On Mon, Apr 06, 2026 at 12:38:43AM +0200, Thomas Goirand wrote: > On 4/5/26 10:27 PM, Adrian Bunk wrote: > > On Sun, Apr 05, 2026 at 08:47:37PM +0200, Thomas Goirand wrote: > > > On 4/3/26 10:40 AM, Adrian Bunk wrote: > > > > On Sat, Mar 21, 2026 at 11:38:22PM +0100, Thomas Goirand wrote: > > > > > ... > > > > > If we become a registered entity, it'd be a way more easy for > > > > > governments to > > > > > get us accounted for. Even more in the case of a USA-registered > > > > > Foundation. > > > > > While with the current case, it'd be a way harder for Debian to get > > > > > into > > > > > trouble. For example, the foundation could be sued, and we'd have to > > > > > pay for > > > > > such trial in USA. But with the current state, one would have to go > > > > > after > > > > > single individuals. > > > > > ... > > > > > > > > It is strange that you consider going after single Debian members as > > > > preferable for Debian, single individuals are usually easier targets > > > > than large organizations. > > > > > > The idea is that the individual(s) involved may not be in the same > > > country, > > > making it even more difficult. Or even, impossible for a government to go > > > after all of use at once, as there would be no legal organization to > > > dissolve. > > > > When the French government goes after Debian it is fine for you when > > they arrest all DDs in France, like they did with Pavel Durov? > > > > And if a DD in France had a house or apartment or some savings, it is > > fine for you when this gets confiscated to compensate for whatever > > penalties France wants to impose on Debian? > > I can't believe that you remotely assume I'm fine with any government > annoying an DD (or any contributor) because of their contribution. Of > course, that would make me angry. > > It's just that if Debian becomes a legal entity, we add another risk of it > to be attacked by government. I do not think having Debian as a legal entity > would protects individual DDs also. And this in no way means that I would > *prefer* individual DDs to be attacked instead of the Debian legal entity > (you're assuming this wrongly here). I believe the 2 possible threats are > disconnected. > > Let's say the legal entity is declared illegal or dissolved by a judge. The > whole Debian project (and each of us) would be in danger if we were to > attempt ignoring the judge decision and continue to contribute to Debian (at > least, that's how it works in France).
When a government deploys the means available under criminal law against an organization, like the French did against Telegram, then the legal status of the organization does not really matter. Does it make a difference whether Al-Qaeda was ever anywhere a legal entity? Your whole argument is based on the notion that the only risk for individual DDs would be related to a government treating Debian as a terrorist or criminal organization. That's a rather remote risk, the more realistic risks are in civil law. Let's go back to my GDPR example: - Who is legally responsible for GDPR compliant handling of personal data? - Who has a legal obligation to respond to a GDPR request? - Who has to pay compensation for damages caused by GDPR violations? The current status quo is that for example that an expelled member can make a GDPR request against each member of DAM. If it turns out that the person has been a victim of not GDPR compliant handling of personal data, then the abuse survivor can pick which of the abusers to sue for compensation of all material and non-material damages. A legal entity would move the responsibility and (financial) liability for GDPR compliance from single individuals to the entity. It is also far easier to setup GDPR compliant data processing for a legal entity. Since you are worried about criminal law, GDPR violations might also be punished with up to 5 years in prison in France.[1,2] Article 33 GDPR referenced in the French criminal code is the obligation to notify a personal data breach within 72 hours to the supervisory authority. Without a legal entity the first question is which supervisory authority. > Cheers, > > Thomas Goirand (zigo) cu Adrian [1] https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000037825504 [2] https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000037825500

