
Re: What to do when DD considers policy to be optional? [kubernetes]

Russ Allbery <rra@debian.org> schrieb:
> Michael Lustfield <michael@lustfield.net> writes:
>> One last thing to consider... NEW reviews are already an intense
>> process. If this package hit NEW /and/ we allowed vendored libs, you
>> could safely expect me to never complete that particular review. I doubt
>> I'm the only one; that's essentially ~200 package reviews wrapped into
>> 1.
> I'll repeat a point that I made earlier but put a bit of a sharper point
> on it: We should thoughtfully question whether the current approach to
> license review that we as a project ask ftpmasters to do is a correct
> investment of project resources.

Full ack!

> We do not *have* to do a detailed file-by-file review of the correctness
> of upstream's license metadata when packaging.  This is a choice.  By
> choosing to do this, we absolutely catch bugs... just like we would catch
> bugs if we did a detailed file-by-file review of any other property of
> upstream code.

Or even replace it with automated license detection to spot such bugs (as
provided by tools like Fossology), which could even be an ongoing thing
for every upload instead of "once for the initial upload" and "randomly
when new binary packages appear". Plus everyone keen on reviewing
copyright files is always able to report bugs in the BTS.
