
Re: possibly exhausted ftp-masters (Re: Do we still value contributions?



Jonas Smedegaard <dr@jones.dk> writes:

> Beware that I say we must _check_ every file - not that we must _list_
> every file in debian/copyright.

> All that Debian distributes must be legal to distribute.

> You may argue that you need not check e.g. if PNG files in your package 
> contain embedded non-free ICC profiles, but that just means that you 
> rely on ftpmasters to check it on your behalf.

> You may argue that your upstream has already checked that for you.  I'd 
> call that a sloppy check, and there is a real risk that again you then 
> burden ftpmasters with digging out dirt because upstream has a different 
> view than Debian what is legally acceptable.

Requiring ftpmasters to do this check is a choice that Debian has made.
Maybe it's the right choice, but other choices exist, and other entities
make different choices.

For example, we could choose to trust upstream license assertions and fix
them later if upstream turns out to be wrong.  Or we could choose to adopt
a specific tool for automated license checks and base the accept decision
on the output of that tool plus upstream assertions in the knowledge that
this could be incorrect, and later fix problems that are drawn to our
attention.  (Note that thorough license review has not completely
eliminated license problems that we have had to fix later, although it
certainly reduces the number of them.  We will be fixing some issues
retroactively under any approach.)

In the context of limited project resources, it seems worth asking not the
absolute question of whether thorough license checks have desirable
properties (obviously they do), but instead whether this is the most
effective use to which the project could be putting this energy, or if we
should consider alternatives so that we can redirect some of that energy
to other things the project considers important.

Another way of asking that question is to ask whether this sort of
thorough license double-checking is something we consider a core mission
of the project, or something that we're doing for secondary reasons (such
as reducing the risk of legal liability).  If it's a core mission of the
project, then maybe we do want to reaffirm our decision to spend
significant resources on it.  If we're only doing this for secondary
reasons like legal liability, it might be worth looking around and seeing
if other organizations with similar legal risks take the same precautions,
or asking for legal advice on whether this precaution is legally necessary
or if we're creating work for ourselves that exceeds the legal risk we'd
be accepting by doing something more automatable.

To be clear, it may be that we'll ask this question and decide that yes,
detailed license review is something we consider important and we want to
keep doing it the way that we have been doing it, and we need to figure
out how to make that work scale.  But I do think it's worth occasionally
explicitly asking the question and then making an intentional choice,
rather than assuming we're obligated to continue doing what we're doing.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>
