On 02/08/2025 11:43, Bruno Haible via Cygwin wrote:
> The essence of the GPL is:
>   When someone distributes binaries,
>   they must distribute the corresponding source code too.
>
> This is
>   1. a legal requirement,
>   2. the mechanism that holds the Free Software community together,
>   3. what allows the public to trust these binaries.
>
> Now, for several days (at least since 2025-07-28), the Cygwin
> setup-x86_64.exe (in its default configuration) distributes
> binaries of a package copyrighted by the FSF and under the GPL,
>   * that is obviously modified,
>   * for which no source code is available in the corresponding
>     git repository under https://cygwin.com/cgit/cygwin-packages/.
>
> I contacted the Cygwin maintainer of that package, and they tell me that
>   - it is not an accidentally forgotten "git push" to the git repository,
>   - they need a few more days before they can push the corresponding source
>     code to that repository.
>
> So, the corresponding source code is sitting solely on the Cygwin
> maintainer's disk. If they experience a hard disk crash or if the directory
> with that corresponding source code gets lost through an accidental
> "rm -rf", the corresponding source cannot be distributed any more, ever.
>
> This is a major shortcoming in the Cygwin packaging system. A packaging
> system that distributes more than 9000 packages [1], many of them under GPL
> or LGPL, should not make it so easy to distribute binaries while withholding
> the corresponding source code. In particular:

I feel there must be some miscommunications here, as I am mystified that
the maintainer in question hasn't directed you to the corresponding
source package.

(These can be installed into /usr/src/ using the setup tool, by
selecting the "src?" checkbox after locating the appropriate package and
version)

For exactly the reasons you lay out, it is absolutely mandatory that
those packages exist, are accurate and are provided along with the
install package.

(To quote from [1], "Source tar files should contain the source files,
patches and scripts needed to rebuild the package. [...] As an open
source project, providing this tar file is not optional.")

Given that, if you still think we are not complying with our obligations
under the GPL, can you explain why?

>   * It ought to prevent an accidentally forgotten "git push" to the git
>     repository.
>   * It ought to prevent a maintainer's decision — for whatever reason —
>     to withhold the sources for one week, because
>       - that one week may turn into an indefinite duration, as mentioned
>         above,
>       - this resembles too much the behaviour of Google regarding the Android
>         sources [2], whose purpose it is to limit the influence of the
>         FOSS community. It's a slippery slope, at which end there is
>         proprietary software.
>
> In each https://cygwin.com/packages/summary/<package>-src.html page there is a
> per-version table of the list of source files. I am suggesting that this
> reference gets replaced with a reference to a commit in the source code
> repository (under https://cygwin.com/cgit/cygwin-packages/), that contains
> the _actual_ source files, not only their names. And that a package maintainer
> *cannot* upload binaries for a version without having provided that commit.
>
> Btw, as a user I am thankful for the packaging work that the Cygwin package
> maintainers do. And I understand that a mechanism that limits what they can do
> could be annoying to them. But I think that a mechanism that helps fulfil
> the legal requirements of the GPL can only be beneficial to the Cygwin project.

Nevertheless, I am fully aware that our existing packaging system has
many shortcomings, and I would very much like to evolve it into a system
which reduces the scope for maintainer error and where the sources used
to build a package are more transparently and easily located.
You can see some of the ongoing discussion on that topic at [2].
[1] https://cygwin.com/packaging-package-files.html#files
[2] https://cygwin.com/pipermail/cygwin-apps/2025-July/044394.html