Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

2017-09-07 Thread Kent Fredric
On Thu, 7 Sep 2017 17:56:32 -0400
Rich Freeman  wrote:

> And how would I figure it out, considering that simply asking on the
> list doesn't seem to yield a straight answer?  Do you really need me
> to put it on the Council agenda?  Or do we unmask it, let QA mask it
> 10 minutes later, then go back and forth for a month, and THEN put it
> on the Council agenda?
> 
> -- 

Surely RESTRICT=fetch and then just do a "Hey look, the legal here is not clear
so you need to acquire this yourself after making sure you have the rights to do
so"

You know, like we do for things that can only be installed with a physical copy.




Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

2017-09-07 Thread R0b0t1
Hello,

On Thu, Sep 7, 2017 at 8:04 AM, Ulrich Mueller  wrote:
>> On Thu, 7 Sep 2017, Rich Freeman wrote:
>
>>>> Do we routinely confirm that any site we list in SRC_URI has
>>>> permission to redistribute files? That seems like a slippery
>>>> slope.
>>>
>>> We don't, and for a package that comes with a license (as the vast
>>> majority of packages does) it normally isn't necessary.
>
>> Why isn't this necessary?  How do you know the person issuing the
>> license actually has the right to issue it?
>
> Don't you think there is a difference between downloading a package
> that has a known upstream and that is also carried by other distros,
> and downloading a license-less package from a random location on the
> internet?
>
>>> The package in question doesn't come with any license though, which
>>> means that only the copyright holder has the right to distribute
>>> it. So I believe that some extra care is justified, especially when
>>> the upstream location of the distfile has changed.
>
>> Why?  We don't redistribute anything that is copyrighted.
>
> Users download the file, and I think that we are responsible to have
> only such SRC_URIs in our ebuilds from where they can obtain the
> package without being exposed to potential legal issues.
>

Downloading does not imply committing a felony. As far as anyone can
tell it is impossible to prosecute someone for downloading something
they already own (regardless of what any EULA has claimed). Further,
copyrights lapse if not enforced. Depending on how long that download
has been up the original rightsholder has forfeited their claim to
their work.

It's also really hard to convince a judge or jury that I am to blame
if someone follows my instructions (save for specific cases where I
could be considered a subject matter expert). E.g. it's possible to
sell radio kits that are illegal to put together and operate.

>> Are you arguing that merely linking to the file is illegal?  If so,
>> then you better get the list archives purged.
>
> Arguably, items in SRC_URI aren't even hyperlinks. And no, I don't
> think that such linking is illegal. IANAL, though.
>

It is at this point I would suggest that you have defeated your own argument.

>>> We don't know this for sure unless we ask the author. So whoever is
>>> interested in keeping the package in the tree should sort these
>>> issues out.
>
>> Perhaps if we want to enforce a policy like this we should take the
>> time to actually write the policy down.  As far as I can tell Gentoo
>> has no such policy currently.
>
> The old Games Ebuild Howto [1] has this:
>
> | LICENSE
> |
> | The license is an important point in your ebuild. It is also a
> | common place for making mistakes. Try to check the license on any
> | ebuild that you submit. Often times, the license will be in a
> | COPYING file, distributed in the package's tarball. If the license
> | is not readily apparent, try contacting the authors of the package
> | for clarification. [...]
>
> I propose to add the paragraph above to the devmanual's licenses
> section.
>

Should the Gentoo foundation include a disclaimer that the software
distributed by it is not to be used to build ballistic missiles or run
nuclear arms programs? Users might do those things, and Gentoo might
be liable for the consequences if they do.


On Thu, Sep 7, 2017 at 4:56 PM, Rich Freeman  wrote:
> Do you really need me to put it on the Council agenda?

Sir, please see my above comment about building ballistic missiles. It
may be important for the Gentoo Foundation to add a disclaimer similar
to the one I mentioned. I would hate for the Foundation or any of its
administrators or contributors to be found guilty of aiding and
abetting terrorists.

