Jonas Smedegaard <d...@jones.dk> writes:

> Beware that I say we must _check_ every file - not that we must _list_
> every file in debian/copyright.

> All that Debian distributes must be legal to distribute.

> You may argue that you need not check e.g. if PNG files in your package
> contain embedded non-free ICC profiles, but that just means that you
> rely on ftpmasters to check it on your behalf.

> You may argue that your upstream has already checked that for you. I'd
> call that a sloppy check, and there is a real risk that again you then
> burden ftpmasters with digging out dirt because upstream has a different
> view than Debian what is legally acceptable.

Requiring ftpmasters to do this check is a choice that Debian has made. Maybe it's the right choice, but other choices exist, and other entities make different choices. For example, we could choose to trust upstream license assertions and fix them later if upstream turns out to be wrong. Or we could choose to adopt a specific tool for automated license checks and base the accept decision on the output of that tool plus upstream assertions, in the knowledge that this could be incorrect, and later fix problems that are drawn to our attention.

(Note that thorough license review has not completely eliminated license problems that we have had to fix later, although it certainly reduces the number of them. We will be fixing some issues retroactively under any approach.)

In the context of limited project resources, it seems worth asking not the absolute question of whether thorough license checks have desirable properties (obviously they do), but instead whether this is the most effective use to which the project could be putting this energy, or if we should consider alternatives so that we can redirect some of that energy to other things the project considers important.

Another way of asking that question is to ask whether this sort of thorough license double-checking is something we consider a core mission of the project, or something that we're doing for secondary reasons (such as reducing the risk of legal liability).

If it's a core mission of the project, then maybe we do want to reaffirm our decision to spend significant resources on it. If we're only doing this for secondary reasons like legal liability, it might be worth looking around and seeing if other organizations with similar legal risks take the same precautions, or asking for legal advice on whether this precaution is legally necessary or if we're creating work for ourselves that exceeds the legal risk we'd be accepting by doing something more automatable.

To be clear, it may be that we'll ask this question and decide that yes, detailed license review is something we consider important and we want to keep doing it the way that we have been doing it, and we need to figure out how to make that work scale. But I do think it's worth occasionally explicitly asking the question and then making an intentional choice, rather than assuming we're obligated to continue doing what we're doing.

-- 
Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>