Arguing about source inputs (Was: Irregular status update about reproducible Debian live ISO images)

kpcyrd kpcyrd at archlinux.org
Fri Mar 28 18:55:08 UTC 2025 

On 3/28/25 7:18 AM, Marc Haber wrote:
> I think that Debian should not let itself be pulled into that argument 
> twice a month.

+1 (although I can't find the other discussion in the mailing list archive).

> If we did remove that firmware from our live images that would 
> cause especially new users to shrug it off like "oh, Debian doesn't 
> work" and move on to an even less free operating system.

A very long time ago when I switched from Windows to Debian as my first 
Linux distro I also had the "why is my wifi not working"-experience (and 
hated it, as this was my only computer because I was too poor to afford 
a second one I could experiment with, and phones weren't what they are 
these days).

> I move that Debian classifies such crossfire from the FSF, Trisquel etc 
> as trolling and not discuss that any more. We just had that argument two 
> weeks ago for the most recent time. It is a waste of time. We are never 
> going to do everything right from the FSF's point of view.

Since this is posted on a list that is mostly used for supply-chain 
security discussion, I think it's unfortunate how blobs are singled out 
as "this build input is difficult to review because it's not human 
readable", yet xz has shown we aren't really reviewing human readable 
build inputs either (or at least we aren't successful and too easily 
clowned by our own tools).

There's whatsrc that attempts to keep track of what those build inputs 
are (and trying to establish identifiers), in the Rust ecosystem there's 
cargo-crev that's tracking who has read/reviewed which source code 
(instead of just blogging about findings and staying silent about 
everything else), but there are not enough people doing reviews[0] and 
that's about it.

[0]: https://web.crev.dev/rust-reviews/reviewers/

I wish we were in the timeline of binary blobs being the actual problem 
instead of there not being enough interest/incentives to review build 
inputs.

(I obviously still believe connecting binaries to source code with 
reproducible builds as much as possible is useful).

> Just curious, do Ubuntu and Mint get the same amount of "it's not free!" 
> whining than Debian does?

Arch Linux doesn't, but maybe it's because having discord in the package 
repositories is great for managing expectations. People usually 
appreciate our great hardware support.

cheers,
kpcyrd

More information about the rb-general mailing list