Walter Lozano · 74bd30cf · 3df5db0b · 6c66a223 · 076dbb51 · f44512a7
--- a/content/concepts/gpl3_free_deltas.md 0 → 100644

+ 220

− 0
+++ b/content/concepts/gpl3_free_deltas.md 0 → 100644

+ 220

− 0
+++
+title = "GPL-3 Deltas Assessment"
+weight = 100
+outputs = [ "html", "pdf-in",]
+date = "2021-06-03"
+++
+
+Apertis as distribution is derived from Debian, from which it takes its philosophy, tools, workflows and
+packages. This provides a solid base on which to build a robust, friendly and mature distribution to suite the needs of very
+demanding markets such as the automotive industry.
+
+One big difference between Apertis and Debian is that [Apertis avoids certain licenses]({{< ref "license-expectations.md" >}}), in order to allow its target market to
+avoid legal issues. Several licenses are consider not friendly to Apertis, GPL-3 being the most important
+one.
+
+As a consequence of this, Apertis adopts a number of strategies to ensure packages meant to 
+be installed on target devices comply with these license restrictions.
+
+Several documents already cover specific cases or scenarios, which present the biggest licensing
+challenges:
+- [GPL-3-free replacements of coreutils]( {{< ref "coreutils-replacement.md" >}} )
+- [License-compliant TLS stack for Apertis targets]( {{< ref "tls-stack.md" >}} )
+- [GPL-3-free replacements of GnuPG]( {{< ref "gnupg-replacement.md" >}} )
+
+Besides the topics covered by the above documents, Apertis implements different strategies to avoid
+such problems. In the cases where package license changed from GPL-2 to GPL-3, Apertis continues
+shipping the last license friendly version of the package, appending the suffix `-gplv2` if it is needed
+to differentiate from the latest version
+
+- readline5 5.2
+- cpio-gplv2 2.8
+- diffutils-gplv2 2.8.1
+- findutils-gplv2 4.2.31
+- grep-gplv2 2.5.1a
+- gzip-gplv2 1.3.12
+- sed-gplv2 4.1.2
+- tar-gplv2 1.17
+
+In other cases, where the license issues was not in the package itself, but in one of its dependencies, Apertis
+tries to avoid the problem by either using a different equivalent dependency or using the last license friendly
+version of it. In those cases where the functionality provided by the dependency is not really required, Apertis
+opts for removing such functionality and in that way dropping the dependency.
+
+# Impact
+
+As discussed in the introduction, depending on the situation the impact of a delta is different. Based on the
+type of delta we can enumerate the following scenarios:
+
+- Delta causes outdated package to be shipped
+- Delta causes alternative package dependency to be used when compared to Debian
+- Delta causes functionality to be disabled
+
+Additionally the following aspects should be taken into account
+- Possibility of delta increment across time
+- Number of packages in the dependency change
+
+## Delta causes outdated package to be shipped
+
+Since Apertis derives from Debian, generally it ships the same version, but as mentioned, in some cases it keeps
+shipping a specific version of a package for the `target` component, while keeping the latest in the `development`
+suite.
+
+In general the impact of this kind of delta is high, since Apertis carries an old version of a package without
+updates and security bugfixes. For this reason deltas under this category should be examined closely, specially
+taking into account the aspects previously mentioned.
+
+Below is a list of packages that are frozen at a specific version previous to the license change
+and the packages that depend on them in the `target` component.
+
+- readline5 (version 5.2)
+    bluez
+    connman
+- cpio-gplv2 (version 2.8)
+    initramfs-tools-core
+- diffutils-gplv2 (version 2.8.1)
+- findutils-gplv2 (version 4.2.31)
+- grep-gplv2 (version 2.5.1a)
+- gzip-gplv2 (version 1.3.12)
+- sed-gplv2 (version 4.1.2)
+- tar-gplv2 (version 1.17)
+    - dpkg
+
+From the list above it clear that `readline5` `cpio-gplv2` and `tar-gplv2` are the package with higher impact in
+the system as they are used by other packages.
+
+## Delta causes alternative package dependency to be used
+
+When it is possible to find an alternative to a package without license issues which provides similar functionality
+and it is present in Debian, the approach used is to switch to it, causing a delta. However, since the functionality
+is kept, the impact of the delta is considered lower than previous cases.
+
+## Delta causes functionality to be disabled
+
+Under some circumstances, Apertis chooses to disable functionality to avoid a license issue. This approach is only
+valid if the functionality is not important, which requires an evaluation. Once it has been decided that the
+functionality is not a strong requirement a delta is introduced to disable it and drop dependencies which use
+unfriendly licenses.
+
+# Package summary
+
+Based on the above comments the following table shows the packages which include delta regarding licensing categorized with
+the following criteria
+
+- DF0 "Disable functionality"
