/package_list.html
[2] https://www.androidauthority.com/google-android-development-aosp-3538503/





