Re: Legal possibility of more open package reviews.
Hi Charles,

On 10-04-13 00:56, Charles Plessy wrote:
> On Tue, Apr 09, 2013 at 05:54:14PM +0200, Bernd Zeimetz wrote:
>> Suggestion #3: have a system where any other DD can review a package in the NEW queue, not only the FTP masters or the FTP assistants. That would include publishing the contents of the NEW queue, at least to all Debian Developers - so we might violate licenses already.
>
> I have not read any convincing argument in favor of our current practice, not to mention that most arguments are guesses on the reasons of the persons in charge rather than a clear statement from the persons in charge themselves.
>
> We do not have many measures in place to ensure that our archive does not contain packages that start to violate licenses after their first upload. In parallel, we have a lot of download points that are not subjected to copyright and license review. I do not see a reason why the NEW queue must be more perfect than both our archive and the rest of the non-aptable files we distribute.

It is a mistake to believe that NEW queue handling only exists for the benefit of license compliance checking. Yes, that is a big part of it, but AIUI, the ftp-masters need to do a lot more than that for packages in NEW.

-- 
Copyshops should do vouchers. So that next time some bureaucracy requires you to mail a form in triplicate, you can mail it just once, add a voucher, and save on postage.

-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/51650ec7.5050...@debian.org
Re: Legal possibility of more open package reviews.
Hi,

On Tuesday, 09.04.2013, 17:54 +0200, Bernd Zeimetz wrote:
> Suggestion #3: have a system where any other DD can review a package in the NEW queue, not only the FTP masters or the FTP assistants. That would include publishing the contents of the NEW queue, at least to all Debian Developers - so we might violate licenses already.

I have long stopped buying this argument, with things like alioth.debian.org, people.debian.org and mentors.debian.net¹ full of software without license review.

Greetings,
Joachim

¹ ok, it's .net... but still.

-- 
Joachim nomeata Breitner
Debian Developer
nome...@debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
JID: nome...@joachim-breitner.de | http://people.debian.org/~nomeata
Re: Legal possibility of more open package reviews.
* Joachim Breitner nome...@debian.org [2013-04-10 10:13:25 +0200]:
> Hi,
>
> On Tuesday, 09.04.2013, 17:54 +0200, Bernd Zeimetz wrote:
>> Suggestion #3: have a system where any other DD can review a package in the NEW queue, not only the FTP masters or the FTP assistants. That would include publishing the contents of the NEW queue, at least to all Debian Developers - so we might violate licenses already.
>
> I have long stopped buying this argument, with things like alioth.debian.org, people.debian.org and mentors.debian.net¹ full of software without license review.
>
> ¹ ok, it's .net... but still.

mentors.d.n admin hat on

For mentors.debian.net, there are two main blockers for a .org transition:
- Seeking an answer to this "redistribution without verification" problem
- Making the codebase acceptable for DSA administration

The first point has been handled by zack, and we have on hand a legal document, vetted by SFLC lawyers, that makes the mentors platform a DMCA safe harbor. Basically, everyone is still allowed to upload packages, and those packages are distributed directly; the admins need to leave the copyright owners a way to claim that a package infringes on their copyright and act swiftly to hide such packages, pending a possible counterclaim from the uploader. We need to publish that policy, and then we should be compliant with DMCA safe harbor policies.

For the second point... well... we're working on it, albeit slowly. People are welcome to join :)

mentors.d.n admin hat off

Cheers,
-- 
Nicolas Dandrimont

I once witnessed a long-winded, month-long flamewar over the use of mice vs. trackballs... It was very silly. (By Matt Welsh)
Re: Legal possibility of more open package reviews.
On 04/10/2013 05:36 PM, Nicolas Dandrimont wrote:
> The first point has been handled by zack, and we have on hand a legal document, vetted by SFLC lawyers, that makes the mentors platform a DMCA safe harbor.

Does it mean that it is mandatory that mentors is hosted in the USA?

Thomas

Archive: http://lists.debian.org/516548d1.2030...@goirand.fr
Re: Legal possibility of more open package reviews.
On Wed, Apr 10, 2013 at 07:11:13PM +0800, Thomas Goirand wrote:
> On 04/10/2013 05:36 PM, Nicolas Dandrimont wrote:
>> The first point has been handled by zack, and we have on hand a legal document, vetted by SFLC lawyers, that makes the mentors platform a DMCA safe harbor.
>
> Does it mean that it is mandatory that mentors is hosted in the USA?

