Simon Richter <sjr@debian.org> writes: > Hi, > > On 11/13/25 5:03 PM, Simon Josefsson wrote: > >> I think publishing NEW uploads is not a problem. > > Historically, it was, because of export controls on cryptographic software. > > Still, there is a difference between a git repository (with clear > attribution) and distribution through an official channel -- even if > the upload will be rejected at a later stage -- especially if that > later stage is two months later. > > We would probably have to set up a process similar to DMCA complaints > -- an easy way to get content unpublished quickly, and a following > dispute resolution. My point is that we need such a process anyway, so we shouldn't hide NEW uploads in any attempt to avoid having such a process. What attribution is missing from NEW upload artifacts? The git repo doesn't say a lot that the NEW upload doesn't, or? > That sounds 面倒くさい. I have no idea what it means, but pretty sure I would agree. I think 99% of organizations just deal with this issue when/if it arise, by panicking around wishing there was a process they could follow. I think that is fairly okay. The desire to have a process is not always a good reason to invent a generic process for unique things that rarely happens. It would be nice if any actions (or inactions) were publicly announced, but I'm not sure how important transparency is valued these days. /Simon
Attachment:
signature.asc
Description: PGP signature