Re: Do we need to hide packages in NEW queue (Was: Lottery NEW queue (Re: Are libraries with bumped SONAME subject of inspection of ftpmaster or not))

Andreas Tille <andreas@an3as.eu> writes:

> Maybe some intermediate step would be to not hide packages in NEW queue
> but exposing them as an apt source.  If I'm correct this is not the case
> since it had certain legal consequences for the project if code with
> certain non-free licenses would be downloadable from some debian.org
> address.  Maybe NEW could be considered as some kind of pre-non-free as
> long as it is not checked and the legal consequences are not valid for
> us any more.  But I'm not educated in international law - just asking
> whether somebody might know better.

I have a repository on salsa: https://salsa.debian.org/installer-team/branch2repo
that allows one to easily take a collection of branches (with the same
branch name) from several repos, and assemble the (u)debs that one can
build from all those branches into an apt repo.

The motivation for that is for testing patches to Debian-Installer, but
it should work for anything, so if that (or something like it) got
merged into the main salsa-CI pipeline then people could more easily
decouple the testing of new packages from their progress through NEW.

This does of course raise the question of whether I ought to be able to
do that, since it creates apt repos, such as this (trivial) example:


that publish .debs from a debian.org host, that could easily be created
from sources that have never been near NEW.

Of course, the URL is not exactly obvious there, and the artifacts will
get deleted, so maybe that's a difference, but I don't suppose it would
be too hard to make that into a stable 'pages' URL and ensure that it
got built often enough to keep the repo there permanently.  Would that
cross the line?

I think the important distinction is probably that once packages get
through NEW they are mirrored all over the world, by unsuspecting third
parties, who live in every jurisdiction under the sun. They are also
incorporated into down-stream distros, often with little/no manual
oversight, some of whom then do things like selling their resulting
distribution for profit.

That involves other people in a lot of risks that might not apply to
Debian itself, so I'd suggest it requires rather more caution than trying
to see what we alone can expect to get away with.

Do we need to shut down salsa's ability to do the above (given that one
can do all of that from a guest account, using any old code you
uploaded), or is that OK because the URLs are unstable and/or obscure?
(obviously, given that I did it, I think it's OK)

If obscure URLs are enough, I'd think it would be OK to have things in
the NEW queue available from repo URLs that were not something that one
could easily mirror, and would not be an "all of current NEW repo" but
rather something like an apt repo per upload, so that one could easily
test stuff stuck in NEW, but wouldn't be tempted to just install
everything that hits NEW by default.

Cheers, Phil.
|)|  Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
|-|  http://www.hands.com/    http://ftp.uk.debian.org/
|(|  Hugo-Klemm-Strasse 34,   21075 Hamburg,    GERMANY

Attachment: signature.asc
Description: PGP signature