Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

[Ulrich Mueller]

> On Sat, 9 Sep 2017, R0b0t1  wrote:

> I suspect the links in ebuilds are more like torrent files, in which
> case I think it makes sense to wait to be contacted to remove the
> links.

Ebuilds aren't hypertext, so by definition they don't contain any
"links". They merely contain lists of URIs.

You even cannot cut and paste a typical SRC_URI to a browser, because
it will choke on things like ${P}, mirror://, arrows, USE-conditional
syntax, etc.

Ulrich


pgpFBMHggTW9H.pgp
Description: PGP signature

Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

[R0b0t1]

On Sat, Sep 9, 2017 at 3:58 AM, Kent Fredric  wrote:
> On Fri, 8 Sep 2017 20:33:49 -0500
> R0b0t1  wrote:
>
>> In any case it is my understanding that the issue is that simple. It's
>> the reason torrents and magnet links exist, and why there are no legal
>> claims possible against websites which host magnet links.
>
> The entire court case against PirateBay was based on that.
>
> And the court case was won against PirateBay
>
> https://en.wikipedia.org/wiki/The_Pirate_Bay_trial#Trial_and_courtroom_charges
>
>> The court found that the defendants were all guilty of accessory to
>> crime against copyright law, strengthened by the commercial and
>> organized nature of the activity.
>

This was normal torrents, not magnet links? Was the complaint retried
against someone else who was hosting a magnet link website?

I suspect the links in ebuilds are more like torrent files, in which
case I think it makes sense to wait to be contacted to remove the
links. Otherwise, lots of other precautions should be taken, such as
disclaiming liability for acts of terrorism perpetrated using Gentoo.

Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

[Kent Fredric]

On Fri, 8 Sep 2017 20:33:49 -0500
R0b0t1  wrote:

> In any case it is my understanding that the issue is that simple. It's
> the reason torrents and magnet links exist, and why there are no legal
> claims possible against websites which host magnet links.

The entire court case against PirateBay was based on that.

And the court case was won against PirateBay

https://en.wikipedia.org/wiki/The_Pirate_Bay_trial#Trial_and_courtroom_charges

> The court found that the defendants were all guilty of accessory to
> crime against copyright law, strengthened by the commercial and
> organized nature of the activity.



pgpG_n42ZpQNE.pgp
Description: OpenPGP digital signature

Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

[R0b0t1]

On Fri, Sep 8, 2017 at 8:33 PM, R0b0t1  wrote:
> On Fri, Sep 8, 2017 at 10:56 AM, Kent Fredric  wrote:
>> On Fri, 8 Sep 2017 10:11:51 -0500
>> R0b0t1  wrote:
>>
>>> Then I'm quite confused as to why people seem to be extremely attentive to
>>> copyright infringement (besides an immediate payout). In the US they cite
>>> the reasoning I gave, from memory.
>>>
>>> Maybe that was for trademarks?
>>
>> This is one of those problems where the nebulous term "IP" has infected
>> our thinking.
>>
>> Yes, US is very *copyright* infringement zealous.
>>
>> But Trademark and Copyright are very different beasts.
>>
>> Trademarks (read: brands, company names, company symbols, etc)  do
>> expire much shorter, but that's due to other reasons. Namely, that if
>> your company ceases to be doing business for 10 years, nobody is harmed
>> by people using a name of a company that doesn't exist, because
>> "Trademark protection" is largely a device to prevent competitors
>> claiming they're you, and to prevent competitors selling products
>> claiming you made them.
>>
>> Copyright (read: the right to publish, distribute, and sell) has a much
>> longer life as the results of that can be inheritable, eg: profits from
>> sale copyrighted works can go towards the estate of the author of those
>> works after the death of that author.
>>
>> There are documented *exceptions* to this, but they don't apply to us
>> as they apply to public institutions such as archives and libraries.
>>
>> And there are exceptions in cases of "fair use", which Gentoo does not
>> fall under.
>>
>> So, even though it is true that copyright expires, copy right expiry
>> dates are currently such that most juristictions don't have any
>> software that could conceivably exist that expires.
>>
>> If the expiry period is 50 years, and there's no software in
>> circulation older than 30, its kindof a moot point to argue software
>> that is less than 10 years old might have expired.
>>
>
> There's nothing in this though that says a copyright couldn't be
> weakened by failure to enforce claims against infringers. However, it
> happens that copyright law allows selective enforcement.
>
>>> >> Sir, please see my above comment about building ballistic missiles.
>>> >> It may be important for the Gentoo Foundation to add a disclaimer
>>> >> similar to the one I mentioned. I would hate for the Foundation or
>>> >> any of its administrators or contributors to be found guilty of
>>> >> aiding and abetting terrorists.
>>> >
>>> > Yeah. Stop trolling, please.
>>> >
>>>
>>> I am being completely serious. You can find such a clause in the iTunes
>>> license.
>>>
>>> If it seems ridiculous please reconsider the subject in question.
>>
>> I'm not sure how enforceable that clause is as a License.
>>
>> As a Warranty, sure.
>>
>
> The point isn't to be practically enforceable. If someone put their
> mind to using iTunes to make an ICBM I'm sure no one could stop them.
> The point is that Apple has now disclaimed liability for terrorist
> acts associated with iTunes in a very legally important way, which I
> believe is related to export restrictions (the item of interest likely
> being the cryptography portions of the digital restrictions management
> code).
>
>> "if you use it for this, don't blame us if bad things happen, we told
>> you not to"
>>
>
> There's a myriad of laws that duplicate the intent of the basic laws
> against property damage and taking life.
>

My apologies. In my dimwittedness I forgot to finish this section.

There's a lot of overlapping laws that duplicate things already in
existence. Likewise, people keep attempting to disclaim whatever
liability the law tells them they have in shrinkwrap contracts.

A good example is Li-Ion batteries. Did you know you're supposed to
watch them and not let them out of your sight while charging? If you
leave them out of your sight or do not take additional precautions
that no reasonable person I know would take, then the manufacturer
claims they are not responsible for property damage (read: fires) due
to their product's defects.

However, in fairly recent memory, the fires cause by Samsung phones
were being blamed on Samsung, and other smaller suits have been won
against battery manufacturers.

>> Also, those are typically things that fall under "National Laws" and it
>> doesn't really make sense to have to explicitly articulate in a
>> software license that its intended use is to be done within the scope
>> of your local governing laws.
>>
>> You're bound to follow local law regardless of whether you accept or
>> reject a given license. So, its kinda moot.
>>
>
> It is my understanding that this realization supports the view that
> the link should be left in. It's up to the user of the software, radio
> broadcasting kit, car, etc, to use the item in a responsible manner.
>
> I am worried about ceding rights where it is not necessary to do so. A
> good analogue to 

Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

[R0b0t1]

