Andreas Tille <andr...@an3as.eu> writes:

...
> Maybe some intermediate step would be to not hide packages in NEW queue
> but expose them as an apt source. If I'm correct this is not the case
> since it had certain legal consequences for the project if code with
> certain non-free licenses would be downloadable from some debian.org
> address. Maybe NEW could be considered as some kind of pre-non-free as
> long as it is not checked and the legal consequences are not valid for
> us any more. But I'm not educated in international law - just asking
> whether somebody might know better.

I have a repository on salsa:

  https://salsa.debian.org/installer-team/branch2repo

that allows one to easily take a collection of branches (with the same branch name) from several repos, and assemble the (u)debs that one can build from all those branches into an apt repo.

The motivation for that is for testing patches to Debian-Installer, but it should work for anything, so if that (or something like it) got merged into the main salsa-CI pipeline then people could more easily decouple the testing of new packages from their progress through NEW.

This does of course raise the question of whether I ought to be able to do that, since it creates apt repos, such as this (trivial) example:

  https://salsa.debian.org/installer-team/branch2repo/-/jobs/2365384/artifacts/browse/public/

that publish .debs from a debian.org host, that could easily be created from sources that have never been near NEW.

Of course, the URL is not exactly obvious there, and the artifacts will get deleted, so maybe that's a difference, but I don't suppose it would be too hard to make that into a stable 'pages' URL and ensure that it got built often enough to keep the repo there permanently. Would that cross the line?

I think the important distinction is probably that once packages get through NEW they are mirrored all over the world, by unsuspecting third parties, who live in every jurisdiction under the sun. They are also incorporated into down-stream distros, often with little/no manual oversight, some of whom then do things like selling their resulting distribution for profit.

That involves other people in a lot of risks that might not apply to Debian itself, so I'd suggest requires rather more caution than trying to see what we alone can expect to get away with.

Do we need to shut down salsa's ability to do the above (given that one can do all of that from a guest account, using any old code you uploaded), or is that OK because the URLs are unstable and/or obscure?

(obviously, given that I did it, I think it's OK)

If obscure URLs are enough, I'd think it would be OK to have things in the NEW queue available from repo URLs that were not something that one could easily mirror, and would not be an "all of current NEW repo" but rather something like an apt repo per upload, so that one could easily test stuff stuck in NEW, but wouldn't be tempted to just install everything that hits NEW by default.

Cheers, Phil.
-- 
|)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd.
|-| http://www.hands.com/ http://ftp.uk.debian.org/
|(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY