Re: Do we need to hide packages in NEW queue
- To: debian-devel@lists.debian.org
- Subject: Re: Do we need to hide packages in NEW queue
- From: Russ Allbery <rra@debian.org>
- Date: Mon, 31 Jan 2022 19:46:37 -0800
- Message-id: <87k0efi6zm.fsf@hope.eyrie.org>
- In-reply-to: <61F8A7B9.9080207@fastmail.fm> (The Wanderer's message of "Mon, 31 Jan 2022 22:23:37 -0500")
- References: <YeqL7XiE1Q9PCzWm@an3as.eu> <ae00554c41106cb34b2e5caf0d7468a8d5bffec8.camel@debian.org> <m3bkzzh7py.fsf@debian.org> <164314389064.312615.9222305474885608025@auryn.jones.dk> <87k0enij6g.fsf@hope.eyrie.org> <YfDsUuoNpxK+5WT6@an3as.eu> <20220130192552.7672bc28292279ba3de5b234@paranoici.org> <87a6fdnhk1.fsf@hope.eyrie.org> <CAKZYK4-xjsbQg6O-gd_RbG-cCpSVi8YD1QxpG0gs3kfocPNqtw@mail.gmail.com> <E1nEUUt-008AF8-PW@drop.zugschlus.de> <87r18ndd5p.fsf@hope.eyrie.org> <61F8A7B9.9080207@fastmail.fm>

The Wanderer <wanderer@fastmail.fm> writes:
> I am not on the inside of these things, certainly, but I have kept my
> eyes open from the outside, and I am not aware of there being any
> mechanism for removing something root-and-branch - across all affected
> versions, however far back those may stretch - from these repositories
> and archive locations once it's made it in. In order to avoid continuing
> to distribute something which we once accepted but which has since been
> deemed legally undistributable (and thus exposing ourselves to
> copyright-infringement lawsuits), we would need to have such a
> mechanism.

The thing is, we need this anyway for something we would legally need to
stop distributing, since otherwise we would be expecting ftp-master review
to be perfect *and* to never introduce unredistributable content in a
package update that doesn't go through NEW. I don't think either of those
are realistic (or fair) expectations.

Now, we could defer creating such a thing until we actually need it and
then try to come up with something under emergency circumstances, and
maybe we'd get lucky and never need it. But I think that's also true in
either scenario. I'm not sure that the ftp-master review reduces the
likelihood so much as to change the risk analysis that much. (But that
could well be a point of disagreement.)

--
Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>