I thought to ask the opposite: could this work be avoided simply by hosting m.d.o in a country which does not honour the DMCA? Assuming we have some DSA assets in such countries. But I presume the mentors admins and/or DSA have thought of that…

Archive: http://lists.debian.org/20130410125235.GA31605@debian
Re: Legal possibility of more open package reviews.
]] Jonathan Dowland

> On Wed, Apr 10, 2013 at 07:11:13PM +0800, Thomas Goirand wrote:
>> On 04/10/2013 05:36 PM, Nicolas Dandrimont wrote:
>>> The first point has been handled by zack, and we have on hand a legal document, vetted by SFLC lawyers, that makes the mentors platform a DMCA safe harbor.
>>
>> Does it mean that it is mandatory that mentors is hosted in the USA?
>
> I thought to ask the opposite: could this work be avoided simply by hosting m.d.o in a country which does not honour the DMCA?

It would mean possible interesting legal challenges for people uploading crypto software from the US, since there would have been an export with no corresponding BXA declaration. IANAL, but my understanding is that it could land the person doing the export in quite a bit of trouble.

> Assuming we have some DSA assets in such countries. But I presume the mentors admins and/or DSA have thought of that…

We have machines outside the US, yes; the biggest ones are/will be in .ca, .de, .uk and .gr.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

Archive: http://lists.debian.org/m2vc7u34qp@rahvafeir.err.no
Re: Legal possibility of more open package reviews.
On Wed, Apr 10, 2013 at 07:11:13PM +0800, Thomas Goirand wrote:
> On 04/10/2013 05:36 PM, Nicolas Dandrimont wrote:
>> The first point has been handled by zack, and we have on hand a legal document, vetted by SFLC lawyers, that makes the mentors platform a DMCA safe harbor.
>
> Does it mean that it is mandatory that mentors is hosted in the USA?

Of course not. It means that if we decide to host in the US, where the DMCA is in effect, then we have the needed legal advice to go forward there. Hosting it elsewhere means learning about similar legal challenges that exist in the country of choice [1] and possibly seeking similar advice *if* there are DMCA-like worries.

FWIW, as a project we have very good access to high quality, pro bono, US lawyers at SFLC, but nothing equivalent (all factors considered) for other countries.

Cheers.

[1] unfortunately, the DMCA is not the only bad draconian law that exists around the world; many other countries have similar laws

-- 
Stefano Zacchiroli . . . . . . . z...@upsilon.cc . . . . o . . . o . o
Maître de conférences . . . . . http://upsilon.cc/zack . . . o . . . o o
Debian Project Leader . . . . . . @zack on identi.ca . . o o o . . . o .
« the first rule of tautology club is the first rule of tautology club »
Re: Legal possibility of more open package reviews.
On Wed, Apr 10, 2013 at 11:36:03AM +0200, Nicolas Dandrimont wrote:
> For mentors.debian.net, there are two main blockers for a .org transition:
> - Seeking an answer to this "redistribution without verification" problem
> - Making the codebase acceptable for DSA administration
>
> The first point has been handled by zack, and we have on hand a legal document, vetted by SFLC lawyers, that makes the mentors platform a DMCA safe harbor. Basically, everyone is still allowed to upload packages, and those packages are distributed directly; the admins need to leave the copyright owners a way to claim that a package infringes on their copyright and act swiftly to hide such packages, pending a possible counterclaim from the uploader. We need to publish that policy, and then we should be compliant with DMCA safe harbor policies.

Hi,

I do not understand the following:

- If mentors.debian.org needs to follow the DMCA, why would mentors.debian.net be exempt from it? Also, how do the safe harbor procedures differ from your current practices? Surely, if a copyright holder reports an infringement to supp...@mentors.debian.net, you will remove the package, won't you?

- If mentors.debian.org can distribute unreviewed packages by becoming a DMCA safe harbor, wouldn't it be possible for ftp-master.debian.org/NEW.html?

- Bonus question: since mentors.debian.net seems to be hosted in Germany, does it mean that developers living in the US should refrain from uploading crypto to it? How do other distributions solve that problem?

Cheers,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan

Archive: http://lists.debian.org/20130410135139.gh19...@falafel.plessy.net
Re: Legal possibility of more open package reviews.
On Wed, Apr 10, 2013 at 10:51:39PM +0900, Charles Plessy wrote:
> - If mentors.debian.org needs to follow the DMCA, why would mentors.debian.net be exempt from it?

It's not, but Debian is not hosting mentors; the .net domain is a forwarding service of sorts, so to take on the responsibility for hosting, Debian also needs to address the DMCA issue.

Archive: http://lists.debian.org/20130410143907.GA4314@debian
Re: Legal possibility of more open package reviews.
On Wed, Apr 10, 2013 at 03:37:39PM +0200, Stefano Zacchiroli wrote:
> On Wed, Apr 10, 2013 at 07:11:13PM +0800, Thomas Goirand wrote:
>> On 04/10/2013 05:36 PM, Nicolas Dandrimont wrote:
>>> The first point has been handled by zack, and we have on hand a legal document, vetted by SFLC lawyers, that makes the mentors platform a DMCA safe harbor.
>>
>> Does it mean that it is mandatory that mentors is hosted in the USA?
>
> Of course not. It means that if we decide to host in the US, where the DMCA is in effect, then we have the needed legal advice to go forward there. Hosting it elsewhere means learning about similar legal challenges that exist in the country of choice [1] and possibly seeking similar advice *if* there are DMCA-like worries.
>
> FWIW, as a project we have very good access to high quality, pro bono, US lawyers at SFLC, but nothing equivalent (all factors considered) for other countries.
>
> Cheers.
>
> [1] unfortunately, the DMCA is not the only bad draconian law that exists around the world; many other countries have similar laws

The DMCA 'safe harbor' rules are comparatively *good* for service providers, though not so much for service users that have enemies.

Ben.

-- 
Ben Hutchings
We get into the habit of living before acquiring the habit of thinking. - Albert Camus

Archive: http://lists.debian.org/20130410152602.gk2...@decadent.org.uk
Re: Legal possibility of more open package reviews.
[Charles Plessy]
> - If mentors.debian.org needs to follow the DMCA, why would mentors.debian.net be exempt from it?

It's not exempt, but it's also not Debian's problem.

> - If mentors.debian.org can distribute unreviewed packages by becoming a DMCA safe harbor, wouldn't it be possible for ftp-master.debian.org/NEW.html?

The difference is that one is open to the public and the other is not. If a service is open to the public without any control over who can post content, then basically you have grounds to claim you do not and cannot reasonably police the content.

> - Bonus question: since mentors.debian.net seems to be hosted in Germany, does it mean that developers living in the US should refrain from uploading crypto to it? How do other distributions solve that problem?

Correct, it means developers living in the US need to follow US laws. I suspect other distributions solve the problem by ignoring it, thus leaving individuals responsible for obeying their local laws. Which is a fine principle, but in practice it probably means some individuals violate US law without really noticing. (The US government harassment of Phil Zimmermann was a long time ago, so I suspect that object lesson has been mostly lost.)

Peter

Archive: http://lists.debian.org/20130410170916.gx4...@p12n.org
Re: Legal possibility of more open package reviews.
On Wed, Apr 10, 2013 at 12:09:16PM -0500, Peter Samuelson wrote:
>> - If mentors.debian.org can distribute unreviewed packages by becoming a DMCA safe harbor, wouldn't it be possible for ftp-master.debian.org/NEW.html?
>
> The difference is that one is open to the public and the other is not. If a service is open to the public without any control over who can post content, then basically you have grounds to claim you do not and cannot reasonably police the content.

Is there a legal ground that disqualifies Debian as a service provider in the sense of the DMCA? I can not upload to Youtube without authenticating myself; how different is it from the impossibility to upload to Debian without signing my packages?

Alternatively, if there is no safe harbor for the NEW queue because it is private to Debian, why can its contents not be opened privately to the Debian developers?

>> - Bonus question: since mentors.debian.net seems to be hosted in Germany, does it mean that developers living in the US should refrain from uploading crypto to it? How do other distributions solve that problem?
>
> Correct, it means developers living in the US need to follow US laws. I suspect other distributions solve the problem by ignoring it, thus leaving individuals responsible for obeying their local laws. Which is a fine principle, but in practice it probably means some individuals violate US law without really noticing. (The US government harassment of Phil Zimmermann was a long time ago, so I suspect that object lesson has been mostly lost.)

I am still puzzled: if we host a service in the US, this helps the US developers, but this still leaves the other developers living in other countries under the threat of export restrictions from their local law. Does that mean that we chose the US because it minimises the total number of developers who have to care about export restrictions, or does that mean that in the end, if only considering cryptography, the servers could be hosted in other countries, because anyway there will always be a majority of developers who need to cross a border?

Alternatively, doesn't the fact that we seem to be the only ones to self-inflict so many procedures suggest that we are the ones overinterpreting or misinterpreting the laws?

Cheers

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan

Archive: http://lists.debian.org/20130410230500.ga7...@falafel.plessy.net
Crypto export (was: Legal possibility of more open package reviews.)
Charles Plessy ple...@debian.org writes:
> On Wed, Apr 10, 2013 at 11:36:03AM +0200, Nicolas Dandrimont wrote:
>
> - Bonus question: since mentors.debian.net seems to be hosted in Germany, does it mean that developers living in the US should refrain from uploading crypto to it? How do other distributions solve that problem?

More interesting (in my opinion): if US developers can safely upload crypto packages to US hosted Debian servers, but Debian then makes these packages available to everyone in the world for download, why isn't this export of cryptographic packages a problem for Debian?

Best,
-Nikolaus

-- 
»Time flies like an arrow, fruit flies like a Banana.«
PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6 02CF A9AD B7F8 AE4E 425C

Archive: http://lists.debian.org/87a9p51xw9.fsf...@vostro.rath.org
Legal possibility of more open package reviews.
On Tue, Apr 09, 2013 at 05:54:14PM +0200, Bernd Zeimetz wrote:
> Suggestion #3: have a system where any other DD can review a package in the NEW queue, not only the FTP masters or the FTP assistants. That would include publishing the contents of the NEW queue, at least to all Debian Developers - so we might violate licenses already.

I have not read any convincing argument in favor of our current practice, not to mention that most arguments are guesses on the reasons of the persons in charge rather than a clear statement from the persons in charge themselves.

We do not have many measures in place to ensure that our archive does not contain packages that start to violate licenses after their first upload. In parallel, we have a lot of download points that are not subjected to copyright and license review. I do not see a reason why the NEW queue must be more perfect than both our archive and the rest of the non-aptable files we distribute.

Conversely, the existence of sites such as Ubuntu's PPA, SourceForge, GitHub and many others shows that a large number of software providers are confident that a policy of a posteriori removals is sufficient. I do not understand why we do not reach the same conclusion for the NEW queue, which is not even a software distribution in the sense of the Debian archive or the sites mentioned above.

Fedora for instance publicly reviews the new packages in a bugtracker, with download links that sometimes are pointing to Fedora-hosted machines. I think that reaching that level of transparency would have a positive impact on our capacity to keep on attracting new contributors.

Cheers,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan

Archive: http://lists.debian.org/20130409225639.ga16...@falafel.plessy.net
Re: Legal possibility of more open package reviews.
On 04/10/2013 06:56 AM, Charles Plessy wrote:
> On Tue, Apr 09, 2013 at 05:54:14PM +0200, Bernd Zeimetz wrote:
>> Suggestion #3: have a system where any other DD can review a package in the NEW queue, not only the FTP masters or the FTP assistants. That would include publishing the contents of the NEW queue, at least to all Debian Developers - so we might violate licenses already.
>
> I have not read any convincing argument in favor of our current practice, not to mention that most arguments are guesses on the reasons of the persons in charge rather than a clear statement from the persons in charge themselves.
>
> We do not have many measures in place to ensure that our archive does not contain packages that start to violate licenses after their first upload. In parallel, we have a lot of download points that are not subjected to copyright and license review. I do not see a reason why the NEW queue must be more perfect than both our archive and the rest of the non-aptable files we distribute.
>
> Conversely, the existence of sites such as Ubuntu's PPA, SourceForge, GitHub and many others shows that a large number of software providers are confident that a policy of a posteriori removals is sufficient. I do not understand why we do not reach the same conclusion for the NEW queue, which is not even a software distribution in the sense of the Debian archive or the sites mentioned above.
>
> Fedora for instance publicly reviews the new packages in a bugtracker, with download links that sometimes are pointing to Fedora-hosted machines. I think that reaching that level of transparency would have a positive impact on our capacity to keep on attracting new contributors.
>
> Cheers,

Exactly. Very well said!

Thomas

Archive: http://lists.debian.org/5164be8d.1090...@debian.org
Re: Legal possibility of more open package reviews.
Charles Plessy wrote:
> Conversely, the existence of sites such as Ubuntu's PPA, SourceForge, GitHub and many others shows that a large number of software providers are confident that a policy of a posteriori removals is sufficient. I do not understand why we do not reach the same conclusion for the NEW queue, which is not even a software distribution in the sense of the Debian archive or the sites mentioned above.

One significant difference between those sites and the Debian NEW queue, or Debian in general, is that sites that allow anyone to register and upload content probably operate under the DMCA safe harbor provisions that only require they take down infringing material when informed of it.

-- 
see shy jo