[gentoo-user] binary packages: how to ...

[gentoo-user] binary packages: how to ...

[n952162]

[-- Attachment #1: Type: text/plain, Size: 270 bytes --]

binary packages: how to:

 1. find out if a package is binary before you install it (e.g. where on
    app-arch/rar does it say it's a binary package)
 2. inhibit their installation
 3. get a list of the ones installed on a system

Any ideas about that are appreciated.

[-- Attachment #2: Type: text/html, Size: 502 bytes --]

Re: [gentoo-user] binary packages: how to ...

[Ashley Dixon]

[-- Attachment #1: Type: text/plain, Size: 3468 bytes --]

On Tue, Jul 14, 2020 at 11:24:31PM +0200, n952162 wrote:
> binary packages: how to:
> 
> 1. find out if a package is binary before you install it (e.g. where on
>    app-arch/rar does it say it's a binary package)

RAR is an unusual case, with both the "mirror" and "bindist" flags  set  in  the
RESTRICT variable (i.e., Gentoo cannot legally mirror the  package,  and  you're
not allowed to redistribute binaries either).  I couldn't find anything  in  the
ebuild which suggests it is a binary package; perhaps  this  is  something  that
should be reviewed by the Gentoo  developers,  as  most  packages  supporting  a
binary distribution provide a separate package with the `-bin` suffix, although
I suppose this doesn't make much sense when there is no source package.

The entire RAR business model of free decompression  and  paid  compression  has
caused confusion for many people over many decades.  I'd always stick to 7zip or
one of the classic UNIX compression utilities, if I had a choice.

> 2. inhibit their installation

Don't install them. ;-)

More seriously: there's not that many of them, so it's probably  not  a  process
worth automating, unless you're on a  multi-user  machine,  in  which  untrusted
users can install packages -  although  I  think  you'd  have  more  significant
problems at that point.  As you've unfortunately discovered, there isn't much of
a concrete framework in place to automatically  detect  binary  packages,  which
also makes Point (3) difficult.

> 3. get a list of the ones installed on a system

`EIX_LIMIT=0 eix --only-names -I *-bin`, perhaps ?   Unfortunately,  this  won't
catch the unusual cases, as seen with `app-arch/rar`.

> Any ideas about that are appreciated.

[1] might be worth a read; it's quite comprehensive, and  gives  you  a  glimpse
into the inner-workings of Portage, allowing you to fix these  issues  yourself.

Something to note: "bindist", as the USE-flag and RESTRICT option, does not mean
"use a binary distribution", but rather "compile the package in such a way  that
I can redistribute my build without putting myself in a legal problem  with  the
package authors" (this commonly is synonymous with disabling official branding):

$ ash-euses -sk bindist

dev-libs/openssl:bindist - Disable/Restrict EC algorithms (as they seem to be patented) -- note: changes the ABI
dev-libs/openssl-compat:bindist - Disable/Restrict EC algorithms (as they seem to be patented) -- note: changes the ABI
dev-qt/qtnetwork:bindist - Disable EC support via dev-libs/openssl
mail-client/thunderbird:bindist - Disable official Firefox/Thunderbird branding (icons, name) which are not binary-redistributable according to upstream.
media-libs/freetype:bindist - Disable ClearType support (see http://freetype.org/patents.html)
net-libs/liboauth:bindist - Alias for the nss USE flag, since there are license compliancy trouble when using OpenSSL.
net-misc/openssh:bindist - Disable EC/RC5 algorithms in OpenSSL for patent reasons.
sys-apps/ucspi-ssl:bindist - Disable EC/RC5 algorithms in OpenSSL for patent reasons.
www-client/firefox:bindist - Disable official Firefox branding (icons, name) which are not binary-redistributable according to upstream.

        Hope this helps,
        Ashley.

[1] https://wiki.gentoo.org/wiki/Binary_package_guide

-- 

Ashley Dixon
suugaku.co.uk

2A9A 4117
DA96 D18A
8A7B B0D2
A30E BF25
F290 A8AA


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-user] binary packages: how to ...

