On Thu, 27 Jul 2023 06:05:40 +0200 Denis wrote:
> If the repository has strict licensing criteria, then we can count it
> as audited, but only for licensing

i have trouble accepting that - "audited for licensing" means that someone has checked that the licensing was done properly, all files are accounted for, there are no license conflicts, and so on - these repos are nearly 100% user-curated - the only criterion is that the uploader declares a license (e.g.: License: MIT) - that is the most that can be expected; and no one checks to see if even that 'MIT' ID accurately represents the code-base

On Thu, 27 Jul 2023 06:05:40 +0200 Denis wrote:
> But then precisely because distributions' repositories are audited for
> more than just licensing, it might not be feasible to package 150 000
> ruby packages.

that is because distributions' repositories are audited _at_ _all_ - most of those third-party repos are not audited in any way, just the same as github - the license presentation is highly suspicious for all hosted projects - it depends entirely on the anonymous uploader's knowledge and honesty, and often on their anonymous copyright, which can never be verified

i think this is being much too generous - imagine pulling and packaging every repo from github automatically, based only on github's license detector - would you really consider that as properly audited?