×
all 25 comments

[–][deleted]  (12 children)

[deleted]

    [–]mana-addict4652 3 points4 points  (7 children)

    I know there's been some mixed thoughts on the old TrueCrypt license but what does that have to do with Veracrypt now and is it really worth moving? Why would they move it now after all this time?

    [–]oreo639 2 points3 points  (6 children)

    It was in the repos because we didn't realize until it was brought up.

    From my understanding the license allows it to be redistributed as a self extracting archive if the archive requires you to accept the license before extracting, which is definitely not the case in xbps. (section VI.4)

    (Hence why it wasn't just moved to the nonfree repos)

    [–]atreyu64 0 points1 point  (5 children)

    That's fine. It can be removed such that users are unable to install it with xbps. But why was it uninstalled from the users (an my) machine? This is the main reason I migrated away from Windows and Ubuntu; I couldn't trust what was happening under the hood without having to dive into pages of changelogs.

    Updates are one thing, removing dead packages and libs is reasonable. Uninstalling an application that someone may rely on crosses a line.

    [–]oreo639 1 point2 points  (4 children)

    We have removed-packages which removes unsupported packages to ensure they don't cause issues with other supported pacakges in the future (i.e. file conflicts, updated/broken dependencies, etc).

    https://github.com/void-linux/void-packages/blob/master/srcpkgs/removed-packages/template

    The veracript was marked as restricted and revbumped and then the pre-restricted version was added to removed-packages. It has since been removed from removed-packages.

    And I agree it probably wasn't necessary in this case.

    [–]atreyu64 0 points1 point  (3 children)

    I understand the need to maintain dependencies and avoid file conflicts. I understand it's a complicated problem to solve. I don't think forcibly removing it from everyone's void install is the solution.

    I'm absolutely gutted that this is the default behavior. Now I have to be vigilant for every single update that I do that it doesn't remove some other application for whatever reason. I have kids, I have a full-time job, I play IT for family members, I don't have time to read every single commit. This really affects my trust in this os.

    I'm both furious and saddened by this.

    [–]paper42_ 6 points7 points  (0 children)

    I don't have time to read every single commit. This really affects my trust in this os.

    Package removals are always visible in the upgrade overview before approving the update. Some packages will just have to be removed. If you find that xbps is trying to remove something you use, you don't have to approve the update, look at recent commits for an explanation or ask.

    [–]ClassAbbyAmplifier 1 point2 points  (1 child)

    you can echo ignorepkg=removed-packages > /etc/xbps.d/no-remove.conf; xbps-remove removed-packages if you really want, and you don't need to be that vigilant, xbps will tell you what it will install/update/remove in every run

    [–]paper42_ 4 points5 points  (0 children)

    Expect your updates to break at some point if you decide to ignore removed-packages.

    [–][deleted] 1 point2 points  (3 children)

    How is it not free?

    https://www.veracrypt.fr/en/VeraCrypt%20License.html

    Every portion of that I just read states that it is free to distribute and use, based on not using Truecrypt in the name. I'm not a lawyer, but it seems fairly clear that this can be distributed, understanding that it must include certain things, etc.

    More importantly, this has been included in Void Linux for a long time and has become part of my work package. To have it removed, without my permission or even a warning, is horrible practice.

    [–]cdqx 1 point2 points  (2 children)

    1. ANYONE WHO USES AND/OR COPIES AND/OR MODIFIES AND/OR CREATES DERIVATIVE WORKS OF AND/OR (RE)DISTRIBUTES THIS PRODUCT, OR ANY PORTION(S) THEREOF, IS, BY SUCH ACTION(S), AGREEING TO BE BOUND BY AND ACCEPTING ALL TERMS AND CONDITIONS OF THIS LICENSE (AND THE RESPONSIBILITIES AND OBLIGATIONS CONTAINED IN THIS LICENSE). IF YOU DO NOT ACCEPT (AND AGREE TO BE BOUND BY) ALL TERMS AND CONDITIONS OF THIS LICENSE, DO NOT USE, COPY, MODIFY, CREATE DERIVATIVE WORKS OF, NOR (RE)DISTRIBUTE THIS PRODUCT, NOR ANY PORTION(S) THEREOF.

    2. IF YOU ARE NOT SURE WHETHER YOU UNDERSTAND ALL PARTS OF THIS LICENSE OR IF YOU ARE NOT SURE WHETHER YOU CAN COMPLY WITH ALL TERMS AND CONDITIONS OF THIS LICENSE, YOU MUST NOT USE, COPY, MODIFY, CREATE DERIVATIVE WORKS OF, NOR (RE)DISTRIBUTE THIS PRODUCT, NOR ANY PORTION(S) OF IT. YOU SHOULD CONSULT WITH A LAWYER.

