On Fri, Feb 04, 2022 at 11:50:20PM +0100, Christian Kastner wrote:
> On 2022-02-04 18:39, Russ Allbery wrote:
> > In other words, this thread is once again drifting into a discussion of
> > how to do copyright review *better*, when my original point is that we
> > should seriously consider not doing the current type of incredibly tedious
> > and nit-picky copyright review *at all*, and instead rely more on
> > upstream's assertions, automated tools, and being reactive in solving the
> > bugs that people actually care about (i.e., notice).
>
> If we're honest, that's basically how the rest of the open source world
> already operates in general. Our level of scrutiny is a burden that I
> don't see many others sharing.
>
> Of course "everybody's doing it" doesn't make something right. However,
> when things go wrong, they don't seem to go wrong in the dramatic ways
> we might anticipate them to.
>
> If GitHub (a Microsoft-owned entity and thus an attractive target for a
> lawsuit) is OK with distributing files uploaded by third parties without
> subjecting them to a manual review process, perhaps we have been
> overthinking the risks here.
>
Just because someone else can't be bothered to do licence review checking doesn't mean that Debian shouldn't. I'd much rather that packages were removed in NEW than that they got installed in unstable and we then had to tell people that they had gone.

There's a huge amount of software that's undistributable: Debian's good faith attempt to review this is one of the crucial arguments I have with $DAYJOB about the benefits of a curated distribution, however fallible we may be.

I think we should use automated tools where available, query with upstream where practicable, and continue doing what we're doing as far as possible, in my humble opinion.

Reproducible builds and DEP-5 / SPDX are also crucial in improving everyone's quality - I don't see commercial/enterprise distributions doing this valuable public service but I very much value the fact that Debian does it, for example.

[No particular skin in the game, since I don't upload any package at the moment but very appreciative of others' efforts]

With every good wish, as ever,

Andy Cater

[amaca...@debian.org]