Re: FTP Team -- call for volunteers

On Wed, Mar 18, 2020 at 12:25:24PM -0400, Theodore Y. Ts'o wrote:
> > 2) We would be very limited in what checks we could actually do on new
> > packages. If we look too closely at packages, we stop being a
> > distributor, and start being a publisher. I'm not sure that we want to
> > move towards just being a distribution platform, rather than actually
> > doing QA checks.
> I'm confused.  As near as I can tell, we already are looking super
> closely at new packages.

Yes, and there's the problem. To move from a situation where we try and
say "we're a distributor, not a publisher", then we would need to stop
doing some of those checks, or at least work out a way of automating

Apologies if the below is stuff you already know, but it may be useful
for others. Please also note, this is an oversimplification of the way
that this all works.

There are two models of getting software from third parties into the
hands of users - one is to be a "publisher", and one is to be a
"distributor". Both are ways of trying to reduce the risk of putting
some bad software on the web (as in, trademark infringing, copyright
infringing, etc.).

In the "publishing" model, you accept some software from a third party.
You then run various checks on it, making sure it has a good licence and
that it complies with trademark and copyright law, and then you publish
it. This is the way that Debian works at the moment.

In the "distribution" model, you accept some software from a third
party and put it on the web. You don't look at it closely, but rely on
your terms of service, which say that the initial uploader is
responsible for everything they upload, and for making sure it is
distributable, etc. This is the way that salsa/github/google play store
etc. work.

To relieve the work on ftpmasters, some people are suggesting we move
from the former to the latter.

Now, imagine you have a lawsuit where Debian has shipped some
proprietary code to millions of users. The upstream for this isn't
happy. They come to Debian and complain. Debian says "oh, but we're
just a distributor. The liability lies with the person who uploaded it".

Unfortunately, we're doing checks on the package. Upstream can then
claim that because we're looking at and approving packages, we're not
just a platform who distributes software, we're actively publishing it
by having editorial control over what gets published or not.

So, to ease the burden on ftp-masters by trying to say that
> the responsibility of the right to redistribute of the uploaded
> software be moved on the uploader instead
as suggested by Alexis, means we need to be very careful about /not/
looking too closely at what we put out.

Sorry for the long mail, but hopefully this clarifies.
