Francesco Poli <invernom...@paranoici.org> writes:

> I thought the basis was the fact that copyright and licensing bugs may
> have bad legal consequences (lawsuits against the Project for
> distributing legally undistributable packages, things like that), while
> technical bugs do not cause issues with lawyers and are, in this sense,
> "easier" to fix.

Sure, everyone says this, but is this *true*?

The free software community has a tendency to assume a lot of things about laws that aren't actually true. Sometimes this is useful conservatism, since there are a lot of legal areas for which the answer is not clear-cut, and if it doesn't matter much either way, better to avoid any sharp corners. But in this case, this assumption has a very high cost for the project, so maybe it's worth finding out whether it actually matters.

As people have pointed out in the numerous previous iterations of this discussion, it's not like the ftp-master screen eliminates all copyright and licensing bugs on project services. I'm sure that we've accidentally pushed non-distributable material to Salsa, we did to Alioth before that, ftp-master will occasionally make mistakes, etc. We should act with alacrity to remedy serious copyright and licensing bugs; no one is arguing against that. But is it legally necessary to take the very specific measure that we are currently taking against them?

It's also worth remembering that absolutely nothing that we can do will guarantee the project or some members of the project will not be sued. As the saying goes in the US, you can sue anyone for anything; you just might not *win*. If we're protecting ourselves against *losing* a lawsuit, or can draw a direct line between the measures we're taking and decreased liability, better settlements, etc., that would be useful to know, including the rough shape of the parameters around that. But I'm a little worried that we've fallen into a reflexive defense of a specific mitigation that may not be doing very much about the project's actual legal risks, but which has accumulated enough weight of tradition that everyone thinks it's necessary.

> I am under the impression that the pre-screening in the NEW queue is an
> attempt to catch legal issues *before* the package is introduced into
> the archive.

I also agree that this is the case, but I don't think it's obvious that this attempt is necessary or that it's the most effective place to put that level of effort and friction.

> Personally, I think the legal pre-screening by the FTP masters in the
> NEW queue is useful and should be kept.

Is this on advice of legal counsel? Do you have some concrete reference for this belief that we can rely on?

I do think that the amount of effort that the project puts into this pre-screening is of sufficiently high magnitude that it would be worth paying a lawyer for a legal opinion about whether or not we need to do it. The savings to the project if we found out that we didn't, or that we could do something simpler and more easily automated, would be more than the cost of the legal opinion.

> In fact, I wish the pre-screening were stricter.

> I've seen cases where a bug is reported against a legally
> undistributable package and the issue is left unaddressed for ages with
> nobody apparently caring enough.

Doesn't this argue that it is not as important to pre-screen as we think it is, given that this has happened multiple times and none of the horrible consequences from which pre-screening is intended to protect us have occurred?

(I know the argument is that we've just gotten lucky, but I think it's worth being careful of that argument since it's inherently irrefutable. "We have to do this thing because horrible things will happen if we don't, and those horrible things have never happened in the past only because we've gotten lucky" is a circular argument that cannot be disproven, and therefore we should be a bit skeptical about it.)

What if we took all the effort we put into pre-screening and instead devoted it to resolving actual problems that have been reported to us? Is it possible that would resolve our legal issues *faster* than investing huge amounts of project time and resources into pre-screening?

This is the point that this same argument for pre-screening could be made about *any* bug. For *any* type of bug, doing additional pre-screening will reduce the incidence of that bug. The question is whether that's the most effective use of resources, not whether it has any positive effect at all. Clearly it does help, but does it help more than other things we could be doing with the same time and energy?

The counterfactual is not "Debian stops caring about legal issues at all." The alternative is instead "the primary responsibility for legal issues lies with the person uploading the package, here are the rules that we follow, we encourage audits and other analysis and will automate them to the degree possible, and if anyone reports a copyright or licensing bug, we will prioritize resolving it." In other words, pretty much exactly the policy we use right now for security issues, which I suspect are far more dangerous to Debian users on the whole than copyright and licensing issues (although both are important!).

-- 
Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>