Re: What to do when DD considers policy to be optional? [kubernetes]
Russ Allbery <firstname.lastname@example.org> schrieb:
> Michael Lustfield <email@example.com> writes:
>> One last thing to consider... NEW reviews are already an intense
>> process. If this package hit NEW /and/ we allowed vendored libs, you
>> could safely expect me to never complete that particular review. I doubt
>> I'm the only one; that's essentially ~200 package reviews wrapped into
> I'll repeat a point that I made earlier but put a bit of a sharper point
> on it: We should thoughtfully question whether the current approach to
> license review that we as a project ask ftpmasters to do is a correct
> investment of project resources.
> We do not *have* to do a detailed file-by-file review of the correctness
> of upstream's license metadata when packaging. This is a choice. By
> choosing to do this, we absolutely catch bugs... just like we would catch
> bugs if we did a detailed file-by-file review of any other property of
> upstream code.
Or even replace it with automated license detection to spot such bugs (as
provided by tools like Fossology), which could even be an ongoing thing
for every upload instead of "once for the initial upload" and "randomly
when new new binary packages" appear. Plus everyone keen on reviewing
copyright files is always able to report bugs in the BTS.