>>>>> On Thu, 7 Sep 2017, Rich Freeman wrote:

>>> Do we routinely confirm that any site we list in SRC_URI has
>>> permission to redistribute files? That seems like a slippery
>>> slope.
>>
>> We don't, and for a package that comes with a license (as the vast
>> majority of packages does) it normally isn't necessary.

> Why isn't this necessary? How do you know the person issuing the
> license actually has the right to issue it?

Don't you think there is a difference between downloading a package
that has a known upstream and that is also carried by other distros,
and downloading a license-less package from a random location on the
internet?

>> The package in question doesn't come with any license though, which
>> means that only the copyright holder has the right to distribute
>> it. So I believe that some extra care is justified, especially when
>> the upstream location of the distfile has changed.

> Why? We don't redistribute anything that is copyrighted.

Users download the file, and I think that we are responsible to have
only such SRC_URIs in our ebuilds from where they can obtain the
package without being exposed to potential legal issues.

> Are you arguing that merely linking to the file is illegal? If so,
> then you better get the list archives purged.

Arguably, items in SRC_URI aren't even hyperlinks. And no, I don't
think that such linking is illegal. IANAL, though.

>> We don't know this for sure unless we ask the author. So whoever is
>> interested in keeping the package in the tree should sort these
>> issues out.

> Perhaps if we want to enforce a policy like this we should take the
> time to actually write the policy down. As far as I can tell Gentoo
> has no such policy currently.

The old Games Ebuild Howto [1] has this:

| LICENSE
|
| The license is an important point in your ebuild. It is also a
| common place for making mistakes. Try to check the license on any
| ebuild that you submit. Often times, the license will be in a
| COPYING file, distributed in the package's tarball. If the license
| is not readily apparent, try contacting the authors of the package
| for clarification. [...]

I propose to add the paragraph above to the devmanual's licenses
section.

Ulrich

[1] https://wiki.gentoo.org/wiki/Project:Games/Ebuild_howto#LICENSE