
T7832: Add documentation about remaining GPL-3 deltas from Debian

Merged Walter Lozano requested to merge wip/wlozano/gpl3_free_deltas into master
+++
title = "GPL-3 Deltas Assessment"
weight = 100
outputs = [ "html", "pdf-in",]
date = "2021-06-03"
+++
Apertis, as a distribution, is derived from Debian, from which it takes its philosophy, tools, workflows and
packages. This provides a solid base on which to build a robust, friendly and mature distribution to suit the needs of very
demanding markets such as the automotive industry.
One big difference between Apertis and Debian is that [Apertis avoids certain licenses]({{< ref "license-expectations.md" >}}), in order to allow its target market to
avoid legal issues. Several licenses are considered not friendly to Apertis, GPL-3 being the most important
one.
As a consequence of this, Apertis adopts a number of strategies to ensure packages meant to
be installed on target devices comply with these license restrictions.
Several documents already cover specific cases or scenarios, which present the biggest licensing
challenges:
- [GPL-3-free replacements of coreutils]( {{< ref "coreutils-replacement.md" >}} )
- [License-compliant TLS stack for Apertis targets]( {{< ref "tls-stack.md" >}} )
- [GPL-3-free replacements of GnuPG]( {{< ref "gnupg-replacement.md" >}} )
Besides the topics covered by the above documents, Apertis implements different strategies to avoid
such problems. In cases where a package's license changed from GPL-2 to GPL-3, Apertis continues
shipping the last license-friendly version of the package, appending the suffix `-gplv2` where it is needed
to differentiate it from the latest version:
- readline5
- cpio-gplv2
- diffutils-gplv2
- findutils-gplv2
- grep-gplv2
- gzip-gplv2
- sed-gplv2
- tar-gplv2
In other cases, where the license issue was not in the package itself but in one of its dependencies, Apertis
tries to avoid the problem by either using a different, equivalent dependency or using the last license-friendly
version of it. In those cases where the functionality provided by the dependency is not really required, Apertis
opts to remove that functionality and thereby drop the dependency.
# Impact
As discussed in the introduction, depending on the situation the impact of a delta is different. Based on the
type of delta we can enumerate the following scenarios:
- Delta causes outdated package to be shipped
- Delta causes alternative package dependency to be used when compared to Debian
- Delta causes functionality to be disabled
Additionally, the following aspects should be taken into account:
- Likelihood that the delta grows over time
- Number of packages in the dependency chain
## Delta causes outdated package to be shipped
Since Apertis derives from Debian, it generally ships the same package versions, but as mentioned, in some cases it keeps
shipping a specific version of a package in the `target` component while keeping the latest one in the `development`
component.
In general the impact of this kind of delta is high, since Apertis carries an old version of a package without upstream
updates and security bugfixes. For this reason deltas in this category should be examined closely, especially
taking into account the aspects mentioned above.
Below is a list of packages that are frozen at a specific version previous to the license change
and the packages that depend on them in the `target` component.
- readline5 (version 5.2)
  - bluez
  - connman
- cpio-gplv2 (version 2.8)
  - initramfs-tools-core
- diffutils-gplv2 (version 2.8.1)
- findutils-gplv2 (version 4.2.31)
- grep-gplv2 (version 2.5.1a)
- gzip-gplv2 (version 1.3.12)
- sed-gplv2 (version 4.1.2)
- tar-gplv2 (version 1.17)
  - dpkg
From the list above it is clear that `readline5`, `cpio-gplv2` and `tar-gplv2` are the packages with the highest impact on
the system, as other packages depend on them.
## Delta causes alternative package dependency to be used
When it is possible to find an alternative package without license issues which provides similar functionality
and is present in Debian, the approach is to switch to it, causing a delta. However, since the functionality
is kept, the impact of this delta is considered lower than in the previous case.
## Delta causes functionality to be disabled
Under some circumstances, Apertis chooses to disable functionality to avoid a license issue. This approach is only
valid if the functionality is not important, which requires an evaluation. Once it has been decided that the
functionality is not a strong requirement a delta is introduced to disable it and drop dependencies which use
unfriendly licenses.
# Package summary
Based on the above, the following table lists the packages that carry a licensing delta, categorized with
the following criteria:
- DF0 "Disable functionality"
- DF1 "Disable minor functionality"
- OP "Outdated package"
- AP0 "Use alternative outdated package"
- AP1 "Use alternative package"
Package |Category |Information
------- |-------- |-----------
base-files |DF0 |Remove license information for GPL-3 LGPL-3 and MPL-1.1
bind9 |DF0 |Disable libidn2
bluez |AP0 |Use of libreadline-gplv2-dev
connman |AP0 |Use of libreadline-gplv2-dev
coreutils-gplv2 |OP |Outdated GPL-3 free version
cpio-gplv2 |OP |Outdated GPL-3 free version
curl |DF0 |Disable libidn2 librtmp
cyrus-sasl2 |DF0 |Disable saslfinger libdes and krb4
diffutils-gplv2 |OP |Outdated GPL-3 free version
findutils-gplv2 |OP |Outdated GPL-3 free version
flatpak |DF0 |Disable gpg
gnupg2 |XXX |XXX
gpgme1.0 |XXX |XXX
grep-gplv2 |OP |Outdated GPL-3 free version
gstreamer1.0 |DF1 |Disable libdw
gtk+3.0 |DF1 |Disable cups
gvfs |DF0 |Disable trashlib
gzip-gplv2 |OP |Outdated GPL-3 free version
initramfs-tools |AP0 |Use coreutils-gplv2
libblockdev |DF0 |Disable parted
libcanberra |DF0 |Disable tdb
mesa |DF0 |Disable libefl
mktemp |XXX |Empty package, implemented in coreutils
openssh |XXX |libfido2 libwrap0 ???
ostree |DF0 |Disable libgpgme
pam |DF0 |Replace pam-auth-update, disable NIS
pipewire |DF0 |Disable libsdl2, libjack???
pulseaudio |DF0 |Disable libtdb
readline5 |OP |Outdated GPL-3 free version
sed-gplv2 |OP |Outdated GPL-3 free version
systemd |DF0 |Disable libdw, gnutls, libmicrohttpd
tar-gplv2 |OP |Outdated GPL-3 free version
totem-pl-parser |DF1 |Disable libquvi
traprain |XXX |Not in Debian
tumbler |DF0 |Disable gnutls
udisks2 |DF0 |Disable parted
util-linux |DF1 |Disable parse_date
v4l-utils |DF1 |Disable gettext
webkit2gtk |DF1 |Disable libenchant-2
wpa |AP0 |Use of libreadline-gplv2-dev
# Required Action
We believe that the following actions are required to reduce the impact of these deltas. Different strategies are proposed depending on the impact of each delta.
## Delta causes outdated package to be shipped
This type of delta is the most problematic and requires immediate action as these
packages are currently not receiving security updates and thus present a security risk.
### Package readline5
**Source**: https://tiswww.case.edu/php/chet/readline/rltop.html
The readline5 package ships version 5.2 of GNU readline. It provides a set of functions for use by applications that allow users
to edit command lines as they are typed in. This same functionality can be provided by:
- [libedit](https://www.thrysoee.dk/editline/): This is an autotool- and libtoolized port of the NetBSD Editline library (libedit). This Berkeley-style
licensed command line editor library provides generic line editing, history, and tokenization functions, similar
to those found in GNU Readline.
  - License: BSD-3-Clause
  - Debian: Present
  - Apertis: Present (target)
- [replxx](https://github.com/AmokHuginnsson/replxx): A small, portable GNU readline replacement for Linux, Windows and MacOS which is capable of handling UTF-8
characters. Unlike GNU readline, which is GPL, this library uses a BSD license and can be used in any kind of program.
  - License: BSD-3-Clause
  - Debian: Not present
  - Apertis: Not present
**Conclusion**
Since `libedit` is a mature package, based on the NetBSD Editline library, and is already present in Apertis, it is the primary candidate
as a replacement. The approach in this case is to add support for it as an alternative to `readline` in the packages
which depend on it (`bluez` and `connman`).
### Package tar-gplv2
**Source**: https://www.gnu.org/software/tar/
Package `tar-gplv2` ships GNU tar, which creates and manipulates tar archives. The following alternatives
provide similar functionality:
- [libarchive](https://www.libarchive.org/): Multi-format archive and compression library, which includes the `libarchive` library, the `bsdtar` and
`bsdcpio` command-line programs, full test suite, and documentation.
  - License: BSD-2-clause
  - Debian: Present
  - Apertis: Present (target)
  - GNU compatibility: Medium, basic set of features
- [busybox tar](https://busybox.net/): BusyBox combines tiny versions of many common UNIX utilities into a single small executable, `tar` among them.
  - License: GPLv2
  - Debian: Present
  - Apertis: Present
  - GNU compatibility: Low, only minimum set of features
- [tar-rs](https://github.com/alexcrichton/tar-rs): Rust library to manage TAR archives.
  - License: Apache
  - Debian: Not present
  - Apertis: Not present
**Conclusion**
The package `libarchive` is mature and already in Apertis. It provides `bsdtar`, which gives a good base on which to build a replacement for
`tar`. The approach in this case is to test the use case that matters for `target` images: installing packages
with `dpkg`, which extracts archive members by invoking `tar`.
Initial tests replacing `tar` with `bsdtar` or `busybox tar` and then installing a package gave the following result:
```
$ sudo apt reinstall libc6
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
libcolord2 libegl1-mesa libsys-cpuaffinity-perl libxdelta2 pbzip2 pixz xdelta xdelta3
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 2,831 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 https://repositories.apertis.org/apertis v2022dev2/target amd64 libc6 amd64 2.31-9apertis2bv2022dev2b1 [2,831 kB]
Fetched 2,831 kB in 3s (887 kB/s)
debconf: unable to initialize frontend: Dialog
debconf: (No usable dialog-like program is installed, so the dialog based frontend cannot be used. at /usr/share/perl5/Debconf/FrontEnd/Dialog.pm line 76, <> line 1.)
debconf: falling back to frontend: Readline
Preconfiguring packages ...
-x -f - --warning=no-timestamp
-x -f -
bsdtar: Option --warning=no-timestamp is not supported
Usage:
List: bsdtar -tf <archive-filename>
Extract: bsdtar -xf <archive-filename>
Create: bsdtar -cf <archive-filename> [filenames...]
Help: bsdtar --help
dpkg-deb: error: tar subprocess returned error exit status 1
dpkg: error processing archive /var/cache/apt/archives/libc6_2.31-9apertis2bv2022dev2b1_amd64.deb (--unpack):
dpkg-deb --control subprocess returned error exit status 2
Errors were encountered while processing:
/var/cache/apt/archives/libc6_2.31-9apertis2bv2022dev2b1_amd64.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)
```
The failure comes from `dpkg-deb` invoking `tar` as `-x -f - --warning=no-timestamp`: `--warning=` is a GNU tar option that `bsdtar` rejects, while the plain `-x -f -` invocation is accepted. After omitting that argument the process finishes without issues.
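As an added example (not dpkg or Apertis code), the following shim shows that workaround in runnable form: installed as `/usr/bin/tar`, it drops the GNU-only `--warning=` option that `dpkg-deb` passes and forwards every other argument unchanged to `bsdtar`. The `BSDTAR` variable, the shim name and the helper functions are assumptions of this example. Only this one allowlisted option is removed; anything else `bsdtar` does not understand still reaches it, so a real incompatibility fails loudly instead of being masked, and the argument list is rebuilt positionally so paths containing whitespace survive intact.

```shell
#!/bin/sh
# Added example, not dpkg or Apertis code: a /usr/bin/tar shim that forwards
# dpkg-deb's GNU tar command line to bsdtar.
#
# Observed failing invocation:  tar -x -f - --warning=no-timestamp
# bsdtar understands -x and -f -; only --warning=... is GNU-specific.
# The binary to exec is taken from $BSDTAR (assumption) and defaults to bsdtar.

# strip_gnu_only_args ARGS...
# Prints the arguments that would be forwarded, one per line (for inspection).
strip_gnu_only_args() {
    for arg in "$@"; do
        case "$arg" in
            --warning=*) ;;               # GNU diagnostics switch: dropped
            *) printf '%s\n' "$arg" ;;    # everything else is forwarded verbatim
        esac
    done
}

# tar_shim ARGS...
# Rebuilds "$@" without the dropped option and execs bsdtar. Rotating the
# positional parameters keeps arguments with whitespace intact (no re-splitting).
tar_shim() {
    n=$#
    while [ "$n" -gt 0 ]; do
        arg=$1
        shift
        case "$arg" in
            --warning=*) ;;
            *) set -- "$@" "$arg" ;;
        esac
        n=$((n - 1))
    done
    exec "${BSDTAR:-bsdtar}" "$@"
}

# Act as the shim only when installed under the name "tar"; sourcing this
# file for testing leaves the functions defined without running anything.
case "${0##*/}" in
    tar) tar_shim "$@" ;;
esac
```

Dropping the option is a one-off workaround for evaluation; the proper fix is either a `dpkg` delta that stops passing `--warning=no-timestamp` or a `bsdtar` that accepts it, otherwise every other consumer of `tar` on the image has to go through the same shim.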
### Package cpio-gplv2
**Source**: https://www.gnu.org/software/cpio/
Package `cpio-gplv2` ships GNU cpio, which copies files into or out of a cpio or tar archive. The archive
can be another file on the disk, a magnetic tape, or a pipe. The same functionality can be provided by:
- [libarchive](https://www.libarchive.org/): Multi-format archive and compression library, which includes the `libarchive` library, the `bsdtar` and
`bsdcpio` command-line programs, full test suite, and documentation.
  - License: BSD-2-clause
  - Debian: Present
  - Apertis: Present
  - GNU compatibility: Medium, basic set of features
- [busybox cpio](https://busybox.net/): BusyBox combines tiny versions of many common UNIX utilities into a single small executable, `cpio` among them.
  - License: GPLv2
  - Debian: Present
  - Apertis: Present
  - GNU compatibility: Low, only minimum set of features
- [cpio-rs](https://github.com/jcreekmore/cpio-rs): Rust library to manage CPIO archives.
  - License: MIT License
  - Debian: Not present
  - Apertis: Not present
**Conclusion**
The package `libarchive` is mature and already packaged in Apertis. It provides `bsdcpio` as a good base on which to build a replacement for
`cpio`. In this case we need to test whether it can be used successfully to build the initramfs used in Apertis.
Initial tests replacing `cpio` with `bsdcpio` and with `busybox cpio` and running `update-initramfs` showed no errors.
### Package diffutils-gplv2
**Source**: https://www.gnu.org/software/diffutils/
Package `diffutils-gplv2` ships GNU diffutils, which provides `diff`, `cmp`, `diff3` and `sdiff` for comparing files. Alternatives to this package include:
- [ccdiff](https://metacpan.org/pod/App::ccdiff): Perl script that provides the same functionality as `diff` while improving the visual output with colors.
  - License: Artistic-2.0
  - Debian: Present
  - Apertis: Not present
  - GNU compatibility: High
  - Runtime dependencies:
    - libalgorithm-diff-xs-perl (not in Apertis - Artistic)
    - libalgorithm-diff-perl (development - Artistic)
    - libscalar-list-utils-perl (development - Artistic)
- [busybox diff](https://busybox.net/): BusyBox combines tiny versions of many common UNIX utilities into a single small executable, `diff` among them.
  - License: GPLv2
  - Debian: Present
  - Apertis: Present
  - GNU compatibility: Low, only minimum set of features
**Conclusion**
Initial tests show the same functionality, very similar arguments and similar output (with added colors) compared to `diff`. Additionally it was found that `diff` is used
on package install by `dpkg`, but the process runs smoothly with `ccdiff` and also with `busybox diff`. The features of `diff3` and `sdiff` are not supported;
however, they are of little value in `target` images.
### Package findutils-gplv2
**Source**: https://www.gnu.org/software/findutils/
Package `findutils-gplv2` ships GNU findutils, a set of basic directory searching utilities. Alternatives to this package include:
- [uutils-findutils](https://github.com/uutils/findutils): A Rust implementation of `findutils`
  - License: MIT License
  - Debian: Not present
  - Apertis: Not present
  - GNU compatibility: High
**Conclusion**
The package `uutils-findutils` is developed by the same community that develops `uutils-coreutils`, which Apertis has chosen
as a replacement for `coreutils` for the following reasons:
- High GNU compatibility
- High community support
- High community impact
- Portability in mind
- Ongoing development
- Implemented in a modern memory-safe language
### Package grep-gplv2
**Source**: https://www.gnu.org/software/grep/
Package `grep-gplv2` ships GNU grep, which searches one or more input files for lines containing a match to a specified pattern. By default,
`grep` outputs the matching lines.
- [ugrep](https://github.com/Genivia/ugrep): Universal grep: an ultra-fast searcher of file systems, text and binary files, source code, archives, compressed files, documents and more, with an interactive query UI.
  - License: BSD-3-Clause License
  - Debian: Present
  - Apertis: Not present
  - GNU compatibility: High
  - Runtime dependencies:
    - libbz2-1.0 (target)
    - libc6 (target)
    - libgcc-s1 (target)
    - liblz4-1 (target)
    - liblzma5 (target)
    - libpcre2-8-0 (target)
    - libstdc++6 (target)
    - libzstd1 (target)
    - zlib1g (target)
- [busybox grep](https://busybox.net/): BusyBox combines tiny versions of many common UNIX utilities into a single small executable, `grep` among them.
  - License: GPLv2
  - Debian: Present
  - Apertis: Present
  - GNU compatibility: Low, only minimum set of features
**Conclusion**
Since `ugrep` is already packaged in Debian, all of its dependencies are already in `target`, and it aims to be
compatible with standard `grep`, it is a good candidate as a replacement.
Initial tests show the same functionality, very similar arguments and the same output as `grep`.
### Package gzip-gplv2
**Source**: https://www.gnu.org/software/gzip/
Package `gzip-gplv2` ships GNU gzip, the compression utility for the gzip (DEFLATE-based) file format.
- [flate2-rs](https://github.com/rust-lang/flate2-rs): Rust library for reading and writing DEFLATE, zlib and gzip streams.
  - License: Apache
  - Debian: Not present
  - Apertis: Not present
**Conclusion**
In order to replace `gzip`, a command-line tool based on `flate2-rs` would have to be developed.
TODO
- Look for additional tools, maybe something from BSD?
### Package sed-gplv2
**Source**: https://www.gnu.org/software/sed/
Package `sed-gplv2` ships GNU sed, a non-interactive stream editor.
- [busybox sed](https://busybox.net/): BusyBox combines tiny versions of many common UNIX utilities into a single small executable, `sed` among them.
  - License: GPLv2
  - Debian: Present
  - Apertis: Present
  - GNU compatibility: Medium, a reduced feature set, but with few differences for common usage
**Conclusion**
In order to provide a replacement for `sed-gplv2`, the use of `busybox sed` is recommended, since no other package depends on it and the
basic functionality provided by `busybox sed` covers the most common use cases.
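The "initial tests" reported above for `ccdiff`, `ugrep` and `busybox sed` compare a candidate against the GNU tool by hand. The following harness is an added example, not Apertis tooling, that makes those comparisons repeatable: the same argument list is run through the reference tool and the candidate over constructed input, and both stdout and the exit status must agree. The helper names (`run_capture`, `compare_tools`, `make_sample`), the sample file contents and the tool names passed in are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Apertis tooling: a reproducible compatibility check
# for candidate replacements of GNU tools (grep vs ugrep, sed vs busybox sed,
# diff vs ccdiff, ...). Tool names are passed as strings and word-split on
# purpose so multi-word commands such as "busybox sed" work.

# run_capture 'CMD' INPUT ARGS...
# Prints CMD's stdout followed by a final "rc=N" line. Folding the exit status
# into the output keeps a non-zero CMD (e.g. grep with no match) from tripping
# `set -e` in the caller while still making the status part of the comparison.
run_capture() {
    cmd=$1
    input=$2
    shift 2
    # shellcheck disable=SC2086  # intentional word splitting of $cmd
    $cmd "$@" < "$input" 2>/dev/null && printf '\nrc=0\n' || printf '\nrc=%s\n' "$?"
}

# compare_tools 'REF' 'CAND' INPUT ARGS...
# Prints "same" when stdout and exit status match, "differ" otherwise, and
# returns 0 / 1 accordingly. A missing candidate shows up as rc=127, i.e. "differ".
compare_tools() {
    ref=$1
    cand=$2
    input=$3
    shift 3
    ref_out=$(run_capture "$ref" "$input" "$@")
    cand_out=$(run_capture "$cand" "$input" "$@")
    if [ "$ref_out" = "$cand_out" ]; then
        echo same
        return 0
    fi
    echo differ
    return 1
}

# make_sample: writes a constructed input file (not real package data) and
# prints its path. The caller removes it.
make_sample() {
    f=$(mktemp) || exit 1
    printf 'Depends: libc6\nVersion: 2.31-9\nnote: CASE matters\n' > "$f"
    echo "$f"
}

# Usage (candidate names are assumptions; run on an image where they exist):
#   f=$(make_sample)
#   compare_tools 'grep' 'ugrep' "$f" -i 'case'
#   compare_tools 'sed'  'busybox sed' "$f" -n 's/^Version: //p'
#   rm -f "$f"
```

Run one line per `grep`/`sed`/`diff` invocation that `dpkg` and the image's maintainer scripts actually use, rather than a generic feature list: a candidate only needs to match the reference on the invocations that reach the `target` image, and any "differ" result points at exactly the argument combination that still needs a compatibility fix.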