
Re: Bits from the DPL



Hi Ansgar,

On Sat, Oct 04, 2025 at 11:39:52AM +0200, Ansgar 🙀 wrote:
> > If we agree that this is something we agree as a project, the next step
> > is to discuss how to make it feasible — for example, whether the
> > proposed split of responsibilities between the Archive Team and the
> > DFSG/licensing team could help, and what kind of processes or
> > infrastructure improvements would be required.
> 
> If you want guaranteed reaction teams, shifting responsibilities
> doesn't seem relevant. You need to guarantee that people are always
> available, so in practice paid positions as this cannot be guaranteed
> with volunteer work.

I was rather thinking along the lines of automating this process.
According to your insight, how complex would it be to integrate such an
"accidental removal" feature into our software stack? The removal could
even be implemented in a way that makes the affected content temporarily
"not visible to the public" (if I understood the advice I received
correctly).

> And you would need those for all relevant teams and with enough man
> power to handle vacations, sick leave, ...

The advice concerns how Debian should handle potential copyright
violations — cases where code has been published without the right to do
so. As you perfectly know, we do our best to avoid this. It's just for
cases if something might have slipped through.  In the very improbable
case that someone claims the distribution of some code may be unlawful,
Debian needs to react quickly to minimize legal risks. The 48-hour
timeframe mentioned is not a hard rule but an example I came across of
what might be considered “speedy” action in a potential court case; the
key point is that we must not knowingly continue to distribute code that
infringes copyright.

It is therefore in Debian's interest to establish a clear, centralized
process for handling copyright claims. Such a process would take
pressure off individual maintainers and ensure that legal notices are
addressed consistently at the project level. While monitoring for such
issues may be tedious, it is a necessary safeguard for our developers.

> You also have to take into account people building services outside the
> main archive that distribute software artifacts without further
> coordination.
> 
> How much is Debian willing to spend on this?

I would very much welcome it if more developers were financially
supported by companies that benefit from Debian — as is already the case
today. Several companies employ Debian Developers and allow them to
dedicate part of their working time to important Debian work, which is
highly valuable and something I'd be glad to see expanded.

However, the situation we're discussing here doesn't seem like a good
example for that. Unlike the continuous and demanding work done by the
Security Team or the FTP masters — which clearly requires steady
attention and could justify such external sponsorship — handling rare
package removals due to potential copyright issues is not an ongoing
task. In this case, what we mainly need is a clear process and defined
responsibilities to ensure Debian can act safely and consistently,
rather than any form of funded position.

Kind regards
    Andreas.

-- 
https://fam-tille.de

