Re: Bits from the DPL
On Sun, Oct 05, 2025 at 05:18:33AM +0200, Philipp Kern wrote:
> On 10/3/25 10:16 AM, Adrian Bunk wrote:
> > Are we able to create new point releases of stable and oldstable within 48h,
> > to withdraw the package (and withdraw/update reverse dependencies) there?
> >
> > A well-known case of claimed copyright infringement that was in the
> > courts for two decades affected the Linux kernel.[1] Even in the best
> > case where a code fix is available immediately, updating src:linux and
> > then rebuilding the installers and then creating new point releases
> > would be challenging to do within 48h.
>
> I also find the 48h questionable.
I would very much welcome better suggestions for what might qualify as
"speedy" on the one hand and "realistic" on the other. There's no real
need to specify an exact number of hours — I only wrote "_e.g._ within
48 h" as an example.
My intention was simply to propose a more structured response than just
telling someone who claims there's a copyright issue to "please file a
removal bug." It's about having a formalized process that shows we take
such reports seriously and that helps protect our developers from
potential legal exposure.
> If anyone without a contract is relying on
> us here, that's squarely their problem.
I was told that this is precisely our view — which I personally shared
as well — and I would also prefer if it were true. However, if it turns
out that this assumption is wrong and that Debian as a project, or even
an individual developer, might face consequences, it's better to be
prepared in advance.
> And if there is
> legislation/regulation, it'd be nice to know what the letter is. On the
> other hand I trust us to get the relevant advice here.
I would be more than happy if the concern I described above turns out to
be unfounded.
> However we could in theory remove the file without rebuilding the indexes.
> Not a great user experience, especially if all we technically need to do is
> to e.g. remove a single file. But if it's temporary, maybe it would be an
> option. OTOH I'd expect stuff post pulling the package to resolve in the
> matter of weeks to months, right?
I'm happy to consider any technical suggestions for implementing a
solution that, hopefully, will never actually be needed. The goal here
is simply to be prepared. Returning to my earlier question about
delegations, I tend to think that handling this should fall under the
Archive Operations Team.
What do you think?
Kind regards
Andreas.
--
https://fam-tille.de