On 2/5/2013 5:59 PM, holger krekel wrote:
On Tue, Feb 05, 2013 at 15:54 -0500, Terry Reedy wrote:
On 2/5/2013 11:35 AM, Lennart Regebro wrote:
On Tue, Feb 5, 2013 at 5:03 PM, Donald Stufft <[email protected]> wrote:
Besides the issues with validating that the package we are mirroring
is the authentic one there's also a legal issue. We don't know for sure
that we have the legal rights to redistribute those files. When you upload
a file to PyPI you grant the PSF a license to do that, no upload from the
author = no license. IANAL but I think I'm correct on that.

Absolutely, but if the package is marked with a license that allows
redistribution in the metadata, then we can.

The last I read (and I cannot find the seemingly hidden page) the
author (or rights-holder) of code must grant PSF something more than
just redistribution rights before uploading it. The same must also
certify some mumbo-jumbo about compliance with national laws and
cryptography. No 3rd party can do that.

Not sure I understand. Are you referring to a procedure that is in place
already or that should be in place?

PSF requirements in place. PSF requires an explicit Contributor Agreement, with a choice of two licenses, before accepting code into the CPython codebase -- even if the current public license would appear to allow us to just stick it in.

Currently, it similarly (last I knew) requires an explicit license before accepting and distributing code (as opposed to index info) on PyPI. That appears to be a conservative, better safe than sorry, policy recommended by the PSF lawyer.

--
Terry Jan Reedy

_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
