Re: Legal advice regarding the NEW queue

To: debian-devel@lists.debian.org
Subject: Re: Legal advice regarding the NEW queue
From: John Goerzen <jgoerzen@complete.org>
Date: Sun, 06 Feb 2022 10:17:51 -0600
Message-id: <[🔎] 87pmo0x93k.fsf@complete.org>
In-reply-to: <[🔎] 87a6f6a5vm.fsf@hope.eyrie.org>
References: <8cd06e57-14b9-a550-a190-5ddf8e629986@debian.org> <[🔎] 2705192.utMLZZqbz3@localhost> <[🔎] 20220203194008.GA14564@mithrandir.lan.emorrp1.name> <[🔎] 5689758.1FsVo3TvVN@localhost> <[🔎] 878rur2egz.fsf@hands.com> <[🔎] 61FD31DE.2060804@fastmail.fm> <[🔎] 87a6f6a5vm.fsf@hope.eyrie.org>

On Fri, Feb 04 2022, Russ Allbery wrote:

> Scott correctly points out that there are a ton of copyright bugs in
> Debian *anyway*, despite NEW review.  He sees this as a reason for not
> relaxing our review standards.  I see it as the exact opposite: evidence
> that our current review standards are not achieving the 100% correctness
> we have claimed to be striving for, and the nearly complete lack of
> practical consequences for that failure.  It really seems to me like
> evidence that this task is not as important as we think it is.

Well put.  I'd like to expand a bit:

Philip Hands pointed out that we can't download packages in NEW.  It
seems we have a sort of 1990s approach here.

I want to stipulate up-front that it is good and necessary to have
quality controls over what goes into a distribution.

But it is, in 2022, no longer accurate to think that preventing
downloads from NEW prevents Debian from distributing code.  We do, after
all, run salsa, with CI builders, we have people.debian.org, and all
sorts of other places - none of which require any kind of review, at
all.

So if we set aside technical quality, as a legal matter, we have
decided:

1. It is OK to distribute completely unreviewed code from salsa, people,
   planet, etc, etc.

2. It is not OK to distribute unreviewed code from NEW

3. It is not OK to distribute code from unstable or experimental without
   a copyright review

4. It is not OK to distribute code from stable or testing without a
   copyright review

It seems to me that #4 is the strongest argument we can make.  #1 and #2
seem to me practically the same, and even #3 is along those lines.  I
think #1 and #2 are logically inconsistent, in fact.  Perhaps #1 is
inconsistent with all the rest, in fact.

Now to return to your point: I think it is certain that there are even
more un-surfaced issues present on salsa, and yet we have had, AFAIK,
zero issues there.

Is there any fundamental reason that we focus on NEW with such rigidity
other than simply because we always have?

John

Reply to:

References:
- Re: Legal advice regarding the NEW queue
  - From: Scott Kitterman <debian@kitterman.com>
- Re: Legal advice regarding the NEW queue
  - From: Phil Morrell <debian@emorrp1.name>
- Re: Legal advice regarding the NEW queue
  - From: Scott Kitterman <debian@kitterman.com>
- Re: Legal advice regarding the NEW queue
  - From: Philip Hands <phil@hands.com>
- Re: Legal advice regarding the NEW queue
  - From: The Wanderer <wanderer@fastmail.fm>
- Re: Legal advice regarding the NEW queue
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Salsa CI introducing world-writable permissions
Next by Date: Re: Legal advice regarding the NEW queue
Previous by thread: Re: Legal advice regarding the NEW queue
Next by thread: Re: Legal advice regarding the NEW queue
Index(es):
- Date
- Thread