Re: Do we need to hide packages in NEW queue

To: debian-devel@lists.debian.org
Subject: Re: Do we need to hide packages in NEW queue
From: Russ Allbery <rra@debian.org>
Date: Mon, 31 Jan 2022 09:32:18 -0800
Message-id: <[🔎] 87r18ndd5p.fsf@hope.eyrie.org>
In-reply-to: <[🔎] E1nEUUt-008AF8-PW@drop.zugschlus.de> (Marc Haber's message of "Mon, 31 Jan 2022 12:05:23 +0100")
References: <[🔎] YeqL7XiE1Q9PCzWm@an3as.eu> <[🔎] ae00554c41106cb34b2e5caf0d7468a8d5bffec8.camel@debian.org> <[🔎] m3bkzzh7py.fsf@debian.org> <[🔎] 164314389064.312615.9222305474885608025@auryn.jones.dk> <[🔎] 87k0enij6g.fsf@hope.eyrie.org> <[🔎] YfDsUuoNpxK+5WT6@an3as.eu> <[🔎] 20220130192552.7672bc28292279ba3de5b234@paranoici.org> <[🔎] 87a6fdnhk1.fsf@hope.eyrie.org> <[🔎] CAKZYK4-xjsbQg6O-gd_RbG-cCpSVi8YD1QxpG0gs3kfocPNqtw@mail.gmail.com> <[🔎] E1nEUUt-008AF8-PW@drop.zugschlus.de>

Marc Haber <mh+debian-devel@zugschlus.de> writes:

> Even if a lawyer says A, it doesn't buy us anything if J Robert DD gets
> sued and the judge says B, or "not A".

Yes, a legal opinion cannot fully resolve the question, unfortunately,
since it's a risk judgment.  Copyright law is murky enough that it's
unlikely that any lawyer will be willing to guarantee that we won't lose a
lawsuit, and of course no one can guarantee that we won't be sued.

What a lawyer can do is give us a better risk analysis.  How *likely* is
it that we would be sued over such a thing, and if we were, what would
happen then?  How much would it cost us to dispose of the resulting
lawsuit?

I think it's useful to view this as a price.  We're paying a quite
substantial price right now to implement pre-screening.  If we increase
the risk that we may temporarily distribute something that we shouldn't
until we discover that and fix it, that comes with some corresponding
increased risk of a legal cost.  But in the meantime we'd be saving a
substantial pre-screening cost.

A lawyer cannot make that risk trade-off decision for us.  We'll have to
make it as a project.  But my hope would be that they could help put a
number on the likely legal cost in the worst-case scenario and provide
some input into the likelihood of that scenario, and some context in terms
of what other organizations do and what risks it's common to accept and
mediate if it becomes a problem.

My personal guess is that, given how completely casual or even openly
contemptuous most companies are about copyright licensing and how insanely
difficult it's been to get them to face any legal consequences whatsoever,
it seems unlikely that dealing with some licensing issues more reactively
would be a substantial legal risk.  By dealing with them *at all*, and we
would of course continue to hold ourselves to the same high standard that
we always have, we're already doing far better than the industry norm.
But a lawyer would have much more concrete experience and would be able to
provide a far better analysis.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>

Reply to:

References:
- Are libraries with bumped SONAME subject of inspection of ftpmaster or not
  - From: Andreas Tille <andreas@an3as.eu>
- Lottery NEW queue (Re: Are libraries with bumped SONAME subject of inspection of ftpmaster or not
  - From: "M. Zhou" <lumin@debian.org>
- Re: Lottery NEW queue (Re: Are libraries with bumped SONAME subject of inspection of ftpmaster or not
  - From: Vincent Bernat <bernat@debian.org>
- Re: Lottery NEW queue (Re: Are libraries with bumped SONAME subject of inspection of ftpmaster or not
  - From: Jonas Smedegaard <jonas@jones.dk>
- Re: Lottery NEW queue (Re: Are libraries with bumped SONAME subject of inspection of ftpmaster or not
  - From: Russ Allbery <rra@debian.org>
- Do we need to hide packages in NEW queue (Was: Lottery NEW queue (Re: Are libraries with bumped SONAME subject of inspection of ftpmaster or not))
  - From: Andreas Tille <andreas@an3as.eu>
- Re: Do we need to hide packages in NEW queue (Was: Lottery NEW queue (Re: Are libraries with bumped SONAME subject of inspection of ftpmaster or not))
  - From: Francesco Poli <invernomuto@paranoici.org>
- Re: Do we need to hide packages in NEW queue
  - From: Russ Allbery <rra@debian.org>
- Re: Do we need to hide packages in NEW queue
  - From: Stephan Lachnit <stephanlachnit@debian.org>
- Re: Do we need to hide packages in NEW queue
  - From: Marc Haber <mh+debian-devel@zugschlus.de>

Prev by Date: Bug#1004675: ITP: debian-edu-fai -- FAI config space for setting up Debian Edu workstations
Next by Date: Re: Do we need to hide packages in NEW queue
Previous by thread: Re: Do we need to hide packages in NEW queue
Next by thread: Re: Do we need to hide packages in NEW queue
Index(es):
- Date
- Thread