Charles Plessy <plessy@debian.org> writes:

> Hi all,
>
> resurrecting a discussion from 2022 where Russ wrote about "Do we need to hide
> packages in NEW queue?":
>
>> A lawyer cannot make that risk trade-off decision for us. We'll have to
>> make it as a project.
>
> It just came to my mind that now once tag2upload can upload to NEW, we can have
> very strong evidence that source package X in NEW is exactly the same as the
> one generated by tag Y on Salsa or elsewhere.
>
> So for an increasing number of source packages, it will be possible for anyone
> to audit a copy of the package in NEW.
>
> There is a path where we can migrate from "we may be legally obliged to hide
> packages in NEW" to "please justify why you are opting out of releasing a copy of
> what you uploaded to NEW".

I think publishing NEW uploads is not a problem.

What is the argument behind "we may be legally obliged to hide packages in NEW"?

If there ever is a problem with an upload (say, someone uploading clearly proprietary content), I hope the upload will be REJECTED. This is like other organizations publishing something, later realizing it was a mistake, and taking it down. We need that path anyway, as it may happen that we need to un-publish things generally.

I've only ever seen things become a problem (legal liability) if an organization insists on keeping clearly problematic content up and refuses to take things down.

/Simon