
Re: Do we need to hide packages in NEW queue (Was: Lottery NEW queue (Re: Are libraries with bumped SONAME subject of inspection of ftpmaster or not))

On Wed, 26 Jan 2022 07:38:10 +0100 Andreas Tille wrote:

> On Tue, Jan 25, 2022 at 01:45:11PM -0800, Russ Allbery wrote:
> > The question, which keeps being raised in part
> > because I don't think it's gotten a good answer, is what the basis is for
> > treating copyright and licensing bugs differently than any other bug in
> > Debian?

I thought the basis was the fact that copyright and licensing bugs may
have bad legal consequences (lawsuits against the Project for
distributing legally undistributable packages, things like that), while
technical bugs do not cause issues with lawyers and are, in this sense,
"easier" to fix.
The consequences of introducing a "legally botched" package into the
archive are thus harder to undo, with respect to introducing a
technically flawed package...

> > 
> > The need for pre-screening was obvious when we had export control issues,
> > but my understanding is that those have gone away.  Are we working from
> > legal advice telling us that this pre-screening is required for some legal
> > purpose?  If so, is it effective for the legal purpose at which it is
> > aimed?  Is this system left over from old advice?  Have we checked our
> > assumptions recently?

I am under the impression that the pre-screening in the NEW queue is an
attempt to catch legal issues *before* the package is introduced into
the archive.
As far as I remember, the FTP masters are the people responsible for
what the Debian Project distributes through its archive...

Is this wrong (or no longer valid)?

> > NEW processing is a lot of friction for the project as a whole and a lot
> > of work for the ftp team.  If we were able to do less work at the cost of
> > a minimal increase in bugs, or at the cost of handling bugs a bit
> > differently, maybe that would be a good thing?
> > 
> > In other words, it's unclear what requirements we're attempting to meet
> > and what the basis of those requirements is, which makes it hard to have a
> > conversation about whether the current design is the best design for the
> > problem we're trying to solve.
> I'm CCing debian-legal for this branch of the discussion (but I do not
> read this list and think keeping debian-devel in the row is a good idea).

Personally, I think the legal pre-screening by the FTP masters in the
NEW queue is useful and should be kept.

In fact, I wish the pre-screening were stricter.

I've seen cases where a bug is reported against a legally
undistributable package and the issue is left unaddressed for ages with
nobody apparently caring enough.
Maybe it's better if such issues are addressed *before* the package is
accepted into the archive...

 There's not a second to spare! To the laboratory!
..................................................... Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE
