On Fri, Apr 14, 2017 at 08:31:22PM -0300, fauno wrote:
> "Nicolás A. Ortega" <[email protected]> writes:
> > My proposal is the following: when someone brings up a freedom issue (or
> > even privacy, for that matter) they should also link to the information
> > that led them to this conclusion, once we see that these links have
> > something behind them (a quick skim through the links) we can put in
> > place the temporary quarantine of the package. After this point all
> > information regarding the freedom issues with the package should be
> > concentrated in one place (public place where everyone can see it) and a
> > more thorough investigation of the matter (finding exact files that are
> > non-free) should take place. If no actual evidence is found or the
> > evidence has *all* been countered after X amount of time (I think a
> > month or two should do) then the package is taken out of quarantine
> > until more concrete evidence can be found. If evidence is found and
> > cannot be countered then the package is labelled permanently as non-free
> > until either upstream fixes the freedom issues (which *should be
> > reported to upstream when found*) or we create a -libre package for it.
> >
> > The most important thing I want to be taken away from this is that
> > information on the freedom issues of a package should be *easily
> > available*. I shouldn't have to be asking absolutely everyone in the
> > community who has the actual links so I can verify for my own eyes.
> > What's more, the more eyes we have on the issue the more information we
> > can obtain and the faster we can solve things.
> >
> > I brought up the qt5-webengine issue as an example, I did not send this
> > e-mail to talk about it directly but something I noticed as a
> > consequence of it. So please let's not make this thread about that
> > (since I can see it coming).
> >
> > With a policy similar to this I believe we'll be able to handle these
> > freedom issues in a much more orderly, organized, and effective manner.
>
> +1 would you open a pad? then it can be put on the wiki.
>
> contacting/involving upstream should be a requisite too, in the past
> we've failed to do so and i remember one case where they contacted us
> about it. it was about syslog-ng documentation license, which at the
> time of blacklisting was cc-by-sa-nc (iirc) and it was going to be
> changed to cc-by-sa (which i guess they did, because i see syslog-ng in
> repos now).
>
> --
> http://utopia.partidopirata.com.ar/

Alright, I made an etherpad:

https://pad.riseup.net/p/QuarantinePolicyDraft

Y'all are greatly encouraged to edit it and improve the draft.

Hope this helps. (^_^)

--
Nicolás Ortega Froysa (Deathsbreed)
https://themusicinnoise.net/
http://uk7ewohr7xpjuaca.onion/
Public PGP Key:
https://themusicinnoise.net/[email protected]_pub.asc
http://uk7ewohr7xpjuaca.onion/[email protected]_pub.asc
_______________________________________________
Dev mailing list
[email protected]
https://lists.parabola.nu/mailman/listinfo/dev
