Arguing about source inputs (Was: Irregular status update about reproducible Debian live ISO images)
kpcyrd
kpcyrd at archlinux.org
Fri Mar 28 18:55:08 UTC 2025
On 3/28/25 7:18 AM, Marc Haber wrote:
> I think that Debian should not let itself be pulled into that argument
> twice a month.
+1 (although I can't find the other discussion in the mailing list archive).
> If we did remove that firmware from our live images that would
> cause especially new users to shrug it off like "oh, Debian doesn't
> work" and move on to an even less free operating system.
A very long time ago when I switched from Windows to Debian as my first
Linux distro I also had the "why is my wifi not working"-experience (and
hated it, as this was my only computer because I was too poor to afford
a second one I could experiment with, and phones weren't what they are
these days).
> I move that Debian classifies such crossfire from the FSF, Trisquel etc.
> as trolling and not discuss that any more. We just had that argument two
> weeks ago for the most recent time. It is a waste of time. We are never
> going to do everything right from the FSF's point of view.
Since this is posted on a list that is mostly used for supply-chain
security discussion, I think it's unfortunate how blobs are singled out
as "this build input is difficult to review because it's not human
readable", yet xz has shown we aren't really reviewing human readable
build inputs either (or at least we aren't successful and too easily
clowned by our own tools).
There's whatsrc that attempts to keep track of what those build inputs
are (and trying to establish identifiers), in the Rust ecosystem there's
cargo-crev that's tracking who has read/reviewed which source code
(instead of just blogging about findings and staying silent about
everything else), but there are not enough people doing reviews[0] and
that's about it.
[0]: https://web.crev.dev/rust-reviews/reviewers/
I wish we were in the timeline of binary blobs being the actual problem
instead of there not being enough interest/incentives to review build
inputs.
(I obviously still believe connecting binaries to source code with
reproducible builds as much as possible is useful).
> Just curious, do Ubuntu and Mint get the same amount of "it's not free!"
> whining as Debian does?
Arch Linux doesn't, but maybe it's because having Discord in the package
repositories is great for managing expectations. People usually
appreciate our great hardware support.
cheers,
kpcyrd