On Fri, Sep 8, 2017 at 10:56 AM, Kent Fredric  wrote:
> On Fri, 8 Sep 2017 10:11:51 -0500
> R0b0t1  wrote:
>
>> Then I'm quite confused as to why people seem to be extremely attentive to
>> copyright infringement (besides an immediate payout). In the US they cite
>> the reasoning I gave, from memory.
>>
>> Maybe that was for trademarks?
>
> This is one of those problems where the nebulous term "IP" has infected
> our thinking.
>
> Yes, US is very *copyright* infringement zealous.
>
> But Trademark and Copyright are very different beasts.
>
> Trademarks (read: brands, company names, company symbols, etc)  do
> expire much shorter, but that's due to other reasons. Namely, that if
> your company ceases to be doing business for 10 years, nobody is harmed
> by people using a name of a company that doesn't exist, because
> "Trademark protection" is largely a device to prevent competitors
> claiming they're you, and to prevent competitors selling products
> claiming you made them.
>
> Copyright (read: the right to publish, distribute, and sell) has a much
> longer life as the results of that can be inheritable, eg: profits from
> sale copyrighted works can go towards the estate of the author of those
> works after the death of that author.
>
> There are documented *exceptions* to this, but they don't apply to us
> as they apply to public institutions such as archives and libraries.
>
> And there are exceptions in cases of "fair use", which Gentoo does not
> fall under.
>
> So, even though it is true that copyright expires, copy right expiry
> dates are currently such that most juristictions don't have any
> software that could conceivably exist that expires.
>
> If the expiry period is 50 years, and there's no software in
> circulation older than 30, its kindof a moot point to argue software
> that is less than 10 years old might have expired.
>

There's nothing in this though that says a copyright couldn't be
weakened by failure to enforce claims against infringers. However, it
happens that copyright law allows selective enforcement.

>> >> Sir, please see my above comment about building ballistic missiles.
>> >> It may be important for the Gentoo Foundation to add a disclaimer
>> >> similar to the one I mentioned. I would hate for the Foundation or
>> >> any of its administrators or contributors to be found guilty of
>> >> aiding and abetting terrorists.
>> >
>> > Yeah. Stop trolling, please.
>> >
>>
>> I am being completely serious. You can find such a clause in the iTunes
>> license.
>>
>> If it seems ridiculous please reconsider the subject in question.
>
> I'm not sure how enforceable that clause is as a License.
>
> As a Warranty, sure.
>

The point isn't to be practically enforceable. If someone put their
mind to using iTunes to make an ICBM I'm sure no one could stop them.
The point is that Apple has now disclaimed liability for terrorist
acts associated with iTunes in a very legally important way, which I
believe is related to export restrictions (the item of interest likely
being the cryptography portions of the digital restrictions management
code).

> "if you use it for this, don't blame us if bad things happen, we told
> you not to"
>

There's a myriad of laws that duplicate the intent of the basic laws
against property damage and taking life.

> Also, those are typically things that fall under "National Laws" and it
> doesn't really make sense to have to explicitly articulate in a
> software license that its intended use is to be done within the scope
> of your local governing laws.
>
> You're bound to follow local law regardless of whether you accept or
> reject a given license. So, its kinda moot.
>

It is my understanding that this realization supports the view that
the link should be left in. It's up to the user of the software, radio
broadcasting kit, car, etc, to use the item in a responsible manner.

I am worried about ceding rights where it is not necessary to do so. A
good analogue to the situation at hand is crowdfunded electronics
projects that try to be FCC compliant, or delay shipping to obtain FCC
compliance. They don't need to. They're almost always a product not
intended for end users or an incomplete product. This makes me afraid,
sir, because it may be the case in the future I can not produce any
electronic equipment on my own.

Likewise, being unable to tell someone where to download something is
another situation that makes me afraid.

> If your government goes and uses your software for military
> applications despite your license saying "don't", I'm not really sure
> you'll have much in the way of recourse.
>

I'm pretty sure it would be one of the rare times, at least in the US,
that the government does not have sovereign immunity.

> If it was that simple I'd just start putting license terms that
> prohibits people from using software I wrote as part of a state
> approved mass surveillance platform
>

If you did this the military 

Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

[Gordon Pettey]

On Fri, Sep 8, 2017 at 11:15 AM, Ciaran McCreesh <
ciaran.mccre...@googlemail.com> wrote:

> On Fri, 8 Sep 2017 11:10:54 -0500
> Gordon Pettey  wrote:
> > And this is all irrelevant since the copyright applies to the
> > software, not the location you obtain it from. Nobody commits
> > copyright infringement by buying a used book from their neighbour
> > instead of buying it at Half Price Books.
> > Distribution licenses are another thing, but if the original SRC_URI
> > from the ebuild wasn't RESTICT="fetch", what makes anybody think that
> > would suddenly change with a new SRC_URI?
>
> Are you a lawyer, and does this constitute legal advice? I ask, because
> the lawyers I've spoken to about a similar issue seemed to think it
> wasn't that simple.
>

Since - just like you - I'm not lawyer, I have no obligation whatsoever to
say whether or not anything I say is legal advice. And so you can avoid
this the-sky-is-falling legal nonsense, here's yet another SRC_URI from the
author himself:
https://onedrive.live.com/download?resid=14984242E2F69941!25302=!AEUh_81RXMobRbo=file%2cexe
See http://www.familyofadam.com/mod/nwn_downloads.aspx

Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

[Kent Fredric]

On Fri, 8 Sep 2017 11:10:54 -0500
Gordon Pettey  wrote:

> Distribution licenses are another thing, but if the original SRC_URI from
> the ebuild wasn't RESTICT="fetch", what makes anybody think that would
> suddenly change with a new SRC_URI?

I've seen terms that state people aren't allowed to re-host anything,
and may only obtain a resource from a specified URL
( including details of how people should link to the resource )

Its a bit contorted, but fits the bill.



pgp9EHkMlbR5x.pgp
Description: OpenPGP digital signature

Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

[Ciaran McCreesh]

On Fri, 8 Sep 2017 11:10:54 -0500
Gordon Pettey  wrote:
> And this is all irrelevant since the copyright applies to the
> software, not the location you obtain it from. Nobody commits
> copyright infringement by buying a used book from their neighbour
> instead of buying it at Half Price Books.
> Distribution licenses are another thing, but if the original SRC_URI
> from the ebuild wasn't RESTICT="fetch", what makes anybody think that
> would suddenly change with a new SRC_URI?

Are you a lawyer, and does this constitute legal advice? I ask, because
the lawyers I've spoken to about a similar issue seemed to think it
wasn't that simple.

-- 
Ciaran McCreesh

Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

[Gordon Pettey]

And this is all irrelevant since the copyright applies to the software, not
the location you obtain it from. Nobody commits copyright infringement by
buying a used book from their neighbour instead of buying it at Half Price
Books.
Distribution licenses are another thing, but if the original SRC_URI from
the ebuild wasn't RESTICT="fetch", what makes anybody think that would
suddenly change with a new SRC_URI?