[Andreas Fink]

On Wed, 15 Jul 2020 00:46:58 +0100
Ashley Dixon <ash@suugaku.co.uk> wrote:

> On Tue, Jul 14, 2020 at 11:24:31PM +0200, n952162 wrote:
> > binary packages: how to:
> >
> > 1. find out if a package is binary before you install it (e.g. where on
> >    app-arch/rar does it say it's a binary package)
>
> RAR is an unusual case, with both the "mirror" and "bindist" flags  set  in  the
> RESTRICT variable (i.e., Gentoo cannot legally mirror the  package,  and  you're
> not allowed to redistribute binaries either).  I couldn't find anything  in  the
> ebuild which suggests it is a binary package; perhaps  this  is  something  that
> should be reviewed by the Gentoo  developers,  as  most  packages  supporting  a
> binary distribution provide a separate package with the `-bin` suffix, although
> I suppose this doesn't make much sense when there is no source package.
>
> The entire RAR business model of free decompression  and  paid  compression  has
> caused confusion for many people over many decades.  I'd always stick to 7zip or
> one of the classic UNIX compression utilities, if I had a choice.
>
> > 2. inhibit their installation
>
> Don't install them. ;-)
>
> More seriously: there's not that many of them, so it's probably  not  a  process
> worth automating, unless you're on a  multi-user  machine,  in  which  untrusted
> users can install packages -  although  I  think  you'd  have  more  significant
> problems at that point.  As you've unfortunately discovered, there isn't much of
> a concrete framework in place to automatically  detect  binary  packages,  which
> also makes Point (3) difficult.
>
> > 3. get a list of the ones installed on a system
>
> `EIX_LIMIT=0 eix --only-names -I *-bin`, perhaps ?   Unfortunately,  this  won't
> catch the unusual cases, as seen with `app-arch/rar`.
>
> > Any ideas about that are appreciated.
>
> [1] might be worth a read; it's quite comprehensive, and  gives  you  a  glimpse
> into the inner-workings of Portage, allowing you to fix these  issues  yourself.
>
> Something to note: "bindist", as the USE-flag and RESTRICT option, does not mean
> "use a binary distribution", but rather "compile the package in such a way  that
> I can redistribute my build without putting myself in a legal problem  with  the
> package authors" (this commonly is synonymous with disabling official branding):
>
> $ ash-euses -sk bindist
>
> dev-libs/openssl:bindist - Disable/Restrict EC algorithms (as they seem to be patented) -- note: changes the ABI
> dev-libs/openssl-compat:bindist - Disable/Restrict EC algorithms (as they seem to be patented) -- note: changes the ABI
> dev-qt/qtnetwork:bindist - Disable EC support via dev-libs/openssl
> mail-client/thunderbird:bindist - Disable official Firefox/Thunderbird branding (icons, name) which are not binary-redistributable according to upstream.
> media-libs/freetype:bindist - Disable ClearType support (see http://freetype.org/patents.html)
> net-libs/liboauth:bindist - Alias for the nss USE flag, since there are license compliancy trouble when using OpenSSL.
> net-misc/openssh:bindist - Disable EC/RC5 algorithms in OpenSSL for patent reasons.
> sys-apps/ucspi-ssl:bindist - Disable EC/RC5 algorithms in OpenSSL for patent reasons.
> www-client/firefox:bindist - Disable official Firefox branding (icons, name) which are not binary-redistributable according to upstream.
>
>         Hope this helps,
>         Ashley.
>
> [1] https://wiki.gentoo.org/wiki/Binary_package_guide
>
Searching for -bin does not help to find binary only packages. Two more
examples, which are binary only:
zoom, skypeforlinux

Searching for -bin mostly (if not always) implies that there would be a
possibility to compile it from source.

In my experience so far, every binary-only package does not have an open
source license. So mostly you'll hit a license issue and you have to
accept the license (/etc/portage/package.license) before you will be
able to merge the package. Any license issue should start make you
thinking what is going on, since it is a potential binary-only package.
Installation of these packages is inhibited by emerge, because you have
to accept the license first ;)
When I look into my /etc/portage/package.license file I get a good idea
of which packages are binary only. Not all of them are pure binary
packages, but it is a superset as far as I can tell.

