Re: Legal advice regarding the NEW queue

On Fri, Feb 04, 2022 at 11:50:20PM +0100, Christian Kastner wrote:
> On 2022-02-04 18:39, Russ Allbery wrote:
> > In other words, this thread is once again drifting into a discussion of
> > how to do copyright review *better*, when my original point is that we
> > should seriously consider not doing the current type of incredibly tedious
> > and nit-picky copyright review *at all*, and instead rely more on
> > upstream's assertions, automated tools, and being reactive in solving the
> > bugs that people actually care about (i.e., notice).
> 
> If we're honest, that's basically how the rest of the open source world
> already operates in general. Our level of scrutiny is a burden that I
> don't see many others sharing.
> 
> Of course "everybody's doing it" doesn't make something right. However,
> when things go wrong, they don't seem to go wrong in the dramatic ways
> we might anticipate them to.
> 
> If GitHub (a Microsoft-owned entity and thus an attractive target for a
> lawsuit) is OK with distributing files uploaded by third parties without
> subjecting them to a manual review process, perhaps we have been
> overthinking the risks here.
>

Just because someone else can't be bothered to do licence review checking
doesn't mean that Debian shouldn't. I'd much rather that packages were
removed in NEW than that they got installed in unstable and we then had
to tell people that they had gone.

There's a huge amount of software that's undistributable: Debian's good faith
attempt to review this is one of the crucial arguments I have with $DAYJOB
about the benefits of a curated distribution, however fallible we may be.

I think we should use automated tools where available, query with upstream
where practicable, and continue doing what we're doing as far as possible,
in my humble opinion.

Reproducible builds and DEP-5 / SPDX are also crucial in improving everyone's 
quality - I don't see commercial/enterprise distributions doing this
valuable public service but I very much value the fact that Debian does
it, for example.

[No particular skin in the game, since I don't upload any package at
the moment but very appreciative of others' efforts]

With every good wish, as ever,

Andy Cater

[amacater@debian.org] 