On Wed, Mar 18, 2020 at 12:25:24PM -0400, Theodore Y. Ts'o wrote: > > 2) We would be very limited in what checks we could actually do on new > > packages. If we look too closely at packages, we stop being a > > distributor, and start being a publisher. I'm not sure that we want to > > move towards just being a distribution platform, rather than actually > > doing QA checks. > > I'm confused. As near as I can tell, we already are looking super > closely at new packages. > Yes, and there's the problem. To move from a situation where we try and say "we're a distributor, not a publisher", then we would need to stop doing some of those checks, or at least work out a way of automating them. Apologies if the below is stuff you already know, but it may be useful for others. Please also note, this is an oversimplification of the way that this all works. There are two models of getting software from third parties into the hands of users - one is to be a "publisher", and one is to be a "distributor". Both are ways of trying to reduce the risk of putting on the web some bad software (as in, trademark infringing, copyright infringing etc). In the "publishing" model, you accept some software from a third party. You then run various checks on it, making sure it has a good licence, it complies with trademark and copyright law, and then we publish it. This is the way that Debian works at the moment. In the "distribution" model, you accept some software from a third party, and put it on the web. You don't look at it closely, but rely on your terms of service which says that the initial uploader is responsible for everything they upload, and making sure it is distributable etc. This is the way that sals/github/google play store etc work. To relieve the work on ftpmasters, some people are suggesting we move from the former to the latter. Now, imagine you have a law suit where Debian has shipped some proprietary code to millions of users. The upstream for this isn't happy. They come to Debian and complain. Debian says "oh, but we're just a distributor. The liability lies with the person who uploaded it". Unfortunately, we're doing checks on the package. Upstream can then claim that becasue we're looking at and approving packages, we're not just a platform who distributes software, we're actively publishing it by having editorial control over what gets published or not. So, to ease the burden on ftp-masters by trying to say that > the responsibility of the right to redistribute of the uploaded > software be moved on the uploader instead as suggested by Alexis, means we need to be very careful about /not/ looking too closely at what we put out. Sorry for the long mail, but hoepfully this clarifies. Neil --
Attachment:
signature.asc
Description: PGP signature