On Sun, Mar 15, 2020 at 07:52:06PM +0000, Neil McGovern wrote:
> In theory, yes - this would move the liability to the uploader. However,
> there are two issues with this:
> 1) The liability now rests with the uploader. This isn't something that
> has really been done before, and we'd need to make sure that we're
> comfortable with this.

The uploader has *already* distributed the package by uploading it to
ftp.debian.org. So the uploader already has any (99.99% of the time,
completely non-existent) liability. If the uploader is using github, or
salsa, they've also *already* distributed it. And I'll note that the
salsa admins aren't as concerned about potential liability to Debian
compared to the ftp team when a maintainer uploads a package with a
shared library version bump so that there's a new package, libfoo4
instead of libfoo3.

> 2) We would be very limited in what checks we could actually do on new
> packages. If we look too closely at packages, we stop being a
> distributor, and start being a publisher. I'm not sure that we want to
> move towards just being a distribution platform, rather than actually
> doing QA checks.

I'm confused. As near as I can tell, we already are looking super
closely at new packages.

- Ted