On Fri, Sep 8, 2017 at 6:09 AM, Ulrich Mueller <u...@gentoo.org> wrote:
>
> Quoting from "all-rights-reserved":
>
> | This package has an explicit "all rights reserved" clause, or comes
> | without any license, or only with a disclaimer. This means that you
> | have only the rights that are granted to you by law. If you have
> | lawfully acquired a copy of the program (e.g., by buying it or by
> | downloading it from the author's site) then in many legislations you
> | are allowed to compile it, run it, make a backup, and to patch it as
> | necessary, without permission from the copyright holder.
>
> Note that it explicitly says "downloading from the author's site".

It also explicitly says "e.g."  This means that this is merely one way
of lawfully acquiring a copy of the program, and that other ways may
exist.  It sounds pedantic but this is the whole reason that "e.g."
exists as opposed to "i.e." and courts certainly would read the policy
in this way because lawyers distinguish between the two all the time.

> I still think that we should handle this in a restrictive way, and
> permit only sites where we can be reasonably certain that they
> distribute the software with the copyright holder's approval.

Sure, that's your opinion, and I have a different opinion, and kentnl
has another opinion.

This is why we have processes to turn those opinions into documented
policies so that we can be consistent.  Failing to do this can cause
all kinds of problems.  Suppose we remove this package.  Suppose we
don't remove some other package with the same problem.  In the absence
of a written policy one way or another somebody could cite your
statement as a concession.

>
> Why not follow kentnl's suggestion? If you don't want to figure out
> what the connection between the author and the download site is, then
> make the ebuild fetch restricted, and have the user download the
> file manually. I'd also suggest to put only the file's basename in
> SRC_URI then.
>

It would be inconvenient for the user.  That's why we don't
fetch-restrict every package in the tree, even though doing so would
lower our risk of getting sued.  Maybe the Linux Foundation
redistributes something it shouldn't.  I doubt it, but it could
happen.  If we fetch-restricted the kernel then we'd be covered if
another SCO comes along.  But, that would be ridiculous.  We don't
even do that with things like libcss which are higher risk.

-- 
Rich