On Fri, Sep 8, 2017 at 11:05 AM, Ciaran McCreesh <
ciaran.mccre...@googlemail.com> wrote:

> On Sat, 9 Sep 2017 03:56:38 +1200
> Kent Fredric  wrote:
> > > >> Sir, please see my above comment about building ballistic
> > > >> missiles. It may be important for the Gentoo Foundation to add a
> > > >> disclaimer similar to the one I mentioned. I would hate for the
> > > >> Foundation or any of its administrators or contributors to be
> > > >> found guilty of aiding and abetting terrorists.
> > > >
> > > > Yeah. Stop trolling, please.
> > > >
> > >
> > > I am being completely serious. You can find such a clause in the
> > > iTunes license.
> > >
> > > If it seems ridiculous please reconsider the subject in question.
> >
> > I'm not sure how enforceable that clause is as a License.
>
> Until recently, there was a clause in the Nauty licence prohibiting use
> in "military applications". This was sufficient for the highly paid
> lawyers who looked at it to recommend not redistributing Nauty as part
> of the GAP computer algebra system, because computer algebra could
> conceivably be used for blowing stuff up.
>
> --
> Ciaran McCreesh
>
>

Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

[Ciaran McCreesh]

On Sat, 9 Sep 2017 03:56:38 +1200
Kent Fredric  wrote:
> > >> Sir, please see my above comment about building ballistic
> > >> missiles. It may be important for the Gentoo Foundation to add a
> > >> disclaimer similar to the one I mentioned. I would hate for the
> > >> Foundation or any of its administrators or contributors to be
> > >> found guilty of aiding and abetting terrorists.
> > >
> > > Yeah. Stop trolling, please.
> > >
> > 
> > I am being completely serious. You can find such a clause in the
> > iTunes license.
> > 
> > If it seems ridiculous please reconsider the subject in question.  
> 
> I'm not sure how enforceable that clause is as a License.

Until recently, there was a clause in the Nauty licence prohibiting use
in "military applications". This was sufficient for the highly paid
lawyers who looked at it to recommend not redistributing Nauty as part
of the GAP computer algebra system, because computer algebra could
conceivably be used for blowing stuff up.

-- 
Ciaran McCreesh

Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

[Kent Fredric]

On Fri, 8 Sep 2017 10:11:51 -0500
R0b0t1  wrote:

> Then I'm quite confused as to why people seem to be extremely attentive to
> copyright infringement (besides an immediate payout). In the US they cite
> the reasoning I gave, from memory.
> 
> Maybe that was for trademarks?

This is one of those problems where the nebulous term "IP" has infected
our thinking.

Yes, US is very *copyright* infringement zealous.

But Trademark and Copyright are very different beasts.

Trademarks (read: brands, company names, company symbols, etc)  do
expire much shorter, but that's due to other reasons. Namely, that if
your company ceases to be doing business for 10 years, nobody is harmed
by people using a name of a company that doesn't exist, because
"Trademark protection" is largely a device to prevent competitors
claiming they're you, and to prevent competitors selling products
claiming you made them.

Copyright (read: the right to publish, distribute, and sell) has a much
longer life as the results of that can be inheritable, eg: profits from
sale copyrighted works can go towards the estate of the author of those
works after the death of that author.

There are documented *exceptions* to this, but they don't apply to us
as they apply to public institutions such as archives and libraries.

And there are exceptions in cases of "fair use", which Gentoo does not
fall under.

So, even though it is true that copyright expires, copy right expiry
dates are currently such that most juristictions don't have any
software that could conceivably exist that expires.

If the expiry period is 50 years, and there's no software in
circulation older than 30, its kindof a moot point to argue software
that is less than 10 years old might have expired.

> >> Sir, please see my above comment about building ballistic missiles.
> >> It may be important for the Gentoo Foundation to add a disclaimer
> >> similar to the one I mentioned. I would hate for the Foundation or
> >> any of its administrators or contributors to be found guilty of
> >> aiding and abetting terrorists.  
> >
> > Yeah. Stop trolling, please.
> >  
> 
> I am being completely serious. You can find such a clause in the iTunes
> license.
> 
> If it seems ridiculous please reconsider the subject in question.

I'm not sure how enforceable that clause is as a License.

As a Warranty, sure. 

"if you use it for this, don't blame us if bad things happen, we told
you not to"

Also, those are typically things that fall under "National Laws" and it
doesn't really make sense to have to explicitly articulate in a
software license that its intended use is to be done within the scope
of your local governing laws.

You're bound to follow local law regardless of whether you accept or
reject a given license. So, its kinda moot.

If your government goes and uses your software for military
applications despite your license saying "don't", I'm not really sure
you'll have much in the way of recourse.

If it was that simple I'd just start putting license terms that
prohibits people from using software I wrote as part of a state
approved mass surveillance platform



pgpR8fTo1LFd2.pgp
Description: OpenPGP digital signature

Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

[R0b0t1]

On Friday, September 8, 2017, Ulrich Mueller  wrote:
>> On Thu, 7 Sep 2017, R0b0t1  wrote:
>
>> Downloading does not imply committing a felony. As far as anyone can
>> tell it is impossible to prosecute someone for downloading something
>> they already own (regardless of what any EULA has claimed).
>
> Sure, if the user already has rightfully obtained the software then
> nothing can stop him from downloading it again.
>
>> Further, copyrights lapse if not enforced. Depending on how long
>> that download has been up the original rightsholder has forfeited
>> their claim to their work.
>
> Copyright expires no sooner than 50 years after the author's death:
> https://en.wikipedia.org/wiki/Berne_Convention
> In most countries that term is even longer, e.g. 70 years in the
> European Union.
>
> Also contrary to popular belief, there is no such concept as
> "abandonware". In some legislations, there are some provisions to
> allow archiving of orphan works, but only for public institutions
> (e.g. in the EU, museums and digital archives).
>

Then I'm quite confused as to why people seem to be extremely attentive to
copyright infringement (besides an immediate payout). In the US they cite
the reasoning I gave, from memory.

Maybe that was for trademarks?

>> Sir, please see my above comment about building ballistic missiles.
>> It may be important for the Gentoo Foundation to add a disclaimer
>> similar to the one I mentioned. I would hate for the Foundation or
>> any of its administrators or contributors to be found guilty of
>> aiding and abetting terrorists.
>
> Yeah. Stop trolling, please.
>

I am being completely serious. You can find such a clause in the iTunes
license.

If it seems ridiculous please reconsider the subject in question.

R0b0t1.

Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

[Rich Freeman]

On Fri, Sep 8, 2017 at 6:09 AM, Ulrich Mueller  wrote:
>
> Quoting from "all-rights-reserved":
>
> | This package has an explicit "all rights reserved" clause, or comes
> | without any license, or only with a disclaimer. This means that you
> | have only the rights that are granted to you by law. If you have
> | lawfully acquired a copy of the program (e.g., by buying it or by
> | downloading it from the author's site) then in many legislations you
> | are allowed to compile it, run it, make a backup, and to patch it as
> | necessary, without permission from the copyright holder.
>
> Note that it explicitly says "downloading from the author's site".

It also explicitly says "e.g."  This means that this is merely one way
of lawfully acquiring a copy of the program, and that other ways may
exist.  It sounds pedantic but this is the whole reason that "e.g."
exists as opposed to "i.e." and courts certainly would read the policy
in this way because lawyers distinguish between the two all the time.

> I still think that we should handle this in a restrictive way, and
> permit only sites where we can be reasonably certain that they
> distribute the software with the copyright holder's approval.

Sure, that's you opinion, and I have a different opinion, and kentnl
has another opinion.

This is why we have processes to turn those opinions into documented
policies so that we can be consistent.  Failing to do this can cause
all kinds of problems.  Suppose we remove this package.  Suppose we
don't remove some other package with the same problem.  In the absence
of a written policy one way or another somebody could cite your
statement as a concession.

>
> Why not follow kentnl's suggestion? If you don't want to figure out
> what the connection between the author and the download site is, then
> make the ebuild fetch restricted, and have the user download the
> file manually. I'd also suggest to put only the file's basename in
> SRC_URI then.
>

It would be inconvenient for the user.  That's why we don't
fetch-restrict every package in the tree, even though doing so would
lower our risk of getting sued.  Maybe the Linux foundation
redistributes something it shouldn't.  I doubt it, but it could
happen.  If we fetch-restricted the kernel then we'd be covered if
another SCO comes along.  But, that would be ridiculous.  We don't
even do that with things like libcss which are higher risk.

