Hi, On 15.03.20 12:55, Michael Lustfield wrote: > Personally, I was shocked when I found out we do review on the same server that > hosts the archive. I would have expected a separate server for review. However, > my expectation comes from younger environments, where CD/CI and extensive code > review processes are expected. When I try to picture how the current system > evolved (more evident as you dig into dak source...), it makes sense. There are two aspects to distribution: a license from the copyright holders, and export permissions from the country where the archive is hosted. Both of these are *currently* rather relaxed in the US, with DMCA safe harbor provisions and a blanket permission to export cryptography (the existence of which Debian had a large hand in), which allows places like Github to operate. It is unclear how much the DMCA protects us if we have a review process before publication (i.e. are we still good if we have any manual step, or must publication be fully automated?), and there is also a bill underway that would tighten requirements on cryptography software again if not defeated. Simon
Attachment:
signature.asc
Description: OpenPGP digital signature