    3. IF (IN RELEVANT CONTEXT) ANY PROVISION OF CHAPTER IV OF THIS LICENSE IS UNENFORCEABLE, INVALID, OR PROHIBITED UNDER APPLICABLE LAW IN YOUR JURISDICTION, YOU HAVE NO RIGHTS UNDER THIS LICENSE AND YOU MUST NOT USE, COPY, MODIFY, CREATE DERIVATIVE WORKS OF, NOR (RE)DISTRIBUTE THIS PRODUCT, NOR ANY PORTION(S) THEREOF.

    [–][deleted] 0 points1 point  (1 child)

    I'm assuming you're referring to '6'.

    That's not a limitation, that's a condition. Given that Truecrypt/Veracrypt deal with controlled cryptography, this should be expected.

    This is just like coding: IF... then... else... then. These are conditional arguments, not limitational. I've since read up on the arguments against the Truecrypt license and side with those who argued that this is not a limitation on freedom of use.

    Here's the relevant quote: "A conditional statement (also called an If-Then Statement) is a statement with a hypothesis followed by a conclusion. Another way to define a conditional statement is to say, “If this happens, then that will happen.”

    [–]furryfixer 1 point2 points  (0 children)

    u/cdqx did not have the relevant portion. This is it, and there is no way around it. Bold text is my emphasis:

    Subject to the terms and conditions of this License, You may allow a third party to use Your copy of This Product (or a copy that You make and distribute, or Your Product) provided that the third party explicitly accepts and agrees to be bound by all terms and conditions of this License and the third party is not prohibited from using This Product (or portions thereof) by this License (see, e.g., Section VI.7) or by applicable law. However, You are not obligated to ensure that the third party accepts (and agrees to be bound by all terms of) this License if You distribute only the self-extracting package (containing This Product) that does not allow the user to install (nor extract) the files contained in the package until he or she accepts and agrees to be bound by all terms and conditions of this License.

    [–]ClassAbbyAmplifier 4 points5 points  (11 children)

    it is very concerning that there was absolutely no warning about a package being removed on update

    before xbps actually does anything, it shows you exactly what it will do. if a package is going to be removed, it will show "remove" in the Action column. This is one reason you should never use the -y flag unless you know what xbps is going to do.

    [–][deleted] 2 points3 points  (10 children)

    I use:

    $ sudo xbps-install -Suv

    Usually, I look through the changes; I did this time, noting that Firefox, Thunderbird and LibreOffice comprised the bulk of the roughly 1GB download I was facing; however, I must have missed the deinstallation.

    I do not think that Void developers should remove the package if I had it installed for months, or years, prior. At best, they should not offer it for install going forward; however, to go into my system and retroactively remove software, well, that makes them no better than Amazon when it removed George Orwell's book '1984'.

    I've been able to recompile VeraCrypt from their source; however, that's not the larger issue.

    [–]paper42_ 6 points7 points  (2 children)

    I do not think that Void developers should remove the package if I had it installed for months, or years, prior. At best, they should not offer it for install going forward; however, to go into my system and retroactively remove software, well, that makes them no better than Amazon when it removed George Orwell's book '1984'.

    I don't see how that's similar, xbps told you it will be removed and you approved it.

    [–][deleted] 0 points1 point  (1 child)

    Yep - I own that. That's my fault for not paying more attention.

    Back in 1999/2000 timeframe, I used to actually read the code and determine dependency reach for each package I installed on a Linux server; lately, I've not done that, because there are so many packages and dependencies. I've gotten in the habit of trusting Void Linux maintainers. That is my mistake.

    Just because you don't perceive it as similar doesn't mean it is or isn't. I think it is similar. If you read the article, Amazon did an update which removed an installed item. Although Amazon had a small notice about it, both Amazon and the courts, through the settlement, have recognized that Amazon was wrong, both legally and morally.

    Quote: 'Jeff Bezos earlier made an online apology about the deletions, calling the move "stupid, thoughtless, and painfully out of line with our principles." '

    [–]paper42_ 2 points3 points  (0 children)

    Amazon didn't ask and just removed it, xbps asked and then when you approved it, removed it.

    Analogies like the one you are making are tricky to get right and you failed at that. I can try to correct it for you: you went to update your Android phone, skimmed the changeling, hit the upgrade button, rebooted and now there is no Radio app. It turns out the update removed it because xxx reasons and you just missed it in the changelog. You can still install it manually.

    I don't get your point here, should xbps just not remove any packages and let your upgrades break when there is an update to a library that doesn't work with the old removed package?

    No one is asking you to read the code or inspect the dependency tree, we are just expecting that you will read what will happen to your computer before you approve an update. Void is moving forward, if you don't like that, you might want a distribution that doesn't like Ubuntu or non-rawhide Fedora.

    [–][deleted]  (4 children)

    [deleted]

      [–][deleted] 0 points1 point  (3 children)

      Nope, I Amazon'ed it; the fact that Amazon did this to a copy of '1984' is incidental. What Amazon did was remove an item without notifying the product owner.

      It is interesting that you, yourself, correlated '1984' to what happened to my machine; I was correlating it to Amazon.

      [–]paper42_ 3 points4 points  (2 children)

      Are you saying Void removed VeraCrypt from your device without your approval? It didn't.

      [–][deleted] 0 points1 point  (1 child)

      It removed VeraCrypt and fuse-exfat and a couple other things on which VeraCrypt depended.

      An update happened that removed VeraCrypt because package maintainers put it on the removed-package list; it has since been removed from the removed-package list (see above).

      See my response to your statement above. Further, if you look through the removed-package list, those are primarily for controlling versions, at least the several dozen I looked at indicated. They were removed because alternatives were available that did not break dependency between packages.

      This was removed without anything being put in place to replace it and without a warning that I would lose business functionality.

      YOU ARE RIGHT in that IT WAS MY FAULT FOR TRUSTING VOID PACKAGE MAINTAINERS. I was more interested in why I had such a large update than what was being removed, so much so that I overlooked the deinstallation portion.

      Again, Amazon had a tiny, little note about the item removal. It was considered inadequate, by the users, the courts and Amazon, themselves. This is similar.

      [–]paper42_ 3 points4 points  (0 children)

      Further, if you look through the removed-package list, those are primarily for controlling versions, at least the several dozen I looked at indicated. They were removed because alternatives were available that did not break dependency between packages.

      Not really, if something is added to removed-packages, it is removed from your system after you approve it. I don't know what you mean by controlling versions and breaking dependencies, but the version restrictions are there to be able to reintroduce the package in the future. If a package is removed from your system, it's dependencies that are not used by other packages become orphans and will be removed with the next xbps-remove -o after you approve that.

      This was removed without anything being put in place to replace it and without a warning that I would lose business functionality.

      The VeraCrypt restricted package replaces it and again, the warning that VeraCrypt will be removed was there.

      YOU ARE RIGHT in that IT WAS MY FAULT FOR TRUSTING VOID PACKAGE MAINTAINERS

      You might also want to know that if you are using a package that you didn't install manually, it might one day get orphaned and removed. Inspect what your updates will do before running them. For example if you are using gnome-terminal, but you installed it as a dependency of GNOME, one day the package might want to be removed with xbps-remove -o because GNOME will move to use something else.

      Amazon has nothing to do with this, you don't have to mention it in every comment.

      [–]atreyu64 -1 points0 points  (1 child)

      I agree with your sentiment and find it disturbing that a package has been uninstalled by someone else.

      It's the equivalent of buying a car, installing an aftermarket muffler, going in for an oil change, then bringing the car home and realizing the muffler was removed and being told that it was listed in the receipt.

      [–]ahesford 6 points7 points  (0 children)

      This is a ridiculous and inapt analogy.

      You didn't bring your PC into a shop for an update and find out after the fact that things were done without advance notice. XBPS didn't use some automatic update process or other central control mechanism to force the removal while you slept peacefully and unaware. You initiated an update, glossed over the proposed changes and then decided to proceed. You had full control at all times.

      What's more, you have easy recourse to restore the package. The cached package in /var/cache/xbps can just be reinstalled as is. As noted elsewhere, you can ignore removed-packages to avoid this behavior in the future, at the risk of eventual conflicts that you will have to resolve. Furthermore, the template wasn't even removed, just marked restricted, so you can just install the restricted package and not thinking about it until some dependency update requires you to rebuild the package.

      [–]atreyu64 1 point2 points  (0 children)

      I did an update today and it not only removed VeraCrypt, but it also removed fuse-exfat and anything to do with the installation.

      This is concerning to me.

      [–]mysterious7777777 0 points1 point  (0 children)

      There are always a variety of opinions on the way to maintain a distribution. The /usr/local is meant for installing things outside the distribution so they cannot be disturbed or removed during normal updates.

      There have been several times when Void updates caused problems like when I wanted to keep an older version of firefox that was being updated. I put the files to be saved in /usr/local/ with the supporting files needed to keep the old versions running copied from the older versions in /var/cache/xbps.

      So I always backup the older packages stored in /var/cache/xbps for future reference. They can be used for your purposes as explained here with the term "downgrade" aka "unremove":

      https://docs.voidlinux.org/xbps/advanced-usage.html

      EDIT: I use midnight commander (mc) to easily open the .xbps files and copy the required files to /usr/local as needed. The .xbps files are just tar archives so there are many more ways that would work.