On Thu, Sep 7, 2017 at 6:04 AM, Ulrich Mueller <ulm@g.o> wrote:
>>>>>> On Thu, 7 Sep 2017, Rich Freeman wrote:
>
> Don't you think there is a difference between downloading a package
> that has a known upstream and that is also carried by other distros,
> and downloading a license-less package from a random location on the
> internet?
|
Most upstreams do not do much checking about the ownership of their sources.

Gentoo certainly doesn't - we don't even require developers to submit a DCO.

Other projects like the Linux kernel require signing a DCO for each
commit, but do not do any checking beyond this. I have no doubt that
they would remove offending sources if they were contacted, but they
do not actively go out and confirm authorship.
|
>
>>> The package in question doesn't come with any license though, which
>>> means that only the copyright holder has the right to distribute
>>> it. So I believe that some extra care is justified, especially when
>>> the upstream location of the distfile has changed.
>
>> Why? We don't redistribute anything that is copyrighted.
>
> Users download the file, and I think that we are responsible to have
> only such SRC_URIs in our ebuilds from where they can obtain the
> package without being exposed to potential legal issues.
|
I'm not aware of any court rulings that have found downloading
something like this to be illegal.
|
>
>> Perhaps if we want to enforce a policy like this we should take the
>> time to actually write the policy down. As far as I can tell Gentoo
>> has no such policy currently.
>
> The old Games Ebuild Howto [1] has this:
>
> | LICENSE
> |
> | The license is an important point in your ebuild. It is also a
> | common place for making mistakes. Try to check the license on any
> | ebuild that you submit. Often times, the license will be in a
> | COPYING file, distributed in the package's tarball. If the license
> | is not readily apparent, try contacting the authors of the package
> | for clarification. [...]
>
> I propose to add the paragraph above to the devmanual's licenses
> section.
>
|
We already know there isn't a license for redistribution. This
doesn't speak about requiring us to ensure that those distributing our
source files have the rights to do so. It merely says to check the
license. We understand the license already. I don't see how this
paragraph pertains to this situation.

--
Rich