+- DF1 "Disable minor functionality"
+- OP "Outdated package"
+- AP0 "Use alternative outdated package"
+- AP1 "Use alternative package"
+
+|PKG | CATEGORY | INFO|
+|--- | --- | ---|
+|base-files | DF0 | Remove license information for GPL-3 LGPL-3 and MPL-1.1|
+|bind9 | DF0 | Disable libidn2|
+|bluez | AP0 | Use of libreadline-gplv2-dev|
+|connman | AP0 | Use of libreadline-gplv2-dev|
+|coreutils-gplv2 | OP | Outdated GPL-3 free version|
+|cpio-gplv2 | OP | Outdated GPL-3 free version|
+|curl | DF0 | Disable libidn2 librtmp|
+|cyrus-sasl2 | DF0 | Disable saslfinger libdes and krb4|
+|diffutils-gplv2 | OP | Outdated GPL-3 free version|
+|findutils-gplv2 | OP | Outdated GPL-3 free version|
+|flatpak | DF0 | Disable gpg|
+|gnupg2 | ??? | ???|
+|gpgme1.0 | ??? | ???|
+|grep-gplv2 | OP | Outdated GPL-3 free version|
+|gstreamer1.0 | DF1 | Disable libdw|
+|gtk+3.0 | DF1 | Disable cups|
+|gvfs | DF0 | Disable trashlib|
+|gzip-gplv2 | OP | Outdated GPL-3 free version|
+|initramfs-tools | AP0 | Use coreutils-gplv2|
+|libblockdev | DF0 | Disable parted|
+|libcanberra | DF0 | Disable tdb|
+|mesa | DF0 | Disable libefl|
+|mktemp | ??? | Empty package, implemented in coreutils|
+|openssh | ??? | libfido2 libwrap0 ???|
+|ostree | DF0 | Disable libgpgme|
+|pam | DF0 | Replace pam-auth-update, disable NIS|
+|pipewire | DF0 | Disable libsdl2, libjack???|
+|pulseaudio | DF0 | Disable libtdb|
+|realpath | ??? | Not in Debian|
+|sed-gplv2 | OP | Outdated GPL-3 free version|
+|systemd | DF0 | Disable libdw, gnutls, libmicrohttpd|
+|totem-pl-parser | DF1 | Disable libquvi|
+|traprain | ??? | Not in Debian|
+|tumbler | DF0 | Disable gnutls|
+|udisks2 | DF0 | Disable parted|
+|util-linux | DF1 | Disable parse_date|
+|v4l-utils | DF1 | Disable gettext|
+|webkit2gtk | DF1 | Disable libenchant-2|
+|wpa | AP0 | Use of libreadline-gplv2-dev|
+
+# Required Action
+
+We believe that the following actions are required to reduce the impact of this deltas. We have proposed different strategies depending on the impact of delta.
+
+## Delta causes outdated package to be shipped
+
+This type of delta is the most problematic and requires immediate action as these
+packages are currently not receiving security updates and thus present a security risk.
+
+### Package readline5
+
+**Source**: https://tiswww.case.edu/php/chet/readline/rltop.html
+
+The readline5 package ships version 5.2 of GNU readline. It provides a set of functions for use by applications that allow users
+to edit command lines as they are typed in. This same functionality can be provided by:
+
+- [libedit](https://www.thrysoee.dk/editline/): This is an autotool- and libtoolized port of the NetBSD Editline library (libedit). This Berkeley-style
+licensed command line editor library provides generic line editing, history, and tokenization functions, similar
+to those found in GNU Readline.
+
+- [replxx](https://github.com/AmokHuginnsson/replxx): A small, portable GNU readline replacement for Linux, Windows and MacOS which is capable of handling UTF-8
+characters. Unlike GNU readline, which is GPL, this library uses a BSD license and can be used in any kind of program.
+
+**Conclusion**
+
+Since `libedit` is a mature package, based on NetBSD Editline library and is already present in Debian , it is the primary candidate
+as a replacement. The approach in this case is to add support for it as alternative for `readline` in the packages
+which depend on it (`bluez` and `connman`).
+
+### Package cpio-gplv2
+
+**Source**: https://www.gnu.org/software/cpio/
+
+Package cpio-gplv2 ships GNU cpio which is used to copies files into or out of a cpio or tar archive. The archive
+can be another file on the disk, a magnetic tape, or a pipe. This same functionality can be provided by:
+
+- [libarchive](https://www.libarchive.org/): Multi-format archive and compression library, which includes the libarchive library, the bsdtar and
+bsdcpio command-line programs, full test suite, and documentation. 
+
+**Conclusion**
+
+The package `libarchive` is mature and already packaged in Debian. This provides a good base to build a replacement for
+`cpio`. In this case we need to test to see if it can successfully used to build the initramfs used in Apertis.
+
+### Package tar-gplv2
+
+**Source**: https://www.gnu.org/software/tar/
+
+Package tar-gplv2 ships GNU tar which provides the ability to create and manipulate tar
+archives. There is the following alternative with the same functionality:
+
+- [libarchive](https://www.libarchive.org/): Multi-format archive and compression library, which includes the libarchive library, the bsdtar and
+bsdcpio command-line programs, full test suite, and documentation. 
+
+**Conclusion**
+
+The package `libarchive` is a mature and already in Debian, which gives a good basement to build a replacement for
+`tar`. The approach in this case is to test the use case of interest for `target` images, to install packages
+with `dpkg`.
+
+### Package diffutils-gplv2
+
+ver versiones
+
+requiered on package install
+
+ccdiff: could work
+
+colordiff: wrapper