Re: Do we need to hide packages in NEW queue

Francesco Poli <invernomuto@paranoici.org> writes:

> I thought the basis was the fact that copyright and licensing bugs may
> have bad legal consequences (lawsuits against the Project for
> distributing legally undistributable packages, things like that), while
> technical bugs do not cause issues with lawyers and are, in this sense,
> "easier" to fix.

Sure, everyone says this, but is this *true*?

The free software community has a tendency to assume a lot of things about
laws that aren't actually true.  Sometimes this is useful conservatism,
since there are a lot of legal areas for which the answer is not
clear-cut, and if it doesn't matter much either way, better to avoid any
sharp corners.  But in this case, this assumption has a very high cost for
the project, so maybe it's worth finding out whether it actually matters.

As people have pointed out in the numerous previous iterations of this
discussion, it's not like the ftp-master screen eliminates all copyright
and licensing bugs on project services.  I'm sure that we've accidentally
pushed non-distributable material to Salsa, we did to Alioth before that,
ftp-master will occasionally make mistakes, etc.

We should act with alacrity to remedy serious copyright and licensing
bugs; no one is arguing against that.  But is it legally necessary to take
the very specific measure that we are currently taking against them?

It's also worth remembering that absolutely nothing that we can do will
guarantee the project or some members of the project will not be sued.  As
the saying goes in the US, you can sue anyone for anything; you just might
not *win*.  If we're protecting ourselves against *losing* a lawsuit, or
can draw a direct line between the measures we're taking and decreased
liability, better settlements, etc., that would be useful to know,
including the rough shape of the parameters around that.  But I'm a little
worried that we've fallen into a reflexive defense of a specific
mitigation that may not be doing very much about the project's actual
legal risks, but which has accumulated enough weight of tradition that
everyone thinks it's necessary.

> I am under the impression that the pre-screening in the NEW queue is an
> attempt to catch legal issues *before* the package is introduced into
> the archive.

I also agree that this is the case, but I don't think it's obvious that
this attempt is necessary or that it's the most effective place to put
that level of effort and friction.

> Personally, I think the legal pre-screening by the FTP masters in the
> NEW queue is useful and should be kept.

Is this on advice of legal counsel?  Do you have some concrete reference
for this belief that we can rely on?

I do think that the amount of effort that the project puts into this
pre-screening is of sufficiently high magnitude that it would be worth
paying a lawyer for a legal opinion about whether or not we need to do
it.  The savings to the project if we found out that we didn't, or that we
could do something simpler and more easily automated, would be more than
the cost of the legal opinion.

> In fact, I wish the pre-screening were stricter.

> I've seen cases, where a bug is reported against a legally
> undistributable package and the issue is left unaddressed for ages with
> nobody apparently caring enough.

Doesn't this argue that it is not as important to pre-screen as we think
it is, given that this has happened multiple times and none of the
horrible consequences from which pre-screening is intended to protect us
have occurred?  (I know the argument is that we've just gotten lucky, but
I think it's worth being careful of that argument since it's inherently
irrefutable.  "We have to do this thing because horrible things will
happen if we don't, and those horrible things have never happened in the
past only because we've gotten lucky" is a circular argument that cannot
be disproven, and therefore we should be a bit skeptical about it.)

What if we took all the effort we put into pre-screening and instead
devoted it to resolving actual problems that have been reported to us?  Is
it possible that would resolve our legal issues *faster* than investing
huge amounts of project time and resources into pre-screening?

This is the point that this same argument for pre-screening could be made
about *any* bug.  For *any* type of bug, doing additional pre-screening
will reduce the incidence of that bug.  The question is whether that's the
most effective use of resources, not whether it has any positive effect at
all.  Clearly it does help, but does it help more than other things we
could be doing with the same time and energy?

The counterfactual is not "Debian stops caring about legal issues at all."
The alternative is instead "the primary responsibility for legal issues
lies with the person uploading the package, here are the rules that we
follow, we encourage audits and other analysis and will automate them to
the degree possible, and if anyone reports a copyright or licensing bug,
we will prioritize resolving it."  In other words, pretty much exactly the
policy we use right now for security issues, which I suspect are far more
dangerous to Debian users on the whole than copyright and licensing issues
(although both are important!).

Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>