You are not logged in.
Hi, everyone.
Congratulations (and thank you) to all the people involved in Devuan - for your Independence of Thought, and strong adherence to Freedom and diversity ideals. This is truly a great project.
I have only one criticism to make.
Upon installing Devuan, I noticed that (unlike with my fresh Debian installations) the "contrib" and "non-free" repositories are enabled by default. Which is something that I really disagree with. Because, by having such repositories (that depend on, or contain, non-Free Software) enabled, two things can happen.
1) It leaves the end user doubting if only Free Software has been installed on his/her system, after a fresh installation.
2) By having such repositories enabled by default,
a) a more ignorant user might install proprietary software without being aware of such, and
b) even someone who knows what these repositories are, might inadvertently install such proprietary software, either directly or indirectly because of dependencies.
Proprietary software (of which we don't know the source code of) is always a potential security risk. And, the use of such software is also contrary to the principles upon which GNU/Linux was founded. So, the installation of this type of software should always be unencouraged, and only made possible for those who really know what they're doing.
Debian, by default, has these repositories "disabled" (actually, it's not even possible to access them, unless you create entries for them yourself). And, if someone really wants (/needs) to install such type of software, s/he can always find instructions on how to do it on Debian's Wiki pages.
This should also be Devuan's policy. Since that, Devuan distinguishes itself from other GNU/Linux distributions for wanting to be more faithful to the principles upon which GNU/Linux itself was created. And, one of the underlying reasons for concern with the violation of such principles for some of the people who are attracted to Devuan, I believe, is the security risks that are created when we diverge from such principles.
Please, don't make this another Ubuntu-like distribution. One of the reasons why I left Ubuntu for Debian, was exactly the fact that Ubuntu, by default, has all sorts of proprietary programs ready to be installed, if one happens to make the wrong click.
Last edited by Fernando Negro (2018-04-08 09:06:46)
Have no concerns with using proprietary software. Enjoy the "love" from some of this forum's administrators. And, above all, pay no attention to the fact that Dyne.org receives money from the European Commission to fulfil the latter's political projects.
Offline
I think the expert install has a way of choosing what goes into the /etc/apt/sources.list
Expert install is not that hard to do btw, a few more options are available to the user.
Offline
Upon installing Devuan, I noticed that (unlike with my fresh Debian installations) the "contrib" and "non-free" repositories are enabled by default.
Thanks for bringing this up. The issue is already known: https://bugs.devuan.org/db/19/190.html
Are you on jessie or ascii? And could you post your sources.list?
Offline
MSI, that bug did not affect my expert install. I tested a new install tonight to re-create a standard graphical install using NETINSTALL iso and yes it does include non-free in sources.list by default. I will have to do another install using expert to confirm from my iso which i downloaded a few days after release.
Offline
Hello, msi.
You're probably mixing the information on my first/original post together with the one on the first comment to it (by Panopticon)... I'm not talking about any kind of "bug".
When I say that, after a fresh installation of Devuan, I can see that the "non-free" and "contrib" repositories are activated, I'm talking about a normal installation (not one done in the expert mode). That is, one in which the user is not even able to choose what repositories s/he wants to activate. And, to be more precise, the way I installed Devuan (Jessie) was through a regular "Net Install".
Unfortunately, because I can't get 3D acceleration to work in my graphics card in Jessie (either in Devuan's or Debian's) I was forced to install Debian 9 Stretch again on my computer (and am now waiting for Devuan's next stable release). Therefore, I can't copy now what I saw on my "sources.list" file.
But, what I mention is surely something that anyone who has installed Devuan on his/her computer can see for him/herself.
Have no concerns with using proprietary software. Enjoy the "love" from some of this forum's administrators. And, above all, pay no attention to the fact that Dyne.org receives money from the European Commission to fulfil the latter's political projects.
Offline
Have you tried the ascii beta which is forked from Debian Stretch?
https://files.devuan.org/devuan_ascii_beta/
Offline
Yes. And, I would get error messages at boot - again, related to my graphics card. Devuan 2 (beta) is not yet as functional as Debian 9 proper.
Also, Devuan 2 came also with other repositories than "main" activated. And, (for reason no. 1 that I stated on my first post) I don't want to have such an OS installed on my computer.
Have no concerns with using proprietary software. Enjoy the "love" from some of this forum's administrators. And, above all, pay no attention to the fact that Dyne.org receives money from the European Commission to fulfil the latter's political projects.
Offline
Yes. And, I would get error messages at boot - again, related to my graphics card. Devuan 2 (beta) is not yet as functional as Debian 9 proper.
So what did you expect? A fully functional and stable Operating System? Ascii is in beta - that means not finished and it will come with various bugs and issues that the team will sort out before final release. If you want stable and sorted then use Jessie. If your hardware is not supported then consider alternatives. Can you compile, or has someone else already compiled, the driver you need? Should you be using that hardware if the manufacturer doesn't support your required degree of compliance with free software?
Also, Devuan 2 came also with other repositories than "main" activated. And, (for reason no. 1 that I stated on my first post) I don't want to have such an OS installed on my computer.
Debian, by default, has these repositories "disabled" (actually, it's not even possible to access them, unless you create entries for them yourself).
I really don't get this. Over the years I've done more Debian installations than I can count. Not in a single one, that I can remember, have I had to add contrib and non-free. They're there by default. Yesterday I installed Devuan (Jessie) to be my primary operating system on my desktop at home after some months testing. It installed exactly as expected, with contrib and non-free in the sources list. It's up to you whether to install from these sections or, if you like, remove them from your sources list. I try to support the whole 'free' software concept too, but occasionally one must resort to using other sources. As long as you source software from repos like those of Debian or Devuan you will be pretty safe. On this system I only have the mscorefonts installer (needed for compatibility with documents shared with Windows users) and some Realtek firmware (required by my hardware). Even Debian provides a degree of support for the use of non-free software.
a) a more ignorant user might install proprietary software without being aware of such
I'd suggest that the user you're talking about is probably not ignorant at all, rather he simply doesn't care. His computer is a tool and he'll do what he has to to be able to use his machine in the way that he sees fit.
b) even someone who knows what these repositories are, might inadvertently install such proprietary software, either directly or indirectly because of dependencies.
In everyday use this situation is most unlikely. However Stallman does recognise that it occasionally happens in this link. As he says, all you have to do is be aware and avoid it. The risks are the same in both Debian, Devuan and many other distributions.
Since that, Devuan distinguishes itself from other GNU/Linux distributions for wanting to be more faithful to the principles upon which GNU/Linux itself was created.
I think you'll find that Devuan, and the people behind it are no less committed to those principles and that they demonstrated this by forking Debian. That doesn't make them more committed other than that they disagreed with systemd and moved to create an alternative. This one thing distinguishes Devuan, not their degree of commitment to the whole free software concept which is shared by many others who may just happen to support systemd. Of course, their enthusiasm to develop and grow their product does distinguish them from Debian.....and that's one of the reasons I'm here.
Far too many words for something that could have simply been solved in Nano or Synaptic with a few presses of the Backspace or Delete keys.
Offline
So if non-free and contrib are enabled by default, does non-free and contrib packages get installed when you are installing a new devuan or debian system. From what little i know, the base gets installed and then configures apt then installs the rest, desktop standard utils etc? I suppose a lot of people on new hardware would probably have issues without non free software like wifi and modems, display drivers.
Last edited by Panopticon (2018-04-09 11:54:46)
Offline
To clear this up, here's a copy of the message about these issues that I've sent to the devuan-dev mailing list in early March. Unfortunately, it is not accessible through the mailinglist's web archive, so I'm reposting it here:
Hello,
two days ago, I installed Devuan Jessie on a laptop, using the i386
netinstCD image. After the installation was finished and I had booted into the new system, I noticed something strange about /etc/apt/sources.list. While the main package repository, "jessie", only had the "main" section activated, "jessie-security" and "jessie-updates" came with "main" and "non-free":/etc/apt/sources.list on Devuan 1.0.0/jessie: # # deb cdrom:[Debian GNU/Linux 1.0-final _Jessie_ - Official i386 CD Binary-1 20170522-03:52]/ jessie main non-free #deb cdrom:[Debian GNU/Linux 1.0-final _Jessie_ - Official i386 CD Binary-1 20170522-03:52]/ jessie main non-free deb http://de.mirror.devuan.org/merged/ jessie main deb-src http://de.mirror.devuan.org/merged/ jessie main # jessie-security, previously known as 'volatile' deb http://de.mirror.devuan.org/merged/ jessie-security main non-free deb-src http://de.mirror.devuan.org/merged/ jessie-security main non-free # jessie-updates, previously known as 'volatile' deb http://de.mirror.devuan.org/merged/ jessie-updates main non-free deb-src http://de.mirror.devuan.org/merged/ jessie-updates main non-free
When I asked about this on IRC, Irrwahn pointed me to a bug report he had recently filed about what seems to be the same issue in ASCII. That report also shows that if you select to have the backports repo during the expert installation, that one will come with "non-free" in place as well. See: https://bugs.devuan.org/db/19/190.html
Now, it was unclear if the problem is specific to Devuan. So I checked that. I installed both Debian Jessie and Stretch (using i386 netinst) and had a look at their sources.list files. As can be seen below, neither one had "non-free" activated for "security" and "updtaes" by default (Didn't check backports.).