-- 
Rich

Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

[Ulrich Mueller]

> On Thu, 7 Sep 2017, Rich Freeman wrote:

> On Thu, Sep 7, 2017 at 5:18 PM, Michał Górny  wrote:
>> W dniu czw, 07.09.2017 o godzinie 16∶42 -0400, użytkownik Rich Freeman
>> napisał:
>>> Are you saying it is sufficient to just point the SRC_URI at the
>>> new URL and remove the mask? As far as I can tell that is all that
>>> needs to be done. Per the policy the license is readily apparent,
>>> so there is no need to contact the authors.

Huh? The very problem here is that the package has *no* license.

The LICENSE variable was always mandatory, so originally a package
without a license (like the one mentioned in the subject) could
not be added to the tree. Or, devs would tag it with the infamous
"as-is" license label. Cleaning up the resulting mess was quite a
nightmare [1].

Later it was noticed that there is a specific class of software where
there is no license, but that are up for download at their author's
site. Examples were dev-libs/djb and other packages related to qmail.
We then came up with the "all-rights-reserved" license label [2], in
order to permit such software in the tree. (You should be aware of
this, because you were a trustee back then).

Quoting from "all-rights-reserved":

| This package has an explicit "all rights reserved" clause, or comes
| without any license, or only with a disclaimer. This means that you
| have only the rights that are granted to you by law. If you have
| lawfully acquired a copy of the program (e.g., by buying it or by
| downloading it from the author's site) then in many legislations you
| are allowed to compile it, run it, make a backup, and to patch it as
| necessary, without permission from the copyright holder.

Note that it explicitly says "downloading from the author's site".
I still think that we should handle this in a restrictive way, and
permit only sites where we can be reasonably certain that they
distribute the software with the copyright holder's approval.

>> I don't know what is sufficient. It's your business as the new
>> maintainer to figure it out and take the responsibility. If there's
>> nobody willing to do that, then we don't get to keep the package.
>> Simple as that.

> And how would I figure it out, considering that simply asking on the
> list doesn't seem to yield a straight answer?  Do you really need me
> to put it on the Council agenda?  Or do we unmask it, let QA mask it
> 10 minutes later, then go back and forth for a month, and THEN put it
> on the Council agenda?

Why not follow kentnl's suggestion? If you don't want to figure out
what the connection between the author and the download site is, then
make the ebuild fetch restricted, and have the user download the
file manually. I'd also suggest to put only the file's basename in
SRC_URI then.

Ulrich


[1] https://bugs.gentoo.org/436214
[2] https://bugs.gentoo.org/24


pgpfrj8f19GzK.pgp
Description: PGP signature

Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

[Rich Freeman]

On Fri, Sep 8, 2017 at 2:52 AM, Michał Górny  wrote:
>
> Maybe find yourself a lawyer, and ask him. We're all volunteers,

I've already done the research.  There is no legal requirement to
contact the authors before changing the SRC_URI.

> and we're no in way obligated to give legal advices to you or anyone
> in particular.

I'm not asking for legal advice.

Somebody suggested a solution.  ulm objected to that solution.  I'm
merely asking that those trying to stop a problem from being solved to
point to a written policy, because that is how virtually every
organization on the planet works.  If you don't put the impetus on the
person trying to block action, then nothing gets done, because posting
an objection on a mailing list costs nothing.

> Especially if it all started with the tone 'how dare you
> remove this?!'
>

I certainly never objected to the removal of the package.  It didn't
fetch and was unmaintained.  Of course it should have been
treecleaned.  Maybe somebody else had that tone, and if that concerns
you I suggest you take it up with them.

-- 
Rich

Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

[Ulrich Mueller]

> On Thu, 7 Sep 2017, R0b0t1  wrote:

> Downloading does not imply committing a felony. As far as anyone can
> tell it is impossible to prosecute someone for downloading something
> they already own (regardless of what any EULA has claimed).

Sure, if the user already has rightfully obtained the software then
nothing can stop him from downloading it again.

> Further, copyrights lapse if not enforced. Depending on how long
> that download has been up the original rightsholder has forfeited
> their claim to their work.

Copyright expires no sooner than 50 years after the author's death:
https://en.wikipedia.org/wiki/Berne_Convention
In most countries that term is even longer, e.g. 70 years in the
European Union.

Also contrary to popular belief, there is no such concept as
"abandonware". In some legislations, there are some provisions to
allow archiving of orphan works, but only for public institutions
(e.g. in the EU, museums and digital archives).

> Sir, please see my above comment about building ballistic missiles.
> It may be important for the Gentoo Foundation to add a disclaimer
> similar to the one I mentioned. I would hate for the Foundation or
> any of its administrators or contributors to be found guilty of
> aiding and abetting terrorists.

Yeah. Stop trolling, please.

Ulrich


pgpnabBWWiRtr.pgp
Description: PGP signature

Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

[Michał Górny]

W dniu czw, 07.09.2017 o godzinie 17∶56 -0400, użytkownik Rich Freeman
napisał:
> On Thu, Sep 7, 2017 at 5:18 PM, Michał Górny  wrote:
> > W dniu czw, 07.09.2017 o godzinie 16∶42 -0400, użytkownik Rich Freeman
> > napisał:
> > > On Thu, Sep 7, 2017 at 4:36 PM, Michał Górny  wrote:
> > > > W dniu czw, 07.09.2017 o godzinie 06∶21 -0700, użytkownik Rich Freeman
> > > > napisał:
> > > > > On Thu, Sep 7, 2017 at 6:04 AM, Ulrich Mueller  
> > > > > wrote:
> > > > > > > > > > > On Thu, 7 Sep 2017, Rich Freeman wrote:
> > > > > > 
> > > > > > Don't you think there is a difference between downloading a package
> > > > > > that has a known upstream and that is also carried by other distros,
> > > > > > and downloading a license-less package from a random location on the
> > > > > > internet?
> > > > > 
> > > > > Most upstreams do not do much checking about the ownership of their 
> > > > > sources.
> > > > > 
> > > > > Gentoo certainly doesn't - we don't even require developers to submit 
> > > > > a DCO.
> > > > > 
> > > > > Other projects like the Linux kernel require signing a DCO for each
> > > > > commit, but do not do any checking beyond this.  I have no doubt that
> > > > > they would remove offending sources if they were contacted, but they
> > > > > do not actively go out and confirm authorship.
> > > > > 
> > > > > > 
> > > > > > > > The package in question doesn't come with any license though, 
> > > > > > > > which
> > > > > > > > means that only the copyright holder has the right to distribute
> > > > > > > > it. So I believe that some extra care is justified, especially 
> > > > > > > > when
> > > > > > > > the upstream location of the distfile has changed.
> > > > > > > 
> > > > > > > Why?  We don't redistribute anything that is copyrighted.
> > > > > > 
> > > > > > Users download the file, and I think that we are responsible to have
> > > > > > only such SRC_URIs in our ebuilds from where they can obtain the
> > > > > > package without being exposed to potential legal issues.
> > > > > 
> > > > > I'm not aware of any court rulings that have found downloading
> > > > > something like this to be illegal.
> > > > > 
> > > > > > 
> > > > > > > Perhaps if we want to enforce a policy like this we should take 
> > > > > > > the
> > > > > > > time to actually write the policy down.  As far as I can tell 
> > > > > > > Gentoo
> > > > > > > has no such policy currently.
> > > > > > 
> > > > > > The old Games Ebuild Howto [1] has this:
> > > > > > 
> > > > > > > LICENSE
> > > > > > > 
> > > > > > > The license is an important point in your ebuild. It is also a
> > > > > > > common place for making mistakes. Try to check the license on any
> > > > > > > ebuild that you submit. Often times, the license will be in a
> > > > > > > COPYING file, distributed in the package's tarball. If the license
> > > > > > > is not readily apparent, try contacting the authors of the package
> > > > > > > for clarification. [...]
> > > > > > 
> > > > > > I propose to add the paragraph above to the devmanual's licenses
> > > > > > section.
> > > > > > 
> > > > > 
> > > > > We already know there isn't a license for redistribution.  This
> > > > > doesn't speak about requiring us to ensure that those distributing our
> > > > > source files have the rights to do so.  It merely says to check the
> > > > > license.  We understand the license already.  I don't see how this
> > > > > paragraph pertains to this situation.
> > > > 
> > > > AFAIK you're a developer. So if you want to keep this package, then
> > > > please do the needful and take care of it yourself instead of
> > > > complaining and demanding others to do the work you want done.
> > > > 
> > > 
> > > Are you saying it is sufficient to just point the SRC_URI at the new
> > > URL and remove the mask?  As far as I can tell that is all that needs
> > > to be done.  Per the policy the license is readily apparent, so there
> > > is no need to contact the authors.
> > > 
> > 
> > I don't know what is sufficient. It's your business as the new
> > maintainer to figure it out and take the responsibility. If there's
> > nobody willing to do that, then we don't get to keep the package. Simple
> > as that.
> > 
> 
> And how would I figure it out, considering that simply asking on the
> list doesn't seem to yield a straight answer?  Do you really need me
> to put it on the Council agenda?  Or do we unmask it, let QA mask it
> 10 minutes later, then go back and forth for a month, and THEN put it
> on the Council agenda?

Maybe find yourself a lawyer, and ask him. We're all volunteers,
and we're no in way obligated to give legal advices to you or anyone
in particular. Especially if it all started with the tone 'how dare you
remove this?!'

-- 
Best regards,
Michał Górny

Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

[Kent Fredric]

On Thu, 7 Sep 2017 17:56:32 -0400
Rich Freeman  wrote:

> And how would I figure it out, considering that simply asking on the
> list doesn't seem to yield a straight answer?  Do you really need me
> to put it on the Council agenda?  Or do we unmask it, let QA mask it
> 10 minutes later, then go back and forth for a month, and THEN put it
> on the Council agenda?
> 
> -- 

Surely RESTRICT=fetch and then just do a "Hey look, the legal here is not clear
so you need to acquire this yourself after making sure you have the rights to do
so"

You know, like we do for things that can only be installed with a physical copy.


pgpXMW8l28_lm.pgp
Description: OpenPGP digital signature

Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

[R0b0t1]

Hello,

On Thu, Sep 7, 2017 at 8:04 AM, Ulrich Mueller  wrote:
>> On Thu, 7 Sep 2017, Rich Freeman wrote:
>
 Do we routinely confirm that any site we list in SRC_URI has
 permission to redistribute files? That seems like a slippery
 slope.
>>>
>>> We don't, and for a package that comes with a license (as the vast
>>> majority of packages does) it normally isn't necessary.
>
>> Why isn't this necessary?  How do you know the person issuing the
>> license actually has the right to issue it?
>
> Don't you think there is a difference between downloading a package
> that has a known upstream and that is also carried by other distros,
> and downloading a license-less package from a random location on the
> internet?
>
>>> The package in question doesn't come with any license though, which
>>> means that only the copyright holder has the right to distribute
>>> it. So I believe that some extra care is justified, especially when
>>> the upstream location of the distfile has changed.
>
>> Why?  We don't redistribute anything that is copyrighted.
>
> Users download the file, and I think that we are responsible to have
> only such SRC_URIs in our ebuilds from where they can obtain the
> package without being exposed to potential legal issues.
>

Downloading does not imply committing a felony. As far as anyone can
tell it is impossible to prosecute someone for downloading something
they already own (regardless of what any EULA has claimed). Further,
copyrights lapse if not enforced. Depending on how long that download
has been up the original rightsholder has forfeited their claim to
their work.

It's also really hard to convince a judge or jury that I am to blame
if someone follows my instructions (save for specific cases where I
could be considered a subject matter expert). E.g. it's possible to
sell radio kits that are illegal to put together and operate.

>> Are you arguing that merely linking to the file is illegal?  If so,
>> then you better get the list archives purged.
>
> Arguably, items in SRC_URI aren't even hyperlinks. And no, I don't
> think that such linking is illegal. IANAL, though.
>

It is at this point I would suggest that you have defeated your own argument.

>>> We don't know this for sure unless we ask the author. So whoever is
>>> interested in keeping the package in the tree should sort these
>>> issues out.
>
>> Perhaps if we want to enforce a policy like this we should take the
>> time to actually write the policy down.  As far as I can tell Gentoo
>> has no such policy currently.
>
> The old Games Ebuild Howto [1] has this:
>
> | LICENSE
> |
> | The license is an important point in your ebuild. It is also a
> | common place for making mistakes. Try to check the license on any
> | ebuild that you submit. Often times, the license will be in a
> | COPYING file, distributed in the package's tarball. If the license
> | is not readily apparent, try contacting the authors of the package
> | for clarification. [...]
>
> I propose to add the paragraph above to the devmanual's licenses
> section.
>

Should the Gentoo foundation include a disclaimer that the software
distributed by it is not to be used to build ballistic missiles or run
nuclear arms programs? Users might do those things, and Gentoo might
be liable for the consequences if they do.


On Thu, Sep 7, 2017 at 4:56 PM, Rich Freeman  wrote:
> Do you really need me to put it on the Council agenda?

Sir, please see my above comment about building ballistic missiles. It
may be important for the Gentoo Foundation to add a disclaimer similar
to the one I mentioned. I would hate for the Foundation or any of its
administrators or contributors to be found guilty of aiding and
abetting terrorists.

Respectfully,
 R0b0t1

Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

[Rich Freeman]

On Thu, Sep 7, 2017 at 5:18 PM, Michał Górny  wrote:
> W dniu czw, 07.09.2017 o godzinie 16∶42 -0400, użytkownik Rich Freeman
> napisał:
>> On Thu, Sep 7, 2017 at 4:36 PM, Michał Górny  wrote:
>> > W dniu czw, 07.09.2017 o godzinie 06∶21 -0700, użytkownik Rich Freeman
>> > napisał:
>> > > On Thu, Sep 7, 2017 at 6:04 AM, Ulrich Mueller  wrote:
>> > > > > > > > > On Thu, 7 Sep 2017, Rich Freeman wrote:
>> > > >
>> > > > Don't you think there is a difference between downloading a package
>> > > > that has a known upstream and that is also carried by other distros,
>> > > > and downloading a license-less package from a random location on the
>> > > > internet?
>> > >
>> > > Most upstreams do not do much checking about the ownership of their 
>> > > sources.
>> > >
>> > > Gentoo certainly doesn't - we don't even require developers to submit a 
>> > > DCO.
>> > >
>> > > Other projects like the Linux kernel require signing a DCO for each
>> > > commit, but do not do any checking beyond this.  I have no doubt that
>> > > they would remove offending sources if they were contacted, but they
>> > > do not actively go out and confirm authorship.
>> > >
>> > > >
>> > > > > > The package in question doesn't come with any license though, which
>> > > > > > means that only the copyright holder has the right to distribute
>> > > > > > it. So I believe that some extra care is justified, especially when
>> > > > > > the upstream location of the distfile has changed.
>> > > > >
>> > > > > Why?  We don't redistribute anything that is copyrighted.
>> > > >
>> > > > Users download the file, and I think that we are responsible to have
>> > > > only such SRC_URIs in our ebuilds from where they can obtain the
>> > > > package without being exposed to potential legal issues.
>> > >
>> > > I'm not aware of any court rulings that have found downloading
>> > > something like this to be illegal.
>> > >
>> > > >
>> > > > > Perhaps if we want to enforce a policy like this we should take the
>> > > > > time to actually write the policy down.  As far as I can tell Gentoo
>> > > > > has no such policy currently.
>> > > >
>> > > > The old Games Ebuild Howto [1] has this:
>> > > >
>> > > > > LICENSE
>> > > > >
>> > > > > The license is an important point in your ebuild. It is also a
>> > > > > common place for making mistakes. Try to check the license on any
>> > > > > ebuild that you submit. Often times, the license will be in a
>> > > > > COPYING file, distributed in the package's tarball. If the license
>> > > > > is not readily apparent, try contacting the authors of the package
>> > > > > for clarification. [...]
>> > > >
>> > > > I propose to add the paragraph above to the devmanual's licenses
>> > > > section.
>> > > >
>> > >
>> > > We already know there isn't a license for redistribution.  This
>> > > doesn't speak about requiring us to ensure that those distributing our
>> > > source files have the rights to do so.  It merely says to check the
>> > > license.  We understand the license already.  I don't see how this
>> > > paragraph pertains to this situation.
>> >
>> > AFAIK you're a developer. So if you want to keep this package, then
>> > please do the needful and take care of it yourself instead of
>> > complaining and demanding others to do the work you want done.
>> >
>>
>> Are you saying it is sufficient to just point the SRC_URI at the new
>> URL and remove the mask?  As far as I can tell that is all that needs
>> to be done.  Per the policy the license is readily apparent, so there
>> is no need to contact the authors.
>>
>
> I don't know what is sufficient. It's your business as the new
> maintainer to figure it out and take the responsibility. If there's
> nobody willing to do that, then we don't get to keep the package. Simple
> as that.
>

And how would I figure it out, considering that simply asking on the
list doesn't seem to yield a straight answer?  Do you really need me
to put it on the Council agenda?  Or do we unmask it, let QA mask it
10 minutes later, then go back and forth for a month, and THEN put it
on the Council agenda?

-- 
Rich

Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

[Michał Górny]

W dniu czw, 07.09.2017 o godzinie 16∶42 -0400, użytkownik Rich Freeman
napisał:
> On Thu, Sep 7, 2017 at 4:36 PM, Michał Górny  wrote:
> > W dniu czw, 07.09.2017 o godzinie 06∶21 -0700, użytkownik Rich Freeman
> > napisał:
> > > On Thu, Sep 7, 2017 at 6:04 AM, Ulrich Mueller  wrote:
> > > > > > > > > On Thu, 7 Sep 2017, Rich Freeman wrote:
> > > > 
> > > > Don't you think there is a difference between downloading a package
> > > > that has a known upstream and that is also carried by other distros,
> > > > and downloading a license-less package from a random location on the
> > > > internet?
> > > 
> > > Most upstreams do not do much checking about the ownership of their 
> > > sources.
> > > 
> > > Gentoo certainly doesn't - we don't even require developers to submit a 
> > > DCO.
> > > 
> > > Other projects like the Linux kernel require signing a DCO for each
> > > commit, but do not do any checking beyond this.  I have no doubt that
> > > they would remove offending sources if they were contacted, but they
> > > do not actively go out and confirm authorship.
> > > 
> > > > 
> > > > > > The package in question doesn't come with any license though, which
> > > > > > means that only the copyright holder has the right to distribute
> > > > > > it. So I believe that some extra care is justified, especially when
> > > > > > the upstream location of the distfile has changed.
> > > > > 
> > > > > Why?  We don't redistribute anything that is copyrighted.
> > > > 
> > > > Users download the file, and I think that we are responsible to have
> > > > only such SRC_URIs in our ebuilds from where they can obtain the
> > > > package without being exposed to potential legal issues.
> > > 
> > > I'm not aware of any court rulings that have found downloading
> > > something like this to be illegal.
> > > 
> > > > 
> > > > > Perhaps if we want to enforce a policy like this we should take the
> > > > > time to actually write the policy down.  As far as I can tell Gentoo
> > > > > has no such policy currently.
> > > > 
> > > > The old Games Ebuild Howto [1] has this:
> > > > 
> > > > > LICENSE
> > > > > 
> > > > > The license is an important point in your ebuild. It is also a
> > > > > common place for making mistakes. Try to check the license on any
> > > > > ebuild that you submit. Often times, the license will be in a
> > > > > COPYING file, distributed in the package's tarball. If the license
> > > > > is not readily apparent, try contacting the authors of the package
> > > > > for clarification. [...]
> > > > 
> > > > I propose to add the paragraph above to the devmanual's licenses
> > > > section.
> > > > 
> > > 
> > > We already know there isn't a license for redistribution.  This
> > > doesn't speak about requiring us to ensure that those distributing our
> > > source files have the rights to do so.  It merely says to check the
> > > license.  We understand the license already.  I don't see how this
> > > paragraph pertains to this situation.
> > 
> > AFAIK you're a developer. So if you want to keep this package, then
> > please do the needful and take care of it yourself instead of
> > complaining and demanding others to do the work you want done.
> > 
> 
> Are you saying it is sufficient to just point the SRC_URI at the new
> URL and remove the mask?  As far as I can tell that is all that needs
> to be done.  Per the policy the license is readily apparent, so there
> is no need to contact the authors.
> 

I don't know what is sufficient. It's your business as the new
maintainer to figure it out and take the responsibility. If there's
nobody willing to do that, then we don't get to keep the package. Simple
as that.