Respectfully,
 R0b0t1



Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

2017-09-07 Thread Rich Freeman
On Thu, Sep 7, 2017 at 5:18 PM, Michał Górny  wrote:
> On Thu, 07.09.2017 at 16:42 -0400, Rich Freeman wrote:
>> On Thu, Sep 7, 2017 at 4:36 PM, Michał Górny  wrote:
>> > On Thu, 07.09.2017 at 06:21 -0700, Rich Freeman wrote:
>> > > On Thu, Sep 7, 2017 at 6:04 AM, Ulrich Mueller  wrote:
>> > > > > > > > > On Thu, 7 Sep 2017, Rich Freeman wrote:
>> > > >
>> > > > Don't you think there is a difference between downloading a package
>> > > > that has a known upstream and that is also carried by other distros,
>> > > > and downloading a license-less package from a random location on the
>> > > > internet?
>> > >
>> > > Most upstreams do not do much checking about the ownership of their 
>> > > sources.
>> > >
>> > > Gentoo certainly doesn't - we don't even require developers to submit a 
>> > > DCO.
>> > >
>> > > Other projects like the Linux kernel require signing a DCO for each
>> > > commit, but do not do any checking beyond this.  I have no doubt that
>> > > they would remove offending sources if they were contacted, but they
>> > > do not actively go out and confirm authorship.
>> > >
>> > > >
>> > > > > > The package in question doesn't come with any license though, which
>> > > > > > means that only the copyright holder has the right to distribute
>> > > > > > it. So I believe that some extra care is justified, especially when
>> > > > > > the upstream location of the distfile has changed.
>> > > > >
>> > > > > Why?  We don't redistribute anything that is copyrighted.
>> > > >
>> > > > Users download the file, and I think that we are responsible to have
>> > > > only such SRC_URIs in our ebuilds from where they can obtain the
>> > > > package without being exposed to potential legal issues.
>> > >
>> > > I'm not aware of any court rulings that have found downloading
>> > > something like this to be illegal.
>> > >
>> > > >
>> > > > > Perhaps if we want to enforce a policy like this we should take the
>> > > > > time to actually write the policy down.  As far as I can tell Gentoo
>> > > > > has no such policy currently.
>> > > >
>> > > > The old Games Ebuild Howto [1] has this:
>> > > >
>> > > > > LICENSE
>> > > > >
>> > > > > The license is an important point in your ebuild. It is also a
>> > > > > common place for making mistakes. Try to check the license on any
>> > > > > ebuild that you submit. Often times, the license will be in a
>> > > > > COPYING file, distributed in the package's tarball. If the license
>> > > > > is not readily apparent, try contacting the authors of the package
>> > > > > for clarification. [...]
>> > > >
>> > > > I propose to add the paragraph above to the devmanual's licenses
>> > > > section.
>> > > >
>> > >
>> > > We already know there isn't a license for redistribution.  This
>> > > doesn't speak about requiring us to ensure that those distributing our
>> > > source files have the rights to do so.  It merely says to check the
>> > > license.  We understand the license already.  I don't see how this
>> > > paragraph pertains to this situation.
>> >
>> > AFAIK you're a developer. So if you want to keep this package, then
>> > please do the needful and take care of it yourself instead of
>> > complaining and demanding others to do the work you want done.
>> >
>>
>> Are you saying it is sufficient to just point the SRC_URI at the new
>> URL and remove the mask?  As far as I can tell that is all that needs
>> to be done.  Per the policy the license is readily apparent, so there
>> is no need to contact the authors.
>>
>
> I don't know what is sufficient. It's your business as the new
> maintainer to figure it out and take the responsibility. If there's
> nobody willing to do that, then we don't get to keep the package. Simple
> as that.
>

And how would I figure it out, considering that simply asking on the
list doesn't seem to yield a straight answer?  Do you really need me
to put it on the Council agenda?  Or do we unmask it, let QA mask it
10 minutes later, then go back and forth for a month, and THEN put it
on the Council agenda?

