Hello,

Free software enables cooperation in a free society. More precisely, it makes it easy for a user of a package to use a new version where the personal information has been corrected.

The thread in [1] questions our handling of potential cases where a transgender contributor of Guix or one of its packages requests to change their name. While it would be nothing but cruel to deny such a request, I want to consider the broader case of updating personal information in general.

If someone asks you to update your installation of a package to a new tarball with updated personal information (or a new tag in a rewritten history), then in a non-free society, you can only say, “Sorry, I’m not allowed to”. In a free society, you’re allowed to, and you have tools at your fingertips to make sure it’s harmless to you (diff with your old version, if you are alone, or collectively check that it follows semver, remember that it still has all the CVEs, and forget about the old thing).

If accepting such a safe update makes a security system fire false positives (such as guix pull saying there’s a downgrade attack if guix’ history has been safely rewritten), then it’s a limitation of the security system. If it’s too much work to silence this warning for a legitimate reason, then make an announcement about this particular false positive and let the user proceed.

The guix users, I claim, would rather have a distribution of guix (and the packages it provides) with accurate personal information, even if it means being annoyed for a moment with a security system.

Best regards,

Vivien

[1] https://lists.gnu.org/archive/html/guix-devel/2024-03/msg00138.html

P.S. I am desensitized to eye-rolling when I talk about free software ;)