-- 
Best regards,
Michał Górny

Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

[Rich Freeman]

On Thu, Sep 7, 2017 at 4:36 PM, Michał Górny  wrote:
> W dniu czw, 07.09.2017 o godzinie 06∶21 -0700, użytkownik Rich Freeman
> napisał:
>> On Thu, Sep 7, 2017 at 6:04 AM, Ulrich Mueller  wrote:
>> > > > > > > On Thu, 7 Sep 2017, Rich Freeman wrote:
>> >
>> > Don't you think there is a difference between downloading a package
>> > that has a known upstream and that is also carried by other distros,
>> > and downloading a license-less package from a random location on the
>> > internet?
>>
>> Most upstreams do not do much checking about the ownership of their sources.
>>
>> Gentoo certainly doesn't - we don't even require developers to submit a DCO.
>>
>> Other projects like the Linux kernel require signing a DCO for each
>> commit, but do not do any checking beyond this.  I have no doubt that
>> they would remove offending sources if they were contacted, but they
>> do not actively go out and confirm authorship.
>>
>> >
>> > > > The package in question doesn't come with any license though, which
>> > > > means that only the copyright holder has the right to distribute
>> > > > it. So I believe that some extra care is justified, especially when
>> > > > the upstream location of the distfile has changed.
>> > > Why?  We don't redistribute anything that is copyrighted.
>> >
>> > Users download the file, and I think that we are responsible to have
>> > only such SRC_URIs in our ebuilds from where they can obtain the
>> > package without being exposed to potential legal issues.
>>
>> I'm not aware of any court rulings that have found downloading
>> something like this to be illegal.
>>
>> >
>> > > Perhaps if we want to enforce a policy like this we should take the
>> > > time to actually write the policy down.  As far as I can tell Gentoo
>> > > has no such policy currently.
>> >
>> > The old Games Ebuild Howto [1] has this:
>> >
>> > > LICENSE
>> > >
>> > > The license is an important point in your ebuild. It is also a
>> > > common place for making mistakes. Try to check the license on any
>> > > ebuild that you submit. Often times, the license will be in a
>> > > COPYING file, distributed in the package's tarball. If the license
>> > > is not readily apparent, try contacting the authors of the package
>> > > for clarification. [...]
>> >
>> > I propose to add the paragraph above to the devmanual's licenses
>> > section.
>> >
>>
>> We already know there isn't a license for redistribution.  This
>> doesn't speak about requiring us to ensure that those distributing our
>> source files have the rights to do so.  It merely says to check the
>> license.  We understand the license already.  I don't see how this
>> paragraph pertains to this situation.
>
> AFAIK you're a developer. So if you want to keep this package, then
> please do the needful and take care of it yourself instead of
> complaining and demanding others to do the work you want done.
>

Are you saying it is sufficient to just point the SRC_URI at the new
URL and remove the mask?  As far as I can tell that is all that needs
to be done.  Per the policy the license is readily apparent, so there
is no need to contact the authors.

-- 
Rich

Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

[Michał Górny]

W dniu czw, 07.09.2017 o godzinie 06∶21 -0700, użytkownik Rich Freeman
napisał:
> On Thu, Sep 7, 2017 at 6:04 AM, Ulrich Mueller  wrote:
> > > > > > > On Thu, 7 Sep 2017, Rich Freeman wrote:
> > 
> > Don't you think there is a difference between downloading a package
> > that has a known upstream and that is also carried by other distros,
> > and downloading a license-less package from a random location on the
> > internet?
> 
> Most upstreams do not do much checking about the ownership of their sources.
> 
> Gentoo certainly doesn't - we don't even require developers to submit a DCO.
> 
> Other projects like the Linux kernel require signing a DCO for each
> commit, but do not do any checking beyond this.  I have no doubt that
> they would remove offending sources if they were contacted, but they
> do not actively go out and confirm authorship.
> 
> > 
> > > > The package in question doesn't come with any license though, which
> > > > means that only the copyright holder has the right to distribute
> > > > it. So I believe that some extra care is justified, especially when
> > > > the upstream location of the distfile has changed.
> > > Why?  We don't redistribute anything that is copyrighted.
> > 
> > Users download the file, and I think that we are responsible to have
> > only such SRC_URIs in our ebuilds from where they can obtain the
> > package without being exposed to potential legal issues.
> 
> I'm not aware of any court rulings that have found downloading
> something like this to be illegal.
> 
> > 
> > > Perhaps if we want to enforce a policy like this we should take the
> > > time to actually write the policy down.  As far as I can tell Gentoo
> > > has no such policy currently.
> > 
> > The old Games Ebuild Howto [1] has this:
> > 
> > > LICENSE
> > > 
> > > The license is an important point in your ebuild. It is also a
> > > common place for making mistakes. Try to check the license on any
> > > ebuild that you submit. Often times, the license will be in a
> > > COPYING file, distributed in the package's tarball. If the license
> > > is not readily apparent, try contacting the authors of the package
> > > for clarification. [...]
> > 
> > I propose to add the paragraph above to the devmanual's licenses
> > section.
> > 
> 
> We already know there isn't a license for redistribution.  This
> doesn't speak about requiring us to ensure that those distributing our
> source files have the rights to do so.  It merely says to check the
> license.  We understand the license already.  I don't see how this
> paragraph pertains to this situation.

AFAIK you're a developer. So if you want to keep this package, then
please do the needful and take care of it yourself instead of
complaining and demanding others to do the work you want done.

-- 
Best regards,
Michał Górny

Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

[Andrew Savchenko]

On Thu, 7 Sep 2017 15:04:34 +0200 Ulrich Mueller wrote:
> > On Thu, 7 Sep 2017, Rich Freeman wrote:
> 
> >>> Do we routinely confirm that any site we list in SRC_URI has
> >>> permission to redistribute files? That seems like a slippery
> >>> slope.
> >> 
> >> We don't, and for a package that comes with a license (as the vast
> >> majority of packages does) it normally isn't necessary.
> 
> > Why isn't this necessary?  How do you know the person issuing the
> > license actually has the right to issue it?
> 
> Don't you think there is a difference between downloading a package
> that has a known upstream and that is also carried by other distros,
> and downloading a license-less package from a random location on the
> internet?

If downloaded files are the same (e.g. sha512 hash matches), what's
the difference?

Best regards,
Andrew Savchenko


pgp10n1q4cpHA.pgp
Description: PGP signature

Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

[Rich Freeman]

On Thu, Sep 7, 2017 at 6:04 AM, Ulrich Mueller  wrote:
>> On Thu, 7 Sep 2017, Rich Freeman wrote:
>
> Don't you think there is a difference between downloading a package
> that has a known upstream and that is also carried by other distros,
> and downloading a license-less package from a random location on the
> internet?

Most upstreams do not do much checking about the ownership of their sources.

Gentoo certainly doesn't - we don't even require developers to submit a DCO.

Other projects like the Linux kernel require signing a DCO for each
commit, but do not do any checking beyond this.  I have no doubt that
they would remove offending sources if they were contacted, but they
do not actively go out and confirm authorship.

>
>>> The package in question doesn't come with any license though, which
>>> means that only the copyright holder has the right to distribute
>>> it. So I believe that some extra care is justified, especially when
>>> the upstream location of the distfile has changed.
>
>> Why?  We don't redistribute anything that is copyrighted.
>
> Users download the file, and I think that we are responsible to have
> only such SRC_URIs in our ebuilds from where they can obtain the
> package without being exposed to potential legal issues.

I'm not aware of any court rulings that have found downloading
something like this to be illegal.

>
>> Perhaps if we want to enforce a policy like this we should take the
>> time to actually write the policy down.  As far as I can tell Gentoo
>> has no such policy currently.
>
> The old Games Ebuild Howto [1] has this:
>
> | LICENSE
> |
> | The license is an important point in your ebuild. It is also a
> | common place for making mistakes. Try to check the license on any
> | ebuild that you submit. Often times, the license will be in a
> | COPYING file, distributed in the package's tarball. If the license
> | is not readily apparent, try contacting the authors of the package
> | for clarification. [...]
>
> I propose to add the paragraph above to the devmanual's licenses
> section.
>

We already know there isn't a license for redistribution.  This
doesn't speak about requiring us to ensure that those distributing our
source files have the rights to do so.  It merely says to check the
license.  We understand the license already.  I don't see how this
paragraph pertains to this situation.

