Re: Do we need to hide packages in NEW queue

To: debian-devel@lists.debian.org
Subject: Re: Do we need to hide packages in NEW queue
From: Charles Plessy <plessy@debian.org>
Date: Thu, 13 Nov 2025 10:34:56 +0900
Message-id: <[🔎] aRU1cSZMXaitkQJw@kumo.plessy.net>
In-reply-to: <87r18ndd5p.fsf@hope.eyrie.org>

Hi all,

resurecting a discussion from 2022 where Russ wrote about "Do we need to hide
packages in NEW queue?":

> A lawyer cannot make that risk trade-off decision for us.  We'll have to
> make it as a project. 

It just came to my mind that now once tag2upload can upload to NEW, we can have
very strong evidence that source package X in NEW is exactly the same as the
one generated by tag Y on Salsa or elsewhere.

So for an increasing number of source packages, it will be possible for anyone
to audit a copy of the package in NEW.

There is a path where we can migrate from "we may be legally obliged to hide
packages in NEW" to "please justify why you are opting out releasing a copy of
what you uploaded to NEW".

Have a nice day,

Charles

-- 
Charles Plessy                         Nagahama, Yomitan, Okinawa, Japan
Debian Med packaging team         http://www.debian.org/devel/debian-med
Tooting from home                  https://framapiaf.org/@charles_plessy
- You  do not have  my permission  to use  this email  to train  an AI -

Reply to:

Follow-Ups:
- Re: Do we need to hide packages in NEW queue
  - From: Simon Josefsson <simon@josefsson.org>

Prev by Date: Re: Bug#1120599: ITP: golang-modernc-sqlite -- CGo-free port of SQLite/SQLite3
Next by Date: Re: Seeking new members for the DFSG team (Re: Bits from the DPL)
Previous by thread: Re: Bug#1120599: ITP: golang-modernc-sqlite -- CGo-free port of SQLite/SQLite3
Next by thread: Re: Do we need to hide packages in NEW queue
Index(es):
- Date
- Thread