Re: Reproducible, precompiled .o files: what say policy+gpl?



I am not subscribed to debian-legal.

Glenn Maynard wrote:
> 
> Consider a major, practical reason we require that packages be buildable
> with free tools: so people--both Debian and users--can make fixes to the
> software in the future.

I agree with this. This is also not the point. You keep talking about
a package that can only be built with a non-free compiler. The one in
question can be built with a free or non-free compiler.

> For example, suppose OpenSSL is built with ecc (Expensive C Compiler),
> because it produces faster binaries, the Debian package is created with
> it, and ends up in a stable release.  A security bug is found, and the
> maintainer isn't available.  Can another developer fix this bug?  No:
> you can't possibly make a stable update with a completely different
> compiler, halving the speed and possibly introducing new bugs.  (Debian
> is very conservative and cautious with stable updates; this is one of
> the reasons many people use it.)

Yes. Assuming that OpenSSL will compile properly with both gcc and ecc,
and the source is not using tricks to change functionality when compiled
with one or the other. To me, using ecc or gcc is, or at least should
be, similar to using gcc -O1 or gcc -O9.

Similarly, I do not consider a significant performance boost to be a
change in functionality. I'm thinking something like this:

#ifdef ecc
// this enables the -S option
#elif defined(gcc)
// remove -S, but add in -o instead
#else
// neither -S nor -o available
#endif

In this case, the compiler used would have a significant change in
functionality, and would require the build-dep on ecc, and would be
contrib at best.

> On the same token, users are similarly unable to exercise the level of
> caution needed when making security updates on critical systems, unless
> they subject themselves to whatever non-free license the compiler uses.

gcc is written under the GPL. I can write a non-free program, keep the
source entirely secret, and distribute my program in binary form only,
with a very restrictive license. The gcc license does not contaminate
the resultant binary (unless, of course, I put gcc code in my program).
Similarly, the ecc license should not prevent compiling GPL'd code. If
it did, ecc would be unsuitable for any purpose, period.

> This is a fundamental reason it's required that packages be buildable
> using free tools, and why I don't think "you can build a kind-of similar
> package using free tools, but the one we're giving you can only be built
> with non-free tools" is acceptable.

Again, if it could only be built properly and working with ecc, I will
happily agree with you until the cows come home to roost. This would be a
long time, as cows do not generally roost.

Specifically, this package could be built with either gcc or icc. I will
accept the argument from a pragmatic standpoint, inasmuch as a bug in icc
would be harder to track down, but not from a ``it is a different
package'' because of using icc instead of gcc.

-- 
John H. Robinson, IV          jaqque@debian.org
                                                                 http  ((((
WARNING: I cannot be held responsible for the above,         sbih.org ( )(:[
as apparently my cats have learned how to type.          spiders.html  ((((