-- 
Rich

Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

[Ulrich Mueller]

> On Thu, 7 Sep 2017, Rich Freeman wrote:

>>> Do we routinely confirm that any site we list in SRC_URI has
>>> permission to redistribute files? That seems like a slippery
>>> slope.
>> 
>> We don't, and for a package that comes with a license (as the vast
>> majority of packages does) it normally isn't necessary.

> Why isn't this necessary?  How do you know the person issuing the
> license actually has the right to issue it?

Don't you think there is a difference between downloading a package
that has a known upstream and that is also carried by other distros,
and downloading a license-less package from a random location on the
internet?

>> The package in question doesn't come with any license though, which
>> means that only the copyright holder has the right to distribute
>> it. So I believe that some extra care is justified, especially when
>> the upstream location of the distfile has changed.

> Why?  We don't redistribute anything that is copyrighted.

Users download the file, and I think that we are responsible to have
only such SRC_URIs in our ebuilds from where they can obtain the
package without being exposed to potential legal issues.

> Are you arguing that merely linking to the file is illegal?  If so,
> then you better get the list archives purged.

Arguably, items in SRC_URI aren't even hyperlinks. And no, I don't
think that such linking is illegal. IANAL, though.

>> We don't know this for sure unless we ask the author. So whoever is
>> interested in keeping the package in the tree should sort these
>> issues out.

> Perhaps if we want to enforce a policy like this we should take the
> time to actually write the policy down.  As far as I can tell Gentoo
> has no such policy currently.

The old Games Ebuild Howto [1] has this:

| LICENSE
|
| The license is an important point in your ebuild. It is also a
| common place for making mistakes. Try to check the license on any
| ebuild that you submit. Often times, the license will be in a
| COPYING file, distributed in the package's tarball. If the license
| is not readily apparent, try contacting the authors of the package
| for clarification. [...]

I propose to add the paragraph above to the devmanual's licenses
section.

Ulrich

[1] https://wiki.gentoo.org/wiki/Project:Games/Ebuild_howto#LICENSE


pgpKzfaecwAFg.pgp
Description: PGP signature

Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

[Rich Freeman]

On Thu, Sep 7, 2017 at 3:28 AM, Ulrich Mueller  wrote:
>> On Wed, 6 Sep 2017, Rich Freeman wrote:
>
>> Do we routinely confirm that any site we list in SRC_URI has
>> permission to redistribute files?  That seems like a slippery slope.
>
> We don't, and for a package that comes with a license (as the vast
> majority of packages does) it normally isn't necessary.

Why isn't this necessary?  How do you know the person issuing the
license actually has the right to issue it?

>
> The package in question doesn't come with any license though, which
> means that only the copyright holder has the right to distribute it.
> So I believe that some extra care is justified, especially when the
> upstream location of the distfile has changed.

Why?  We don't redistribute anything that is copyrighted.

Are you arguing that merely linking to the file is illegal?  If so,
then you better get the list archives purged.

>
> We don't know this for sure unless we ask the author. So whoever is
> interested in keeping the package in the tree should sort these issues
> out.
>

Perhaps if we want to enforce a policy like this we should take the
time to actually write the policy down.  As far as I can tell Gentoo
has no such policy currently.

-- 
Rich

Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

[Ulrich Mueller]

> On Wed, 6 Sep 2017, Rich Freeman wrote:

> On Wed, Sep 6, 2017 at 2:52 AM, Ulrich Mueller  wrote:
>>> On Tue, 5 Sep 2017, Gordon Pettey wrote:
>> 
>>> Can these package.mask notes stop saying "no alternative found"
>>> when it's obvious five seconds of Google searching was not even
>>> performed to find an alternative?
>>> https://neverwintervault.org/project/nwn1/module/shadowlords-dreamcatcher-and-demon-campaigns
>>> has live links, and the exe even matches the sha256sum.
>> 
>> Do they have permission to redistribute the file, though? The
>> ebuild is mirror restricted and LICENSE says "all-rights-reserved".

> Do we routinely confirm that any site we list in SRC_URI has
> permission to redistribute files?  That seems like a slippery slope.

We don't, and for a package that comes with a license (as the vast
majority of packages does) it normally isn't necessary.

The package in question doesn't come with any license though, which
means that only the copyright holder has the right to distribute it.
So I believe that some extra care is justified, especially when the
upstream location of the distfile has changed.

https://gitweb.gentoo.org/repo/gentoo.git/tree/licenses/all-rights-reserved

> In any case, as far as I can tell this is probably one of the
> largest sites for hosting this sort of content and I can't imagine
> that it would have escaped the author's notice if they didn't want
> the files distributed there.

We don't know this for sure unless we ask the author. So whoever is
interested in keeping the package in the tree should sort these issues
out.

Ulrich


pgpRUcSjKVqyB.pgp
Description: PGP signature

Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

[Rich Freeman]

On Wed, Sep 6, 2017 at 2:52 AM, Ulrich Mueller  wrote:
>> On Tue, 5 Sep 2017, Gordon Pettey wrote:
>
>> Can these package.mask notes stop saying "no alternative found" when
>> it's obvious five seconds of Google searching was not even performed
>> to find an alternative?
>> https://neverwintervault.org/project/nwn1/module/shadowlords-dreamcatcher-and-demon-campaigns
>> has live links, and the exe even matches the sha256sum.
>
> Do they have permission to redistribute the file, though? The ebuild
> is mirror restricted and LICENSE says "all-rights-reserved".
>

Do we routinely confirm that any site we list in SRC_URI has
permission to redistribute files?  That seems like a slippery slope.
In any case, as far as I can tell this is probably one of the largest
sites for hosting this sort of content and I can't imagine that it
would have escaped the author's notice if they didn't want the files
distributed there.

-- 
Rich

Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

[Ulrich Mueller]

> On Tue, 5 Sep 2017, Gordon Pettey wrote:

> Can these package.mask notes stop saying "no alternative found" when
> it's obvious five seconds of Google searching was not even performed
> to find an alternative?
> https://neverwintervault.org/project/nwn1/module/shadowlords-dreamcatcher-and-demon-campaigns
> has live links, and the exe even matches the sha256sum.

Do they have permission to redistribute the file, though? The ebuild
is mirror restricted and LICENSE says "all-rights-reserved".

Ulrich


pgpp7l3H2mnxt.pgp
Description: PGP signature

Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

[Gordon Pettey]

Can these package.mask notes stop saying "no alternative found" when it's
obvious five seconds of Google searching was not even performed to find an
alternative?
https://neverwintervault.org/project/nwn1/module/shadowlords-dreamcatcher-and-demon-campaigns
has live links, and the exe even matches the sha256sum.

On Tue, Sep 5, 2017 at 4:43 PM, Austin English 
wrote:

> # Austin English  (05 Sep 2017)
> # Download has been broken for nearly a year, no alternative found
> # Bug: https://bugs.gentoo.org/599390
> # Removal in 30 days
> games-rpg/nwn-shadowlordsdreamcatcherdemon
>
> --
> -Austin
>
> Austin English
> Gentoo Developer
> GPG: 00B3 2957 B94B F3E1
>
>