On Tue, Feb 05, 2013 at 15:54 -0500, Terry Reedy wrote: > On 2/5/2013 11:35 AM, Lennart Regebro wrote: > >On Tue, Feb 5, 2013 at 5:03 PM, Donald Stufft <donald.stu...@gmail.com> > >wrote: > >>Besides the issues with validating that the package We are mirroring > >>is the authentic one there's also a legal issue. We don't know for sure > >>that we have the legal rights to redistribute those files. When you upload > >>a file to PyPI you grant the PSF a license to do that, no upload from the > >>author = no license. IANAL but i think i'm correct on that. > > > >Absolutely, but if the package is marked with a license that allows > >redistribution in the metadata, then we can. > > The last I read (and I cannot find the seemingly hidden page) the > author (or rights-holder) of code must grant PSF something more than > just redistribution rights before uploading it. The same must also > certify some mumbo-jumbo about compliance with national laws and > cryptography. No 3rd party can do that.
Not sure i understand. Are you referring to a procedure that is in place already or that should be in place? I consider the activity of caching 3rd party packages that are offered through PyPI's metadata and which can be downloaded freely from everwhere as similar to what web caches like squid do. A quick scan produced this sentence from http://en.wikipedia.org/wiki/Web_cache : In 1998, the DMCA added rules to the United States Code (17 U.S.C. ยง: 512) that relinquishes system operators from copyright liability for the purposes of caching. best, holger _______________________________________________ Catalog-SIG mailing list Catalog-SIG@python.org http://mail.python.org/mailman/listinfo/catalog-sig