/etc/apt/sources.list on Debian 8.10.0/jessie: # # deb cdrom:[Debian GNU/Linux 8.10.0 _Jessie_ - Official i386 NETINST Binary-1 20171209-21:10]/ jessie main #deb cdrom:[Debian GNU/Linux 8.10.0 _Jessie_ - Official i386 NETINST Binary-1 20171209-21:10]/ jessie main deb http://ftp.de.debian.org/debian/ jessie main deb-src http://ftp.de.debian.org/debian/ jessie main deb http://security.debian.org/ jessie/updates main deb-src http://security.debian.org/ jessie/updates main # jessie-updates, previously known as 'volatile' deb http://ftp.de.debian.org/debian/ jessie-updates main deb-src http://ftp.de.debian.org/debian/ jessie-updates main
/etc/apt/sources.list on Debian 9.3.0/stretch: # # deb cdrom:[Debian GNU/Linux 9.3.0 _Stretch_ - Official i386 NETINST 20171209-13:03]/ stretch main #deb cdrom:[Debian GNU/Linux 9.3.0 _Stretch_ - Official i386 NETINST 20171209-13:03]/ stretch main deb http://debian.inf.tu-dresden.de/debian/ stretch main deb-src http://debian.inf.tu-dresden.de/debian/ stretch main deb http://security.debian.org/debian-security stretch/updates main deb-src http://security.debian.org/debian-security stretch/updates main # stretch-updates, previously known as 'volatile' deb http://debian.inf.tu-dresden.de/debian/ stretch-updates main deb-src http://debian.inf.tu-dresden.de/debian/ stretch-updates main
Looking at the Devuan sources list again, you will notice that the deactivated CD source already has "non-free" in it (also in Irrwahn's bug report) while the Debian versions don't. That's probably the reason why "non-free" ends up being activated for "security" and "updates" after installation. (Btw, why is the CD source in there twice in both the Devuan and Debian versions?)
The question is: Should it be there in the first place? I'm pretty certain it shouldn't. golinux has told me that "non-free" won't be there, if you install using the desktop-live image.
And while we're at it, there's another issue with sources.list that has been there in Jessie and, as Irrwahn's bug report shows, is still present in the ASCII beta: Only "updates" were "previously known as 'volatile'". See: https://bugs.devuan.org/db/15/158.html
So, I guess, this will have to be transformed into some bug reports, supposedly one for Jessie about "non-free" being activated by default and another one for ASCII about "ascii-security" still being labelled "previously known as 'volatile'". I just wanted to post the whole story here before.
Best,
msi
I'm not talking about any kind of "bug".
Looks like you are.
Last edited by msi (2018-04-09 12:07:06)
Offline
The question is: Should it be there in the first place? I'm pretty certain it shouldn't. golinux has told me that "non-free" won't be there, if you install using the desktop-live image.
For the record: The live images don't have contrib and non-free in sources.list, but they do have non-free wireless firmware installed. There's a script you can run that will remove the non-free firmware. It's in /root in the minimal-live and in /usr/local/bin in the desktop-live.
The reasoning behind it is that there are a lot of people who rely on wireless networking, and it's easier to remove the firmware than it is to install it. In fact, with some of the firmware, it would be impossible to install it for use in a live session, because it requires a reboot.
Offline
Hello, msi.
Thank you for your clarification.
Indeed, like you say, in the two latest versions of Debian this doesn't happen. While, in the two versions of Devuan it happens. And, this is why I didn't believe it to be a "bug". Since that,
1) if it was, I would expect the same thing not to happen in the second version. And,
2) if what Devuan does is to only get rid of systemd and its dependencies, I really cannot see why would the developers mess around with the "sources.list" file.
And, this last point is a most pertinent one, to me...
The original Debian code didn't activate the other repositories. So, this is something that was added by Devuan's developers.
And, I cannot see why would someone, in the middle of the process of getting rid of systemd, would need to mess with (i.e. activate some of) the repositories used in the installation.
I really cannot see this as being the result of an "accident". And, can only conceive it as the result of deliberate choice.
