gnu-misc-discuss

Re: Gow, Cygwin alternative refers to GNU programs as open source UNIX t


From: Jean Louis
Subject: Re: Gow, Cygwin alternative refers to GNU programs as open source UNIX tools
Date: Wed, 28 Oct 2020 23:33:43 +0300
User-agent: Mutt/+ (1036f0e) (2020-10-18)

We assume good faith of the author and observe the distribution as an
exercise.

* Kaz Kylheku (gnu-misc-discuss) <936-846-2769@kylheku.com> [2020-10-28 21:11]:
> - gow-utilities-src-0.8.0.tar contains the source code archives of
>   the bundled utilities, but no build scripts or documentation.

That applies to this section:

  1. Source Code.

  The "source code" for a work means the preferred form of the work
for making modifications to it.

and this section of GPL3:

  The "Corresponding Source" for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities.

>   There is not even a hint as to what toolchain is required;

Valid point.

> we can guess from .dll files bundled with the executables that this
> project just extends MSYS (the run-time system for MinGW)
> and thus probably uses the environment with which that is built.

You can guess if you have experience there. We could argue that one
could even guess the license to be GNU GPL if a person has
experience.

All that does not make software compliant.

> - The download links to a "Source code" .zip and .tar.gz file
>   actually lead to archived snapshots of the git repository
>   with all the .exe files and no source code.

Aren't those .VBS files source code? Maybe that is what is meant to
be. Maybe you did not see it as it is bundled together with .EXE
files. To me it looks like a simple shell script could do that. Maybe
Gow is actually just a script? I cannot know as I do not use Windoze,
though I play XBill.

> In fact, there is actually no need to provide that, since those programs
> have upstream repositories which have those.

If the author has modified the software then the modified software has to
be given as source. Original sources no.

When any OS distribution (GNU/Linux, FreeBSD, OpenBSD, Haiku OS, etc.)
makes any modifications, then it does not suffice to provide original
sources; that would be a violation, as modified sources have to be
provided. Some developers in OS distributions have that misconception
and provide links to original servers while having modified the
conveyed software.

In my opinion even the slightest change is important as it can affect the
user, and the user can lose data or get into insecurities. For example
./configure switches are important, as the user has to know how to build
from sources to get the same features in the software.

> Nowadays, distributions don't ship copies of the tarballs; the mainstream
> practice is for build scripts to download tarballs from the original
> upstream locations, or else mirrors, and then cache them locally.

If software is not modified then they could even point out to the
upstream sources without caching locally for distributions.

That is unfair to those who pay for their hosting services. There are
more and more Debian derived distributions so imagine if all those
would be pointing to Debian overloading their servers.

> Even if the build script doesn't do any downloading, if it is obvious
> from its source code that it requires, say, sed-4.2.1-src, then the
> user can manually procure that exact program.

I did not get this fully. Yet to build the program one should not need
to look into the source. All necessary scripts and information have to
help a receiver of the source to build it and easily find that sed is
required. If the user needs to look into the source to find out what is
required, that does not fly.

> What's troubling about the source code archive is that it contains .zip
> files and not original tarballs.

I understand your point, but even the source could be original and
still repackaged in some different archive file or with different gzip
or tar options changing the original md5sums or hashes.

> $ tar tvf gow-utilities-src-0.8.0.tar
> drwxrwxrwx 0/0               0 2014-02-15 10:30 gow-utilities-src-0.8.0/
> -rwxrwxrwx 0/0          368562 2012-09-09 20:08 gow-utilities-src-0.8.0/bc-1.06-2-src.zip
> -rwxrwxrwx 0/0         3796772 2012-09-09 20:09

That is what was strange, yet does not necessarily violate licenses.

It looks like binaries with some sources are together intertwined and
some other sources are outside of one package, so something is
findable in ZIP and something in tar.gz, so it is confusing.

"UNIX tools" is probably a misconception of the author, I am assuming good
faith, yet there is no answer on the issue filed at GitHub.

> So in other words, the sources are repackaged, leading to the
> suspicion that there are alterations.

That is for your sharp eye and I agree with that observation, though
that may not be a general rule. Even if it is in tar.gz or however, they
could be modified.

> Distributions should use the original sources: either pull from the
> real upstream git repositories or what have you or use the official
> release tarballs.

Only if original sources have been used without modifications. But
then the build script must be available too! It is how it works in
almost all OS distributions, there are package managers that usually
can build the package for the user. When designing a package manager
those developers must have been guiding themselves with principles of
compliance to GPL and other licenses.

Though complying with some licenses may be very easy, like those BSD/MIT
licenses that are quite vague:

- user can deliver binary, with or without sources

- binary can be modified, sources not and vice versa

- binary could even include backdoors and malicious software, while
  sources not, and distributor would ask from user to hold him free of
  liabilities. Example is Intel with the Management Engine and
  distribution of MINIX OS in the chip. Huge damage for the world and
  nobody can do anything against it legally due to all
  disclaimers.

> Let's dig into this deeper, using Bison as our focus.  What we find
> inside bison-2.4.1-src.zip is not just the Bison sources, but a tree
> structure containing a build directory and other superfluous
> materials.
> 
> The Bison source is buried in this tree, at the relative path
> 
>    src/bison/2.4.1/bison-2.4.1-src
> 
> This is not identical to GNU Bison 2.4.1.
> 
>    $ diff -urN bison-2.4.1 gow-bison-2.4.1/src/bison/2.4.1/bison-2.4.1-src | wc
>    141896  509172 4155393

Thank you for checking it out, it becomes interesting.

Do you have the ability to actually build it with all your experience?


> The diff exceeds four megabytes!  Some of the changes are due to line ending
> differences: the files have been altered with carriage return characters.
> However, this is not the bulk of it. If we suppress whitespace with -w, the
> diff size is still about the same:
> 
>    $ diff -urNw bison-2.4.1 gow-bison-2.4.1/src/bison/2.4.1/bison-2.4.1-src | wc
>    141757  508598 4150945
> 
> Below is a small sample of the differences, which are serious. What is
> being called bison-2.4.1 is certainly not bison-2.4.1:
> 
> 
> 
> --- bison-2.4.1/doc/bison.1     2008-12-11 14:07:25.000000000 -0800
> +++ gow-bison-2.4.1/src/bison/2.4.1/bison-2.4.1-src/doc/bison.1 2008-12-14
> 04:03:25.000000000 -0800
> @@ -3,7 +3,7 @@
>  .SH NAME
>  bison \- GNU Project parser generator (yacc replacement)
>  .SH SYNOPSIS
> -.B bison
> +.B j:\Devel\bison\2.4.1\bison-2.4.1\src\bison.exe
>  [\fIOPTION\fR]... \fIFILE\fR
>  .SH DESCRIPTION
>  .I Bison
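
Review bot: The SYNOPSIS line now carries an absolute path from a build machine (`j:\Devel\bison\2.4.1\bison-2.4.1\src\bison.exe`) in place of the program name. That is wrong for every reader of the man page and discloses the packager's local directory layout; restore `.B bison`, and if the page is generated during the build, make sure the generator is given the bare program name.
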
> @@ -60,9 +60,12 @@
>  .PP
>  Generate LALR(1) and GLR parsers.
>  .PP
> +
>  Mandatory arguments to long options are mandatory for short options too.
>  The same is true for optional arguments.
> -.SS "Operation modes:"
> +.PP
> +
> +Operation modes:
>  .TP
>  \fB\-h\fR, \fB\-\-help\fR
>  display this help and exit
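
Review bot: Replacing `.SS "Operation modes:"` with `.PP` and a plain text line drops the subsection heading, so the rendered page loses its structure at this point, and the two added blank lines inside the roff source serve no purpose. Keep the `.SS` macro, or explain in a changelog entry why the page was altered in a tree that is labelled as the unmodified 2.4.1 release.
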
> 
> 
> 
> 
> diff -urNw bison-2.4.1/src/main.c
> gow-bison-2.4.1/src/bison/2.4.1/bison-2.4.1-src/src/main.c
> --- bison-2.4.1/src/main.c      2008-11-19 08:57:30.000000000 -0800
> +++ gow-bison-2.4.1/src/bison/2.4.1/bison-2.4.1-src/src/main.c  2008-12-14
> 04:03:00.000000000 -0800
> @@ -55,7 +55,7 @@
>  int
>  main (int argc, char *argv[])
>  {
> -  program_name = argv[0];
> +  set_program_name (argv[0]);
>    setlocale (LC_ALL, "");
>    (void) bindtextdomain (PACKAGE, LOCALEDIR);
>    (void) bindtextdomain ("bison-runtime", LOCALEDIR);
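
Review bot: `set_program_name (argv[0])` is called here but nothing in this hunk declares it or adds an include for it. gnulib's progname module provides a function of that name in progname.h; please confirm that the header and the module's source are part of the shipped tree and are linked, and record this as a change relative to upstream, since the assignment to `program_name` is no longer done in main().
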
> 
> 
> 
> 
> 
> diff -urNw bison-2.4.1/src/Makefile.in
> gow-bison-2.4.1/src/bison/2.4.1/bison-2.4.1-src/src/Makefile.in
> --- bison-2.4.1/src/Makefile.in       2008-12-11 14:05:55.000000000 -0800
> +++
> gow-bison-2.4.1/src/bison/2.4.1/bison-2.4.1-src/src/Makefile.in       
> 2008-12-13
> 09:22:23.000000000 -0800
> @@ -110,7 +110,7 @@
>       relation.$(OBJEXT) scan-code-c.$(OBJEXT) scan-gram-c.$(OBJEXT) \
>       scan-skel-c.$(OBJEXT) state.$(OBJEXT) symlist.$(OBJEXT) \
>       symtab.$(OBJEXT) tables.$(OBJEXT) uniqstr.$(OBJEXT) \
> -     graphviz.$(OBJEXT)
> +     graphviz.$(OBJEXT) bison-res.$(OBJEXT)
>  bison_OBJECTS = $(am_bison_OBJECTS)
>  bison_LDADD = $(LDADD)
>  am__DEPENDENCIES_1 =
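
Review bot: `bison-res.$(OBJEXT)` is appended to the object list directly in Makefile.in, which automake generates from Makefile.am, so the edit is lost the next time the file is regenerated and it applies on every host, not only Windows. Put the object in Makefile.am behind a host conditional and ship the `bison-res.rc` source it is built from.
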
> @@ -367,7 +367,7 @@
>  LTLIBICONV = @LTLIBICONV@
>  LTLIBINTL = @LTLIBINTL@
>  LTLIBOBJS = @LTLIBOBJS@
> -M4 = @M4@
> +M4 = m4.exe
>  MAKEINFO = @MAKEINFO@
>  MKDIR_P = @MKDIR_P@
>  MSGFMT = @MSGFMT@
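
Review bot: `M4 = m4.exe` replaces the configure substitution `@M4@` with a bare file name, so the build runs whichever m4.exe is found first on PATH and ignores what configure detected. Keep `M4 = @M4@` and pass the desired m4 to configure instead, so the tool used is recorded in the build configuration.
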
> @@ -430,6 +430,9 @@
>  USE_NLS = @USE_NLS@
>  VALGRIND = @VALGRIND@
>  VERSION = @VERSION@
> +MAJOR=$(shell echo $(VERSION) | sed -e "s/\..*$$//")
> +MINOR=$(shell echo $(VERSION) | sed -e "s/^[^\.]*\.0*\([0-9]\+\).*$$/\1/")
> +LDFLAGS += -Wl,--major-image-version=$(MAJOR)
> -Wl,--minor-image-version=$(MINOR)
>  VOID_UNSETENV = @VOID_UNSETENV@
>  WARN_CFLAGS = @WARN_CFLAGS@
>  WARN_CXXFLAGS = @WARN_CXXFLAGS@
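
Review bot: The added MAJOR, MINOR and LDFLAGS lines rely on GNU make's `$(shell ...)` and on the GNU sed `\+` operator, and they append the PE-only linker options `--major-image-version` and `--minor-image-version` unconditionally. In a generated Makefile.in this breaks linking on any non-PE target; move the logic to Makefile.am under a Windows host conditional and document the required make and sed.
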
> @@ -508,7 +511,7 @@
>  AM_CFLAGS = $(WARN_CFLAGS) $(WERROR_CFLAGS)
>  AM_CPPFLAGS = -I$(top_srcdir)/lib
>  AM_YFLAGS = "-dv"
> -LDADD = ../lib/libbison.a $(LIBINTL)
> +LDADD = ../lib/libbison.a $(LIBINTL) $(VERSADD)
>  bin_SCRIPTS = $(YACC_SCRIPT)
>  EXTRA_SCRIPTS = yacc
>  bison_SOURCES = \
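
Review bot: `$(VERSADD)` is added to LDADD but is not defined in any of the hunks shown. An undefined make variable expands to nothing without a warning, so either show where it is set and what it links in, or drop it.
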
> @@ -558,7 +561,7 @@
>       $(MAKE) $(AM_MAKEFLAGS) all-am
> 
>  .SUFFIXES:
> -.SUFFIXES: .c .l .o .obj .y
> +.SUFFIXES: .c .l .o .obj .y .rc
>  $(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
>       @for dep in $?; do \
>         case '$(am__configure_deps)' in \
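
Review bot: Adding `.rc` to `.SUFFIXES` has no effect on the resource rule introduced later in this file, because that rule is a pattern rule (`%-res.o: %-res.rc`) and pattern rules do not consult the suffix list. Either remove the `.rc` entry or replace the pattern rule with a suffix rule, so the file uses one mechanism.
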
> @@ -706,6 +709,12 @@
>  @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tables.Po@am__quote@
>  @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/uniqstr.Po@am__quote@
> 
> +# Rule to make compiled resource (Windows)
> +resdir = @top_builddir@/resource
> +vpath %-res.rc $(resdir)
> +%-res.o: %-res.rc
> +     windres --include-dir $(resdir) -i $< -o $@
> +
>  .c.o:
>  @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o
> $@ $<
>  @am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
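
Review bot: The new rule builds `%-res.o`, while the object list earlier in this file names `bison-res.$(OBJEXT)`; if OBJEXT is anything other than `o` no rule matches. The rule also hardcodes `windres` and uses `vpath`, which is GNU make only. Write the target as `%-res.$(OBJEXT)`, take the resource compiler from a configure-detected variable, and state the build-tool requirements in the documentation that accompanies the source.
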
> 
> 
> 
> 
> 

-- 
Jean Louis
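
The comparison discussed in this message (repackaged archives, changed line endings, and real modifications hidden among them) can be automated per file. The following is an added example, not code from the thread or from Gow; the function names are hypothetical and the two trees are small constructed samples, not the real Bison sources.

```python
import hashlib
import tempfile
from pathlib import Path

def _digests(root):
    """Map relative path -> (raw SHA-256, SHA-256 with CRLF folded to LF)."""
    out = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            data = path.read_bytes()
            out[path.relative_to(root).as_posix()] = (
                hashlib.sha256(data).hexdigest(),
                hashlib.sha256(data.replace(b"\r\n", b"\n")).hexdigest())
    return out

def compare_trees(upstream, shipped):
    """Classify every file of `shipped` against the `upstream` release tree."""
    up, sh = _digests(upstream), _digests(shipped)
    report = {k: [] for k in ("identical", "eol_only", "modified", "added", "removed")}
    for rel in sorted(set(up) | set(sh)):
        if rel not in sh:
            report["removed"].append(rel)
        elif rel not in up:
            report["added"].append(rel)
        elif up[rel][0] == sh[rel][0]:
            report["identical"].append(rel)
        elif up[rel][1] == sh[rel][1]:
            report["eol_only"].append(rel)   # only CRLF/LF differs
        else:
            report["modified"].append(rel)   # content changed: source must be conveyed
    return report

def demo():
    """Build two constructed trees in temporary directories and compare them."""
    def write(root, rel, data):
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    with tempfile.TemporaryDirectory() as up, tempfile.TemporaryDirectory() as sh:
        write(up, "src/main.c", b"program_name = argv[0];\n")
        write(sh, "src/main.c", b"set_program_name (argv[0]);\r\n")
        write(up, "README", b"GNU Bison\nparser generator\n")
        write(sh, "README", b"GNU Bison\r\nparser generator\r\n")
        write(up, "COPYING", b"license text\n")
        write(sh, "COPYING", b"license text\n")
        write(sh, "resource/bison-res.rc", b"/* version resource */\n")
        return compare_trees(up, sh)

if __name__ == "__main__":
    print(demo())
```

The `modified` and `added` lists are the files for which pointing at the upstream release is not enough, whatever archive format they arrive in.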