To conclude: You cannot find out if a package is binary only with
emerge. You have to do the research yourself, but
/etc/portage/package.license is a good starting point to find potential
candidates.

Cheers
Andreas

Re: [gentoo-user] binary packages: how to ...

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 1237 bytes --]

On Wed, 15 Jul 2020 00:46:58 +0100, Ashley Dixon wrote:

> > 1. find out if a package is binary before you install it (e.g. where
> > on app-arch/rar does it say it's a binary package)  
> 
> RAR is an unusual case, with both the "mirror" and "bindist" flags  set
>  in  the RESTRICT variable (i.e., Gentoo cannot legally mirror the
> package,  and  you're not allowed to redistribute binaries either).  I
> couldn't find anything  in  the ebuild which suggests it is a binary
> package;

src_compile() { :; }

This is setting the compile to a NOP, which is a bit of a giveaway.
However, it's not a consistent way of checking, for example skypeforlinux
doesn't specify src_compile at all, which I thought meant it used the
default of running emake().

As Andreas mentioned, the LICENSE setting is probably a more reliable way
of excluding such packages. By only allowing open source licences you
prevent the installation of proprietary binary packages. You can still
install the *-bin packages as they are mostly convenience packages to
save you lengthy compilation by using the developer's provided binary
packages of open source software.


-- 
Neil Bothwick

Help put the "fun" back in "dysfunctional" !

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-user] binary packages: how to ...

[n952162]

On 07/15/20 01:46, Ashley Dixon wrote:
> On Tue, Jul 14, 2020 at 11:24:31PM +0200, n952162 wrote:
>> binary packages: how to:
>>
>> 1. find out if a package is binary before you install it (e.g. where on
>>     app-arch/rar does it say it's a binary package)
> RAR is an unusual case, with both the "mirror" and "bindist" flags  set  in  the
> RESTRICT variable (i.e., Gentoo cannot legally mirror the  package,  and  you're
> not allowed to redistribute binaries either).  I couldn't find anything  in  the
> ebuild which suggests it is a binary package; perhaps  this  is  something  that
> should be reviewed by the Gentoo  developers,  as  most  packages  supporting  a
> binary distribution provide a separate package with the `-bin` suffix, although
> I suppose this doesn't make much sense when there is no source package.
>
> The entire RAR business model of free decompression  and  paid  compression  has
> caused confusion for many people over many decades.  I'd always stick to 7zip or
> one of the classic UNIX compression utilities, if I had a choice.
>
>> 2. inhibit their installation
> Don't install them. ;-)
>
> More seriously: there's not that many of them, so it's probably  not  a  process
> worth automating, unless you're on a  multi-user  machine,  in  which  untrusted
> users can install packages -  although  I  think  you'd  have  more  significant
> problems at that point.  As you've unfortunately discovered, there isn't much of
> a concrete framework in place to automatically  detect  binary  packages,  which
> also makes Point (3) difficult.
>
>> 3. get a list of the ones installed on a system
> `EIX_LIMIT=0 eix --only-names -I *-bin`, perhaps ?   Unfortunately,  this  won't
> catch the unusual cases, as seen with `app-arch/rar`.
>
>> Any ideas about that are appreciated.
> [1] might be worth a read; it's quite comprehensive, and  gives  you  a  glimpse
> into the inner-workings of Portage, allowing you to fix these  issues  yourself.
>
> Something to note: "bindist", as the USE-flag and RESTRICT option, does not mean
> "use a binary distribution", but rather "compile the package in such a way  that
> I can redistribute my build without putting myself in a legal problem  with  the
> package authors" (this commonly is synonymous with disabling official branding):
>
> $ ash-euses -sk bindist
>
> dev-libs/openssl:bindist - Disable/Restrict EC algorithms (as they seem to be patented) -- note: changes the ABI
> dev-libs/openssl-compat:bindist - Disable/Restrict EC algorithms (as they seem to be patented) -- note: changes the ABI
> dev-qt/qtnetwork:bindist - Disable EC support via dev-libs/openssl
> mail-client/thunderbird:bindist - Disable official Firefox/Thunderbird branding (icons, name) which are not binary-redistributable according to upstream.
> media-libs/freetype:bindist - Disable ClearType support (see http://freetype.org/patents.html)
> net-libs/liboauth:bindist - Alias for the nss USE flag, since there are license compliancy trouble when using OpenSSL.
> net-misc/openssh:bindist - Disable EC/RC5 algorithms in OpenSSL for patent reasons.
> sys-apps/ucspi-ssl:bindist - Disable EC/RC5 algorithms in OpenSSL for patent reasons.
> www-client/firefox:bindist - Disable official Firefox branding (icons, name) which are not binary-redistributable according to upstream.
>
>          Hope this helps,
>          Ashley.
>
> [1] https://wiki.gentoo.org/wiki/Binary_package_guide
>

