Post An2TLeAdE2LUC0HEv2 by lanodan@queer.hacktivis.me
 (DIR) Post #AdWFciq6qyogjP12dU by wolf480pl@mstdn.io
       2024-01-05T00:15:06Z
       
       4 likes, 1 repeats
       
       I've said this before but

       Software freedom is not when the source code for the program you use is somewhere on github, has 5000 dependencies and doesn't build outside of CI

       Software freedom is when you have the source on your computer, modify it, build it, and run a modified version

       How much of the software you use on a daily basis would you be able to build from source? How many urls does that require fetching, and how many of these can stop working any time without prior notice?

       1/
       
 (DIR) Post #AdWFcloRncGlx7GFxg by wolf480pl@mstdn.io
       2024-01-05T00:18:51Z
       
       1 likes, 0 repeats
       
       I remember my dad's RedHat came on 4 CDs: 2 Binary Discs, one Source Disc and one Documentation Disc.

       If it worked the way I think, you could take it to a desert island and rebuild everything from source, with just those 4 CDs and an x86 computer.

       Today a Debian mirror has 100+ GB of source packages and 600+ GB of binaries just for amd64.

       But at least it's one place, heavily replicated. And IIRC it's supposed to work on a desert island.

       2/
       
 (DIR) Post #AdWFcnxNpMbcbPSQAS by wolf480pl@mstdn.io
       2024-01-05T00:27:40Z
       
       1 likes, 0 repeats
       
       But also, it's very accessible:

       apt-get source -> apt-get builddeps -> make changes -> dpkg-buildpackage -> dpkg -i your-freshly-built.deb

       I'm sure many other distros provide a similar solution. Some default to downloading sources as part of building the package, but AFAIK most still require that the actual build doesn't rely on internet.

       Can you say the same about your average docker image? Flatpak? Android app? Rust crate? Golang module?

       3/
       
 (DIR) Post #AdWFcq9VfFUhPb98LY by wolf480pl@mstdn.io
       2024-01-05T00:32:41Z
       
       2 likes, 0 repeats
       
       Most of these things can be packaged by distros up to the desert island standards, albeit with great effort.

       So it can be done.

       It's just that people who write that software, and the tooling, rarely care. Which makes things harder for everyone else. Harder than it could be.

       t. spent 8h on something that should've been 2 commands

       4/4
       
 (DIR) Post #AdXE9Daq2f8Ad2CTwW by nul@bark.lgbt
       2024-01-05T04:59:41Z
       
       0 likes, 0 repeats
       
       @vertigo @wolf480pl You can also use the patch section of Cargo.toml to override that crate for all dependencies, including transitive, to ensure your changes are made across them all. Very useful if you're trying to test changes to a library you're intending to contribute to.
       
 (DIR) Post #AdXE9EQwuuoZEea6AS by wolf480pl@mstdn.io
       2024-01-05T08:23:13Z
       
       1 likes, 0 repeats
       
       @nul @vertigo

       Yeah, distributing libraries as source is already a good start.

       Does cargo have a nice way to make a tarball with the source code of all the dependencies of your crate that can then be built offline?

       Also, I think I heard of crates that download stuff from arbitrary internet locations during build - is that something that can happen, or am I confusing it with another language?
       
 (DIR) Post #AkKqNzu65wocBE660O by gentoobro@shitpost.cloud
       2024-07-26T21:39:29.341639Z
       
       1 likes, 0 repeats
       
       There are far too many needless dependencies these days. I swear, people have become allergic to actually writing code. It's especially bad in languages with standard or semi-standard package managers. Is a simple wrapper around print() too hard for you? Gotta pull in a "logging library" that itself has a few dozen deps. Fucking pad a string? npm install lpad.

       The needless deps make everything brittle.
       
 (DIR) Post #An2QG56NskqI7RwdrE by lispi314@udongein.xyz
       2024-01-05T04:08:48.674531Z
       
       0 likes, 0 repeats
       
       @wolf480pl @nytpu That last one is one reason why Guix's work on alternate download sources is quite important, I think.
       
 (DIR) Post #An2QG5zKaSnKrreWVE by wolf480pl@mstdn.io
       2024-01-05T08:32:26Z
       
       0 likes, 0 repeats
       
       @lispi314 @nytpu I think another way to become resilient against link rot is to have all the source code of the packages you use in one place.

       There used to be source CDs but most distros don't fit on a CD or a DVD anymore. So either mirrors like Debian does, or keeping the source code of everything you install on your local disk (or a NAS).

       A while ago I was of the opinion that Gentoo users are uniquely well prepared for an apocalypse, but that may've changed recently
       
 (DIR) Post #An2QG6kTlAVbE5iAzY by lanodan@queer.hacktivis.me
       2024-10-15T17:58:44.127286Z
       
       0 likes, 0 repeats
       
       @wolf480pl @lispi314 @nytpu Gentoo is still prepared for an internet-apocalypse.

       In fact I ended up discovering some weeks ago that the dev-util/yacc package could easily mean having the last easily available copy (short of hunting for source CD/tapes/…) of what seems to be the original yacc.
       
 (DIR) Post #An2RysHIVYedKcyLaq by lanodan@queer.hacktivis.me
       2024-10-15T18:18:34.606145Z
       
       0 likes, 0 repeats
       
       @wolf480pl @lispi314 @nytpu And one thing I quite like with Gentoo is not having to deal with build-essentials or -dev packages, all you need is the stage3 as a binary seed, portage tree (git repo also available as tarball snapshots) and then it's upstream tarballs.

       And given the recipes+patches are all in one place, even if Gentoo would get compromised somehow, you could still recover. While Debian… ouch.
       
 (DIR) Post #An2T3XNDl29HtqWw88 by wolf480pl@mstdn.io
       2024-10-15T18:24:31Z
       
       0 likes, 0 repeats
       
       @lanodan @nytpu @lispi314 IIRC (some?) Debian source packages use an upstream source tarball + -debian tarball (containing the debian/ directory, including patches and buildscripts) that gets extracted on top of it, and then patches get applied.

       It's not as clean as I would like, but in principle the stuff authored by Debian is separate from upstream code.

       You just need pre-compromise build-essential, upstream tarballs, and audited *-debian tarballs.
       
 (DIR) Post #An2T3Yh6qZeTzoqKlk by wolf480pl@mstdn.io
       2024-10-15T18:25:04Z
       
       0 likes, 0 repeats
       
       @lanodan @nytpu @lispi314 (assuming by compromise you mean "someone tried to put a backdoor in the source packages")
       
 (DIR) Post #An2T3ZbTT0jqodDLcm by lanodan@queer.hacktivis.me
       2024-10-15T18:30:36.225554Z
       
       0 likes, 0 repeats
       
       @wolf480pl @nytpu @lispi314 That or "woups, backups weren't made properly and we lost part of our infra".

       A rogue debian developer would mean at least a few lost packages as I doubt most debian developers have enough of a local copy to recover the whole distro.
       
 (DIR) Post #An2TLeAdE2LUC0HEv2 by lanodan@queer.hacktivis.me
       2024-10-15T18:33:53.738593Z
       
       0 likes, 0 repeats
       
       @wolf480pl @lispi314 @nytpu Which also incidentally means that one doesn't simply fork Debian.
       
 (DIR) Post #An2TjI7oqDAQloEh4C by iska@catposter.club
       2024-10-15T18:38:09.762Z
       
       0 likes, 0 repeats
       
       @lanodan@queer.hacktivis.me @wolf480pl@mstdn.io @lispi314@udongein.xyz @nytpu@tilde.zone
       >while debian... ouch.

       Doesn't every release include a massive download with all of the software?
       
 (DIR) Post #An2UiRfvwq0A3QLy40 by wolf480pl@mstdn.io
       2024-10-15T18:39:36Z
       
       0 likes, 0 repeats
       
       @lanodan @nytpu @lispi314 yeah, you typically become a debian downstream instead of forking it
       
 (DIR) Post #An2UiT6CeeboTBeSeG by wolf480pl@mstdn.io
       2024-10-15T18:40:05Z
       
       1 likes, 0 repeats
       
       @lanodan @nytpu @lispi314 also being a debian downstream distro is one of the sanest ways of doing infrastructure-as-code with Debian
       
 (DIR) Post #An2eunvo1eDW63JExc by wolf480pl@mstdn.io
       2024-10-15T18:31:43Z
       
       0 likes, 0 repeats
       
       @lanodan @nytpu @lispi314 oh, in the sense that it's not a single git repo everyone has - yes, that would be a problem.

       I wish they were still doing source CDs :/
       
 (DIR) Post #An2euoyK9lpFK9UlWa by lispi314@udongein.xyz
       2024-10-15T20:38:06.751483Z
       
       0 likes, 0 repeats
       
       @wolf480pl @nytpu @lanodan There are a few packages for repository mirroring.

       It definitely doesn't fit on anything except BD-XL discs.
       
 (DIR) Post #An2eupyMR7RuQYWJDk by lanodan@queer.hacktivis.me
       2024-10-15T20:43:28.373198Z
       
       0 likes, 0 repeats
       
       @lispi314 @wolf480pl @nytpu Well neither do current AAA video games either, so fair enough if the much more useful thing that is a full distro mirror takes something like a few hundred gigs.

       And I think the best you can currently get on Debian side is a mirror of what's basically ftpmaster@ uploads rather than source repos?
       
 (DIR) Post #AvUXAyalakktIpom4e by SuperDicq@minidisc.tokyo
       2025-06-25T14:25:33.844Z
       
       1 likes, 0 repeats
       
       @wolf480pl@mstdn.io This is one of my main issues I have with Rust actually. Building most Rust software depends on an active internet connection.
       
 (DIR) Post #AvUXbN8gwryUxoGy5Q by Pi_rat@freesoftwareextremist.com
       2025-06-25T14:30:22.307016Z
       
       0 likes, 0 repeats
       
       @SuperDicq @wolf480pl That is extremely shit design if it requires constant internet connection
       
 (DIR) Post #AvUXyrqewGH4ro2dlI by SuperDicq@minidisc.tokyo
       2025-06-25T14:34:33.979Z
       
       1 likes, 0 repeats
       
       @Pi_rat@freesoftwareextremist.com @wolf480pl@mstdn.io This is indeed the case with much Rust software you download from the internet.

       In order to fix this you have to manually edit your .cargo/config to explicitly say to use your local version of the library (or "crate" as rust calls them, ugh) instead of the one from the internet.

       For example Debian has patched all the Rust software available in their repository to be buildable offline in this way, as Debian does not allow software that can not be built without an internet connection.

       It is described here: https://wiki.debian.org/Rust
       
 (DIR) Post #AvUYdLf5VqPsulvqCW by Pi_rat@freesoftwareextremist.com
       2025-06-25T14:41:56.397665Z
       
       0 likes, 0 repeats
       
       @SuperDicq @wolf480pl Common debian W, I have needed some dpkgs and love them for being hassle free. I liked rust until suiseiseki pointed out it was not completely source available even.
       
 (DIR) Post #AvUYhL3PiJdcBkDFuS by SuperDicq@minidisc.tokyo
       2025-06-25T14:42:36.714Z
       
       0 likes, 0 repeats
       
       @Pi_rat@freesoftwareextremist.com @wolf480pl@mstdn.io
       >it was not completely source available even.

       Wait what?
       
 (DIR) Post #AvUYoNXcrertvhhXX6 by Pi_rat@freesoftwareextremist.com
       2025-06-25T14:43:56.180077Z
       
       0 likes, 0 repeats
       
       @SuperDicq @wolf480pl It cannot be bootstrapped without a blob iirc, cc @Suiseiseki
       
 (DIR) Post #AvUZOkxpG0huzyInwW by SuperDicq@minidisc.tokyo
       2025-06-25T14:50:27.346Z
       
       0 likes, 0 repeats
       
       @Pi_rat@freesoftwareextremist.com @wolf480pl@mstdn.io @Suiseiseki@freesoftwareextremist.com I don't think that's true?
       
 (DIR) Post #AvVo83w3A6CLNuvgPo by r@freesoftwareextremist.com
       2025-06-26T05:10:14.864530Z
       
       1 likes, 0 repeats
       
       @Pi_rat @SuperDicq @Suiseiseki @wolf480pl That's a chicken egg problem and applies to all the self-hosting compilers, not just the rustc.
       
 (DIR) Post #AvVp1R0h4Uk0sSVMm0 by Pi_rat@freesoftwareextremist.com
       2025-06-26T05:20:17.202389Z
       
       1 likes, 0 repeats
       
       @r @Suiseiseki @SuperDicq @wolf480pl Trusting trust eh, https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf

       I would like Suiseiseki to clarify this because he was very sure about this (but when is he not about anything), he could have meant they did not share the code for the blob. I'll defer from posting further as I'm confused.
       
 (DIR) Post #AvVy1e7lDHSL8YzCDo by wolf480pl@mstdn.io
       2025-06-26T07:01:09Z
       
       1 likes, 0 repeats
       
       @Pi_rat @Suiseiseki @r @SuperDicq possibly related: https://guix.gnu.org/en/blog/2023/the-full-source-bootstrap-building-from-source-all-the-way-down/
       
 (DIR) Post #AvWU1cVaPwWkewA5s8 by Suiseiseki@freesoftwareextremist.com
       2025-06-26T12:59:42.070051Z
       
       2 likes, 0 repeats
       
       @Pi_rat @r @SuperDicq @wolf480pl I didn't claim that rustc "couldn't be compiled without a blob".

       I previously pointed out that the compilation process from source is insane, with it being required that you first bootstrap a C++ compiler, then compiling a C++ rust implementation of an old version and then compiling every single rust version in sequence, with hundreds of gigabytes of source files and days of compilation required.

       It is extremely likely that rustc has had multiple backdoors inserted into it at different times, as good luck finding them out of the hundreds of gigabytes of source files and the ridiculous amounts of object code output.

       If there was a working gcc implementation of rust, there could be some confidence that there isn't a backdoor, but rust is such a rusting dumpster of a language that gccrs still cannot compile hello world after 7+ years of work.
       
 (DIR) Post #AvWUBbA2Ha5VNLq7ii by SuperDicq@minidisc.tokyo
       2025-06-26T13:01:28.354Z
       
       0 likes, 0 repeats
       
       @Suiseiseki@freesoftwareextremist.com @Pi_rat@freesoftwareextremist.com @r@freesoftwareextremist.com @wolf480pl@mstdn.io Yeah that's exactly how I thought Rust worked. It doesn't require blobs and is not nonfree, but bootstrapping Rust is a lot more complicated than it has to be, especially when compared to GNU C.
       
 (DIR) Post #AvWUneJ91y3C8jFCvg by Suiseiseki@freesoftwareextremist.com
       2025-06-26T13:08:21.507097Z
       
       0 likes, 0 repeats
       
       @SuperDicq @r @wolf480pl @Pi_rat
       >It doesn't require blobs and is not nonfree

       It's hard to arrive at such a conclusion with certainty, as the core language requires a ridiculous amount of "rust crates" (literally rusty crates), even if you want to do something as simple as print "hello world", which seem to be primarily developed on github and some of which possibly contain object code without source code (the number you would need to check to make sure is unreasonable).
       
 (DIR) Post #AvWXGJZ1R1gk6sT2FU by SuperDicq@minidisc.tokyo
       2025-06-26T13:35:56.861Z
       
       0 likes, 0 repeats
       
       @Suiseiseki@freesoftwareextremist.com @r@freesoftwareextremist.com @wolf480pl@mstdn.io @Pi_rat@freesoftwareextremist.com The amount of code to check is always unreasonable, this is also the case in GCC. Nobody is going to manually read the entire codebase of GCC from front to back before using it.

       I mean I probably trust the maintainers of GCC enough that they would never implement proprietary blobs into their compiler's source tree and that is good enough for me to call it free software, unless someone proves. Same can be said for Rustc I think.
       
 (DIR) Post #AvWXboJWIoKjYoSyeW by Suiseiseki@freesoftwareextremist.com
       2025-06-26T13:39:51.108795Z
       
       0 likes, 0 repeats
       
       @SuperDicq @r @wolf480pl @Pi_rat The codebase of GCC has been checked thoroughly by the GCC maintainers and it is actually possible for one individual to read the C compiler component.

       The rust programmers cannot be trusted like GNU programmers, as they clearly love proprietary software due to their use of github.
       
 (DIR) Post #B0Fe05dYDcp3BwqU6q by wolf480pl@mstdn.io
       2024-10-15T20:51:31Z
       
       1 likes, 0 repeats
       
       @lispi314 @lanodan @nytpu I'd argue deb-src is the canonical source and the git repositories are just a mess I'd rather not have to look into.
       
 (DIR) Post #B0Fe5xFiIy2MvQUaUS by wolf480pl@mstdn.io
       2024-10-15T19:14:33Z
       
       0 likes, 0 repeats
       
       @Sonic2k there are always dependencies to fetch, but there are ways to make them less of a problem:

       - have fewer dependencies
       - have a machine-readable list of dependencies to fetch, fetch all of them up-front, and allow the user to provide their own url or pre-downloaded copy
       - use standardized mechanisms that do the above (eg. your programming language's build system might fit the criteria)
       - use dependencies already packaged by distros

       1/
       
 (DIR) Post #B0Fe5yK0KV40F1VWoi by wolf480pl@mstdn.io
       2024-10-15T19:17:26Z
       
       1 likes, 0 repeats
       
       @Sonic2k - do vendoring (include copy of upstream source code in your source tree, build it as part of building your project).

       Not all of them always work, and each can have drawbacks depending on the situation, but they all beat a custom buildscript that downloads stuff from hardcoded URLs in the middle of the build (which is something I've unfortunately seen).

       2/
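
       The "machine-readable list, fetched up-front, with a user-provided pre-downloaded copy" option from the list above, as an added example that is not code from the thread or any project in it: a POSIX shell fetcher that takes each dependency from a copy in $DEPS_DIR when one is there, downloads only as a fallback and never when OFFLINE=1, and rejects any copy, local or downloaded, whose sha256 differs from the pinned one. The manifest format, the function names and the curl fallback are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): resolve build dependencies from a
# manifest up front, instead of fetching from hardcoded URLs mid-build.
# Manifest lines are "<name> <sha256> <url>"; "#" starts a comment.
# Resolution order: pre-downloaded copy in $DEPS_DIR -> download (unless
# OFFLINE=1). Every copy, local or downloaded, must match the pinned hash.
# The manifest format and function names are assumptions of this example.

DEPS_DIR="${DEPS_DIR:-./deps}"
OFFLINE="${OFFLINE:-0}"

# Portable sha256: GNU coreutils sha256sum or BSD/macOS shasum
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# fetch_dep NAME SHA256 URL: prints the path of a verified copy.
# Exit codes: 1 checksum mismatch, 2 missing while offline, 3 download failed.
fetch_dep() {
    name=$1; want=$2; url=$3
    dest="$DEPS_DIR/$name"
    mkdir -p "$DEPS_DIR"
    if [ ! -f "$dest" ]; then
        if [ "$OFFLINE" = "1" ]; then
            echo "fetch_dep: $name not in $DEPS_DIR and OFFLINE=1" >&2
            return 2
        fi
        # Fallback download goes to a temp name so a partial file is never used
        curl -fsSL -o "$dest.part" "$url" || { rm -f "$dest.part"; return 3; }
        mv "$dest.part" "$dest"
    fi
    got=$(sha256_of "$dest")
    if [ "$got" != "$want" ]; then
        echo "fetch_dep: checksum mismatch for $name: want $want got $got" >&2
        mv "$dest" "$dest.bad"   # keep for inspection, but out of the build's way
        return 1
    fi
    printf '%s\n' "$dest"
}

# fetch_all MANIFEST: resolve every entry before any compilation starts,
# so the build step itself never needs the network.
fetch_all() {
    status=0
    while read -r name sha url; do
        case "$name" in ''|'#'*) continue ;; esac
        fetch_dep "$name" "$sha" "$url" >/dev/null || status=1
    done < "$1"
    return "$status"
}
```

       Running `OFFLINE=1 fetch_all deps.txt` before the build is the desert-island check: it passes only if every pinned dependency is already on disk and intact.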
       
 (DIR) Post #B0Fe63sZfOgfTgihtY by wolf480pl@mstdn.io
       2024-10-15T19:24:24Z
       
       0 likes, 0 repeats
       
       @Sonic2k As for ubuntu - not sure if this is your problem, but one thing I know they do is after they stop support for an old version of Ubuntu, they move the package repository to old-releases.ubuntu.com, so the old repository urls stop working.

       They write more about this issue and how to fix it here: https://help.ubuntu.com/community/EOLUpgrades