Mail Archives: cygwin/2025/08/02/12:51:09

To: cygwin AT cygwin DOT com
Subject: the Cygwin packaging system and the GPL
Date: Sat, 02 Aug 2025 12:43:07 +0200
Message-ID: <4993324.vzjCzTo3RI@nimes>
Organization: GNU
MIME-Version: 1.0
From: Bruno Haible via Cygwin <cygwin AT cygwin DOT com>
Reply-To: Bruno Haible <bruno AT clisp DOT org>

The essence of the GPL is:

  When someone distributes binaries,
  they must distribute the corresponding source code too.

This is
  1. a legal requirement,
  2. the mechanism that holds the Free Software community together,
  3. what allows the public to trust these binaries.

Now, for several days (at least since 2025-07-28), the Cygwin
setup-x86_64.exe (in its default configuration) distributes
binaries of a package copyrighted by the FSF and under the GPL,

  * that is obviously modified,

  * for which no source code is available in the corresponding
    git repository under https://cygwin.com/cgit/cygwin-packages/.

I contacted the Cygwin maintainer of that package, and they tell me that
  - it is not an accidentally forgotten "git push" to the git repository,
  - they need a few more days before they can push the corresponding source
    code to that repository.

So, the corresponding source code is sitting solely on the Cygwin
maintainer's disk. If they experience a hard disk crash or if the directory
with that corresponding source code gets lost through an accidental
"rm -rf", the corresponding source cannot be distributed any more, ever.

This is a major shortcoming in the Cygwin packaging system. A packaging
system that distributes more than 9000 packages [1], many of them under GPL
or LGPL, should not make it so easy to distribute binaries while withholding
the corresponding source code. In particular:

  * It ought to prevent an accidentally forgotten "git push" to the git
    repository.

  * It ought to prevent a maintainer's decision — for whatever reason —
    to withhold the sources for one week, because
      - that one week may turn into an indefinite duration, as mentioned
        above,
      - this resembles too much the behaviour of Google regarding the Android
        sources [2], whose purpose it is to limit the influence of the
        FOSS community. It's a slippery slope, at the end of which there is
        proprietary software.

In each https://cygwin.com/packages/summary/<package>-src.html page there is a
per-version table of the list of source files. I am suggesting that this
reference gets replaced with a reference to a commit in the source code
repository (under https://cygwin.com/cgit/cygwin-packages/), that contains
the _actual_ source files, not only their names. And that a package maintainer
*cannot* upload binaries for a version without having provided that commit.

Btw, as a user I am thankful for the packaging work that the Cygwin package
maintainers do. And I understand that a mechanism that limits what they can do
could be annoying to them. But I think that a mechanism that helps fulfill
the legal requirements of the GPL can only be beneficial to the Cygwin project.

Best regards,

       Bruno

[1] https://cygwin.com/packages/package_list.html
[2] https://www.androidauthority.com/google-android-development-aosp-3538503/




-- 
Problem reports:      https://cygwin.com/problems.html
FAQ:                  https://cygwin.com/faq/
Documentation:        https://cygwin.com/docs.html
Unsubscribe info:     https://cygwin.com/ml/#unsubscribe-simple
