[Discussion] Non-free software points of entry

[Uptorn]

Keeping one's sources.list clear of non-free repositories is no guarantee that one's system will remain free of proprietary software. I have often avoided third party package installers for this reason. If it doesn't come from a Debian mirror, with deb-src available, or if I haven't compiled it from source myself, then I want nothing to do with it. Here are some common vectors:

• Mozilla addons (AMO)
• Other Firefox bits
• Webpage-supplied javascript
• Python Pip
• Ruby Gems

• Rust cargo crates?
• Gnome extensions?
• Kernel modules?
• (Many more that are not at the forefront of my memory)

Some of these are grey area. For example, do we count projects which simply forgot to supply a license as proprietary? As in the Gem example, do accidental inclusions of proprietary software merit distrusting the repo? Interpreted languages, by design must supply source code, so it is only proprietary in legality. But what of interpreted code that is minified or obfuscated in some way? Or what of software that is properly libre but still is textbook malware designed with intent to abuse those who run it?

[lindi]

Fun fact: Debian does include software without source code. Check the game beneath-a-steel-sky. As far as I am aware, even the original developers have lost the source code.

[jmgibson1981]

With all due respect while Debian does the best it can to keep free software and non free separate there is entirely too many ways stuff can get in. They can't catch every single one of them. The only way you can get what you seem to want (by the essence of the thread) is to build your own from LFS / (Gentoo?). Only then will you be 100% aware and able to verify everything that goes in. Unless you do something you are entirely in control of then you can only hope for the best.

[Uptorn]

With all due respect while Debian does the best it can to keep free software and non free separate there is entirely too many ways stuff can get in. They can't catch every single one of them. The only way you can get what you seem to want (by the essence of the thread) is to build your own from LFS / (Gentoo?). Only then will you be 100% aware and able to verify everything that goes in. Unless you do something you are entirely in control of then you can only hope for the best.

Debian and other distributions utilize a build system. If I'm not misunderstanding, each package is compiled from source for each architecture for which it builds successfully, the resulting binaries & packages then distributed via the repository system. There are many reasons that a package may fail to build, one of them being unavailable source files.

I understand that you are probably aware of this, and are simply referring to the licensing. So I think there is a distinction to be made programs which are functionally free (the source is made available) and programs which are legally free via appropriate copyleft licensing.

I only really care about the former. If a package has accidentally included some font or asset which is technically under a proprietary license, as long as it builds and runs from source I'm happy (since I will be using said program privately and not redistributing it (that would then be Debian's problem) )