
Re: Bits from the DPL



On 10/3/25 10:16 AM, Adrian Bunk wrote:
> On Fri, Oct 03, 2025 at 08:40:57AM +0200, Andreas Tille wrote:
>> ...
>> One task not yet covered in the draft is package removals. These were
>> missing from the last delegation, though they remain an important
>> responsibility.  Most are routine, but exceptional cases may need faster
>> action:
>>
>>    * If a copyright holder claims a package infringes their rights,
>>      Debian should be able to withdraw it quickly (e.g. within 48h) until
>>      the claim is clarified or resolved. This requires a clearly
>>      responsible team and a visible contact point (e.g. e-mail or web form).
>> ...
>
> Are we able to create new point releases of stable and oldstable within 48h,
> to withdraw the package (and withdraw/update reverse dependencies) there?
>
> A well-known case of claimed copyright infringement that was in the
> courts for two decades affected the Linux kernel.[1] Even in the best
> case where a code fix is available immediately, updating src:linux and
> then rebuilding the installers and then creating new point releases
> would be challenging to do within 48h.

I also find the 48h questionable. If anyone without a contract is relying on us here, that's squarely their problem. And if there is legislation/regulation, it'd be nice to know what the letter is. On the other hand I trust us to get the relevant advice here.

However we could in theory remove the file without rebuilding the indexes. Not a great user experience, especially if all we technically need to do is to e.g. remove a single file. But if it's temporary, maybe it would be an option. OTOH I'd expect stuff post pulling the package to resolve in a matter of weeks to months, right?

Kind regards
Philipp Kern

