The Wanderer <wande...@fastmail.fm> writes:

> I am not on the inside of these things, certainly, but I have kept my
> eyes open from the outside, and I am not aware of there being any
> mechanism for removing something root-and-branch - across all affected
> versions, however far back those may stretch - from these repositories
> and archive locations once it's made it in. In order to avoid continuing
> to distribute something which we once accepted but which has since been
> deemed legally undistributable (and thus exposing ourselves to
> copyright-infringement lawsuits), we would need to have such a
> mechanism.

The thing is, we need this anyway for something we would legally need to
stop distributing, since otherwise we would be expecting ftp-master review
to be perfect *and* to never introduce unredistributable content in a
package update that doesn't go through NEW.  I don't think either of those
are realistic (or fair) expectations.

Now, we could defer creating such a thing until we actually need it and
then try to come up with something under emergency circumstances, and
maybe we'd get lucky and never need it.  But I think that's also true in
either scenario.  I'm not sure that the ftp-master review reduces the
likelihood so much as to change the risk analysis that much.  (But that
could well be a point of disagreement.)

-- 
Russ Allbery (r...@debian.org)              <https://www.eyrie.org/~eagle/>