(This last one being the main reason why I didn't believe it to be a "bug"...)
Have no concerns with using proprietary software. Enjoy the "love" from some of this forum's administrators. And, above all, pay no attention to the fact that Dyne.org receives money from the European Commission to fulfil the latter's political projects.
Offline
For the record: The live images don't have contrib and non-free in sources.list, but they do have non-free wireless firmware installed. There's a script you can run that will remove the non-free firmware. It's in /root in the minimal-live and in /usr/local/bin in the desktop-live.
Well, that just confirms my suspicion (and proves the point I was making)...
Devuan's developers are, then, adding proprietary software in the installation images (that is not there in Debian's).
This is a big security risk. And, it's starting to make me loose (a lot of) trust in Devuan. Since that, one of the reasons why I want to adopt Devuan is because I see systemd as a great security risk. (And, I will explain this last point of mine in another post.)
Have no concerns with using proprietary software. Enjoy the "love" from some of this forum's administrators. And, above all, pay no attention to the fact that Dyne.org receives money from the European Commission to fulfil the latter's political projects.
Offline
To clear this up even further: The Devuan installation images use a heavily modified version of the Debian Installer. I've just talked to KatolaZ, who is currently the main person working on that. He confirmed that non-free being added by default is considered a genuine bug, which means that it's up for fixing.
Offline
Since that, one of the reasons why I want to adopt Devuan is because I see systemd as a great security risk. (And, I will explain this last point of mine in another post.)
There. I've already posted the main reason why I want to adopt Devuan, in another sub-forum in here: https://dev1galaxy.org/viewtopic.php?id=1986
Have no concerns with using proprietary software. Enjoy the "love" from some of this forum's administrators. And, above all, pay no attention to the fact that Dyne.org receives money from the European Commission to fulfil the latter's political projects.
Offline
fsmithred wrote:For the record: The live images don't have contrib and non-free in sources.list, but they do have non-free wireless firmware installed. There's a script you can run that will remove the non-free firmware. It's in /root in the minimal-live and in /usr/local/bin in the desktop-live.
Well, that just confirms my suspicion (and proves the point I was making)...
Devuan's developers are, then, adding proprietary software in the installation images (that is not there in Debian's).
That's not quite correct. The addition of non-free to sources.list in the installer isos was an error. The addition of non-free wireless firmware in the live isos is the result of a decision. The live isos are frequently used by people to test devuan and by those who prefer to install without a mirror. Without the non-free firmware, a lot of people would not be able to get online and would not even know if their hardware is supported. We made it easy to remove the non-free firmware. If you prefer to have a system that never had it installed, then you can use the regular installer isos.
Note: the above-mentioned bug in the installer has been fixed.
https://git.devuan.org/devuan-packages/ … 7f366965c0
Offline
And, if the user decides to install a proprietary firmware (say, for wireless) during the installation,
With this bug fixed, will s/he be left with only the "main" repository activated, at the end of a fresh installation? (And, not the "contrib" or "non-free" repositories, from where that same firmware is originally from?)
If so, (that is, if the user ends up with proprietary firmware on his/her computer, but with only the "main" repository activated) this can:
1) be misleading - in the way that it might convince the user that only Free Software has been installed on his/her computer, when s/he checks the "sources.list"; and also
2) prevent those same pieces of non-free software from being updated.
Have no concerns with using proprietary software. Enjoy the "love" from some of this forum's administrators. And, above all, pay no attention to the fact that Dyne.org receives money from the European Commission to fulfil the latter's political projects.
Offline
i do not understand this all free ,non-free discusion if your computer has parts that needs non free firmware you have to install it if you are lucky and you don`t you dont that is all that i can see , if there is more to it please enlight me
Just a simple man!
Offline
Fernando,
I don't know much about the inner workings of the debian-installer, but what little I know confirms that it's an ugly hairball. I agree that the user should be alerted to the fact that their hardware might require non-free firmware, they should be given the choice to install it or not, and the appropriate repositories should be included in sources.list.
That's what I recall happening with the devuan jessie installer isos. I've been testing ascii in virtualbox, so I haven't run into any need for firmware. I'm looking into this.
wdq,
Simple answer: It's all about the user being able to make an informed choice.
Edit: In the hardware installs I've done, I chose eth0 for the network instead of wlan0, and the wireless firmware was not installed. No non-free or contrib packages were installed. (intel quad i7, intel graphics, realtek wireless)
Offline
wdq,
The problem I have with non-free software (firmware included) is that, I see all of it as potentially dangerous (ex: https://linux.slashdot.org/story/07/08/ … ox-profile). And, for that reason, I want to either (1) not install it, or (if I really need to) (2) to install it only when I really want and decide to.
