The essence of the GPL is:
  When someone distributes binaries,
  they must distribute the corresponding source code too.

This is
  1. a legal requirement,
  2. the mechanism that holds the Free Software community together,
  3. what allows the public to trust these binaries.

Now, for several days (at least since 2025-07-28), the Cygwin
setup-x86_64.exe (in its default configuration) distributes
binaries of a package copyrighted by the FSF and under the GPL,
  * that is obviously modified,
  * for which no source code is available in the corresponding
    git repository under https://cygwin.com/cgit/cygwin-packages/.

I contacted the Cygwin maintainer of that package, and they tell me that
  - it is not an accidentally forgotten "git push" to the git repository,
  - they need a few more days before they can push the corresponding source
    code to that repository.

So, the corresponding source code is sitting solely on the Cygwin
maintainer's disk. If they experience a hard disk crash or if the directory
with that corresponding source code gets lost through an accidental
"rm -rf", the corresponding source cannot be distributed any more, ever.

This is a major shortcoming in the Cygwin packaging system. A packaging
system that distributes more than 9000 packages [1], many of them under GPL
or LGPL, should not make it so easy to distribute binaries while withholding
the corresponding source code. In particular:
  * It ought to prevent an accidentally forgotten "git push" to the git
    repository.
  * It ought to prevent a maintainer's decision — for whatever reason —
    to withhold the sources for one week, because
      - that one week may turn into an indefinite duration, as mentioned
        above,
      - this resembles too much the behaviour of Google regarding the Android
        sources [2], whose purpose it is to limit the influence of the
        FOSS community. It's a slippery slope, at which end there is
        proprietary software.

In each https://cygwin.com/packages/summary/<package>-src.html page there is a
per-version table of the list of source files. I am suggesting that this
reference gets replaced with a reference to a commit in the source code
repository (under https://cygwin.com/cgit/cygwin-packages/), that contains
the _actual_ source files, not only their names. And that a package maintainer
*cannot* upload binaries for a version without having provided that commit.

Btw, as a user I am thankful for the packaging work that the Cygwin package
maintainers do. And I understand that a mechanism that limits what they can do
could be annoying to them. But I think that a mechanism that helps fulfil
the legal requirements of the GPL can only be beneficial to the Cygwin project.

Best regards,
Bruno

[1] https://cygwin.com/packages/package_list.html
[2] https://www.androidauthority.com/google-android-development-aosp-3538503/