Perhaps, if it would ease mirror operator's minds (especially our commercial partners), it might be wise to put a "readme.txt" or "sources.txt" file in the root of the mirrored directory explaining how/where one might obtain the sources?
On Mon, May 30, 2022 at 3:24 AM Morten Linderud <[email protected]> wrote: > On Sun, May 29, 2022 at 03:45:49PM +0200, Imre Jonk wrote: > > Hi all, > > Yo! > > > I'm not sure if this is the right place to address this issue; as far > > as I'm aware, there is no Arch mailing list or forum for legal matters. > > What I'd like to discuss is the (unnecessary?) legal risk that mirror > > operators are exposed to when they don't mirror source packages. > > There isn't any list to discuss legal matter so this is fine. > > However, please realize that legal matters are down to interpretations of > text > which can be interpreted narrowly or broadly. Clarifying which > interpretation > you decide to understand the legal text under is important. > > Neither of us are lawyers so lets hold off on claiming Arch is putting > mirrors > in legal risk on this list because you decided to read over the license > text. > > I did however check with someone close with Free Software matters and they > believe it should be fine. > > > I believe that most mirrors are violating article 6 of the GPLv3 (or > > article 3 of the GPLv2). My reasoning goes like this: > > > > - The Arch repositories contain some software that is released under the > > GPL (or GPL-like) license. > > - Anyone distributing GPL-licensed software in compiled form is > > obligated to distribute the source code as well, either alongside the > > compiled software or, when accompanied by a 'written offer', on > > request at a later date. (there are a few more ways under the GPLv3 > > but I don't think they apply) > > - Few mirrors provide source packages, and as far as I'm aware, there > > are no mirrors out there that accompany the compiled software with a > > written offer. > > - Ergo, most Arch mirrors are violating the GPL. > > All of these assumptions are a narrow definition of the GPL2 and GLP3. > It's > important to realize the GPL licenses are vague enough that any bad faith > interpretation of the text can easily be construed to claim "you are > violating > the license". > > Neither GPL2 nor GPL3 makes any strict claims the source needs to be > distributed > from the same server as the binaries. > > Section 6d claims "regardless of what server hosts the corresponding > source" and > 6e open up for "peer-to-peer" transmission of the source. It is only > demanded > it's explained how to get it, and that is done on the archwiki free of > charge as > the license demands. > > The main issue is "next to the object source"; If we regard "archlinux.org" > as > the software distributor, and the mirrors an extension of this service, > then a > broad definition of the above can be interpreted as having links on > "wiki.archlinux.org" for how to access the source would be fine. > > Else you can email us and get a link, which you'd promptly get. > > The above coupled with the FAQ entry linked earlier and I don't think we > can be > violating any license under a reasonable interpretation of the GPL. > > However, unless you start engaging someone who can deal with legal matters > we > are only laymans that read the license and come to some conclusion. If you > think > we are doing something different from what other Linux distributions are > doing > please do tell us and we can figure out how to solve any discrepancies. > > Speculating about the meaning of GPL is not really useful. > > (None of the above should be taken as legal advice, neither any discussion > in this thread.) > > -- > Morten Linderud > PGP: 9C02FF419FECBE16 >