Yes, excellent overview.  Thank you.

Re: [gentoo-user] binary packages: how to ...

[n952162]

On 07/15/20 07:01, Andreas Fink wrote:
> ...
> Searching for -bin does not help to find binary only packages. Two more
> examples, which are binary only:
> zoom, skypeforlinux
>
> Searching for -bin mostly (if not always) implies that there would be a
> possibility to compile it from source.
>
> In my experience so far, every binary-only package does not have an open
> source license. So mostly you'll hit a license issue and you have to
> accept the license (/etc/portage/package.license) before you will be
> able to merge the package. Any license issue should start make you
> thinking what is going on, since it is a potential binary-only package.
> Installation of these packages is inhibited by emerge, because you have
> to accept the license first ;)
> When I look into my /etc/portage/package.license file I get a good idea
> of which packages are binary only. Not all of them are pure binary
> packages, but it is a superset as far as I can tell.
>
> To conclude: You cannot find out if a package is binary only with
> emerge. You have to do the research yourself, but
> /etc/portage/package.license is a good starting point to find potential
> candidates.
>
> Cheers
> Andreas
>
>
>
Yes, the license issue came up, and I pavlov-wise put the exception in. 
I repressed the suspicion that I shouldn't be doing that.

Thank you.

Is there an open-source way to view the contents of a rar archive?

Re: [gentoo-user] binary packages: how to ...

[Neil Bothwick]

[-- Attachment #1: Type: text/plain, Size: 258 bytes --]

On Wed, 15 Jul 2020 12:13:44 +0200, n952162 wrote:

> Is there an open-source way to view the contents of a rar archive?

app-arch/unrar


-- 
Neil Bothwick

Hospitality:  making your guests feel like they're at home, even if you
wish they were.

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-user] binary packages: how to ...

[Rich Freeman]

On Wed, Jul 15, 2020 at 4:06 AM Neil Bothwick <neil@digimed.co.uk> wrote:
>
> As Andreas mentioned, the LICENSE setting is probably a more reliable way
> of excluding such packages. By only allowing open source licences you
> prevent the installation of proprietary binary packages. You can still
> install the *-bin packages as they are mostly convenience packages to
> save you lengthy compilation by using the developer's provided binary
> packages of open source software.

There might be the really odd case of something that has an FOSS
license but which is available binary-only, either because it was
never packaged for Gentoo in source form, or because it actually is a
binary by nature.

These are pretty rare and honestly I'm not sure if we have any in our
repos.  I do remember seeing the odd case of some project that uses
GPL for its license but there is no source.  It wasn't that there
wasn't source code available - the project didn't have any source.
Such as using a GPL license for a photograph or something (not what it
was intended for, but probably not illegal).

In any case, if you set your license filters appropriately, and
bindist appropriately, you will end up with a system that completely
complies with your license requirements, binary packages or otherwise,
so you won't get in trouble for redistribution/etc.

-- 
Rich

Re: [gentoo-user] binary packages: how to ...

[Matt Connell (Gmail)]

On Wed, 2020-07-15 at 12:13 +0200, n952162 wrote:
> Is there an open-source way to view the contents of a rar archive?

The p7zip package, if compiled with the "rar" USE flag, can handle
this, in case you have it already.

Re: [gentoo-user] binary packages: how to ...

[Ashley Dixon]

[-- Attachment #1: Type: text/plain, Size: 781 bytes --]

On Wed, Jul 15, 2020 at 09:29:03AM -0500, Matt Connell (Gmail) wrote:
> On Wed, 2020-07-15 at 12:13 +0200, n952162 wrote:
> > Is there an open-source way to view the contents of a rar archive?
> 
> The p7zip package, if compiled with the "rar" USE flag, can handle
> this, in case you have it already.

This forces the "unRAR" LICENSE on p7zip, as opposed to the Lesser GPL:

        app-arch/p7zip ebuild:
        LICENSE="LGPL-2.1 rar? ( unRAR )"

Unfortunately, as [1] describes, this licence is non-free and GPL-incompatible.
The full text is at `$(q -Ce PORTDIR)/licenses/unRAR`, for your viewing
displeasure.

[1] https://fedoraproject.org/wiki/Licensing:Unrar

-- 

Ashley Dixon
suugaku.co.uk

2A9A 4117
DA96 D18A
8A7B B0D2
A30E BF25
F290 A8AA


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-user] binary packages: how to ...

[Matt Connell (Gmail)]

On Wed, 2020-07-15 at 17:14 +0100, Ashley Dixon wrote:
> This forces the "unRAR" LICENSE on p7zip

Good point.  It should be noted that app-arch/unrar (suggested
elsewhere in the thread) and some other packages for working with rar
achives also require accepting this license.

It seems that in order to un-rar something in a fully free-software-
compatible way, I believe options are limited to using a programming
language library.  dev-python/rarfile is available under the ISC
license, which is listed as GPL compatible.

Re: [gentoo-user] binary packages: how to ...

[David Haller]

Hello,

On Wed, 15 Jul 2020, Matt Connell (Gmail) wrote:
>It seems that in order to un-rar something in a fully free-software-
>compatible way, I believe options are limited to using a programming
>language library.  dev-python/rarfile is available under the ISC
>license, which is listed as GPL compatible.

==== dev-python/rarfile/rarfile-3.1.ebuild ====
RDEPEND="compressed? ( || ( app-arch/unrar app-arch/rar ) )"
====

-dnh

-- 
Microsoft DNS service terminates abnormally when it recieves a response
to a DNS query that was never made.  Fix Information: Run your DNS
service on a different platform.	-- bugtraq

Re: [gentoo-user] binary packages: how to ...

[Ashley Dixon]

[-- Attachment #1: Type: text/plain, Size: 1330 bytes --]

On Wed, Jul 15, 2020 at 07:52:27PM +0200, David Haller wrote:
> ==== dev-python/rarfile/rarfile-3.1.ebuild ====
> RDEPEND="compressed? ( || ( app-arch/unrar app-arch/rar ) )"
> ====

This USE-flag strikes me as slightly nondescript:

$ ash-euses rarfile:compressed
dev-python/rarfile:compressed - Enables the module to support compressed v3
                                archives by calling the app-arch/unrar.

Does this mean that rarfile is compatible with  pre-version#3  archives  without
the `compressed` flag ?  Regardless, the point remains that RAR is a proprietary
format, which inevitably is locked to similarly proprietary (or non-free to some
extent) software.  According to [1] and [2], there does exist an  attempt  at  a
GPL'd implementation of RAR, however its development has since  ceased,  and  it
only supports up to v2 archives.

It seems like every reasonably modern archiving software supporting RAR does  so
via E. Roshal's `unrar`, disallowing the creation of a RAR-creation utility [3].

[1] https://en.wikipedia.org/wiki/RAR_(file_format)#Third-party_software_for_extracting_RAR_files
[2] http://www.unrarlib.org/
[3] https://en.wikipedia.org/wiki/PeaZip#Third-party_technologies

-- 

Ashley Dixon
suugaku.co.uk

2A9A 4117
DA96 D18A
8A7B B0D2
A30E BF25
F290 A8AA


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]