And, I can give you an example.
The motherboard I'm using needs a proprietary firmware to reach higher speeds on its Ethernet port. And, because I see such components in my computer that connect to the Internet (Ethernet port, Wi-Fi card) as particularly sensitive components, in terms of security, I don't want to (ever) use any proprietary software (or even just firmware) on those.
So, when Debian asks me, in an installation, if I want to add any proprietary firmware to run on my Ethernet card, I simply choose "No".
But, with Devuan's installer having proprietary firmware in its installation media, I fear that it might add such proprietary firmware (to my Ethernet driver, for example) and not even tell me anything about it.
(Something that, with Debian wouldn't even be possible - because Debian's installer doesn't have any kind of non-free software in it. And, I would have to be the one to - very knowingly and conscientiously - add it myself.)
Last edited by Fernando Negro (2018-04-14 23:03:30)
Have no concerns with using proprietary software. Enjoy the "love" from some of this forum's administrators. And, above all, pay no attention to the fact that Dyne.org receives money from the European Commission to fulfil the latter's political projects.
Offline
I always use the "Expert Graphical Install". It allows the user to choose whether non-free is included. Granted, I haven't tried it without including non-free, so I can't say as to whether that option works in the Expert install. I do know that choosing to not include "deb-src" in the sources.list works...as does including "backports".
Last edited by MiyoLinux (2018-04-14 22:42:06)
I have been Devuanated, and my practice in the art of Devuanism shall continue until my Devuanization is complete. Until then, I will strive to continue in my understanding of Devuanchology, Devuanprocity, and Devuanivity.
Veni, vidi, vici vdevuaned. I came, I saw, I Devuaned.
Offline
Miyo, have you seen the question about non-free in the ascii installer isos? If so, which iso did you use? Thanks.
Offline
Miyo, have you seen the question about non-free in the ascii installer isos? If so, which iso did you use? Thanks.
No sir; I'm not familiar with the question. Here's all that I know...
1. In BOTH the Jessie and Ascii installers, all that I've ever used is the netinstall to install the base system and build from there...
2. In BOTH the Jessie and Ascii installers, I'm given the choice to include non-free during the installation while using the "Expert Graphical Install" option. I always choose to include non-free, so I can't answer as to whether not choosing that option works as far as not including it in the sources.list.
3. In BOTH the Jessie and Ascii netinstallers, I DO KNOW that including "backports" works as does the option to NOT include "deb-src" in the sources.list.
If I have time tomorrow, I will try a basic installation with both Jessie and Ascii...using the "Expert Graphical Installation" to see if choosing NOT to include non-free works.
Sorry that I couldn't be more help now.
I have been Devuanated, and my practice in the art of Devuanism shall continue until my Devuanization is complete. Until then, I will strive to continue in my understanding of Devuanchology, Devuanprocity, and Devuanivity.
Veni, vidi, vici vdevuaned. I came, I saw, I Devuaned.
Offline
Here are my results.
I used the 32 bit netinstall .isos of both Jessie and Ascii. I again used the Expert Graphical Install. During both installations, I chose NOT to include non-free and contrib.
After both installations of the base system, I checked the sources.list with nano. Both installations resulted in...the first line only had main. The lines for security, updates, and backports all had main and non-free. Contrib wasn't included in any lines.
I have been Devuanated, and my practice in the art of Devuanism shall continue until my Devuanization is complete. Until then, I will strive to continue in my understanding of Devuanchology, Devuanprocity, and Devuanivity.
Veni, vidi, vici vdevuaned. I came, I saw, I Devuaned.
Offline
Here are my results. amd64 in all cases. (also posted to devuan-dev mailing list)
Install and Graphical Install (beta netinstall iso and dvd):
installer does not ask about non-free packages.
selecting eth0 results in no non-free firmware installed
selecting wlan0 installs non-free wireless firmware
Expert Install and Expert Graphical Install (only tested dvd):
If you select a mirror, you get asked about non-free packages.
Without a mirror, you do not get asked about non-free.
*** Without a mirror, non-free firmware gets installed regardless of
whether eth0 or wlan0 was configured.
*** With a mirror, wlan0 configured, answer "NO" to the non-free question,
and non-free firmware gets installed anyway.
Note: the sources.list issue seems to be fixed in yesterday's mini.iso.
Offline