-- 
Rich



Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

2017-09-07 Thread Michał Górny
On Thu, 07.09.2017 at 16:42 -0400, Rich Freeman wrote:
> On Thu, Sep 7, 2017 at 4:36 PM, Michał Górny  wrote:
> > On Thu, 07.09.2017 at 06:21 -0700, Rich Freeman wrote:
> > > On Thu, Sep 7, 2017 at 6:04 AM, Ulrich Mueller  wrote:
> > > > > > > > > On Thu, 7 Sep 2017, Rich Freeman wrote:
> > > > 
> > > > Don't you think there is a difference between downloading a package
> > > > that has a known upstream and that is also carried by other distros,
> > > > and downloading a license-less package from a random location on the
> > > > internet?
> > > 
> > > Most upstreams do not do much checking about the ownership of their 
> > > sources.
> > > 
> > > Gentoo certainly doesn't - we don't even require developers to submit a 
> > > DCO.
> > > 
> > > Other projects like the Linux kernel require signing a DCO for each
> > > commit, but do not do any checking beyond this.  I have no doubt that
> > > they would remove offending sources if they were contacted, but they
> > > do not actively go out and confirm authorship.
> > > 
> > > > 
> > > > > > The package in question doesn't come with any license though, which
> > > > > > means that only the copyright holder has the right to distribute
> > > > > > it. So I believe that some extra care is justified, especially when
> > > > > > the upstream location of the distfile has changed.
> > > > > 
> > > > > Why?  We don't redistribute anything that is copyrighted.
> > > > 
> > > > Users download the file, and I think that we are responsible to have
> > > > only such SRC_URIs in our ebuilds from where they can obtain the
> > > > package without being exposed to potential legal issues.
> > > 
> > > I'm not aware of any court rulings that have found downloading
> > > something like this to be illegal.
> > > 
> > > > 
> > > > > Perhaps if we want to enforce a policy like this we should take the
> > > > > time to actually write the policy down.  As far as I can tell Gentoo
> > > > > has no such policy currently.
> > > > 
> > > > The old Games Ebuild Howto [1] has this:
> > > > 
> > > > > LICENSE
> > > > > 
> > > > > The license is an important point in your ebuild. It is also a
> > > > > common place for making mistakes. Try to check the license on any
> > > > > ebuild that you submit. Often times, the license will be in a
> > > > > COPYING file, distributed in the package's tarball. If the license
> > > > > is not readily apparent, try contacting the authors of the package
> > > > > for clarification. [...]
> > > > 
> > > > I propose to add the paragraph above to the devmanual's licenses
> > > > section.
> > > > 
> > > 
> > > We already know there isn't a license for redistribution.  This
> > > doesn't speak about requiring us to ensure that those distributing our
> > > source files have the rights to do so.  It merely says to check the
> > > license.  We understand the license already.  I don't see how this
> > > paragraph pertains to this situation.
> > 
> > AFAIK you're a developer. So if you want to keep this package, then
> > please do the needful and take care of it yourself instead of
> > complaining and demanding others to do the work you want done.
> > 
> 
> Are you saying it is sufficient to just point the SRC_URI at the new
> URL and remove the mask?  As far as I can tell that is all that needs
> to be done.  Per the policy the license is readily apparent, so there
> is no need to contact the authors.
> 

I don't know what is sufficient. It's your business as the new
maintainer to figure it out and take the responsibility. If there's
nobody willing to do that, then we don't get to keep the package. Simple
as that.

-- 
Best regards,
Michał Górny




Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

2017-09-07 Thread Rich Freeman
On Thu, Sep 7, 2017 at 4:36 PM, Michał Górny  wrote:
> On Thu, 07.09.2017 at 06:21 -0700, Rich Freeman wrote:
>> On Thu, Sep 7, 2017 at 6:04 AM, Ulrich Mueller  wrote:
>> > > > > > > On Thu, 7 Sep 2017, Rich Freeman wrote:
>> >
>> > Don't you think there is a difference between downloading a package
>> > that has a known upstream and that is also carried by other distros,
>> > and downloading a license-less package from a random location on the
>> > internet?
>>
>> Most upstreams do not do much checking about the ownership of their sources.
>>
>> Gentoo certainly doesn't - we don't even require developers to submit a DCO.
>>
>> Other projects like the Linux kernel require signing a DCO for each
>> commit, but do not do any checking beyond this.  I have no doubt that
>> they would remove offending sources if they were contacted, but they
>> do not actively go out and confirm authorship.
>>
>> >
>> > > > The package in question doesn't come with any license though, which
>> > > > means that only the copyright holder has the right to distribute
>> > > > it. So I believe that some extra care is justified, especially when
>> > > > the upstream location of the distfile has changed.
>> > > Why?  We don't redistribute anything that is copyrighted.
>> >
>> > Users download the file, and I think that we are responsible to have
>> > only such SRC_URIs in our ebuilds from where they can obtain the
>> > package without being exposed to potential legal issues.
>>
>> I'm not aware of any court rulings that have found downloading
>> something like this to be illegal.
>>
>> >
>> > > Perhaps if we want to enforce a policy like this we should take the
>> > > time to actually write the policy down.  As far as I can tell Gentoo
>> > > has no such policy currently.
>> >
>> > The old Games Ebuild Howto [1] has this:
>> >
>> > > LICENSE
>> > >
>> > > The license is an important point in your ebuild. It is also a
>> > > common place for making mistakes. Try to check the license on any
>> > > ebuild that you submit. Often times, the license will be in a
>> > > COPYING file, distributed in the package's tarball. If the license
>> > > is not readily apparent, try contacting the authors of the package
>> > > for clarification. [...]
>> >
>> > I propose to add the paragraph above to the devmanual's licenses
>> > section.
>> >
>>
>> We already know there isn't a license for redistribution.  This
>> doesn't speak about requiring us to ensure that those distributing our
>> source files have the rights to do so.  It merely says to check the
>> license.  We understand the license already.  I don't see how this
>> paragraph pertains to this situation.
>
> AFAIK you're a developer. So if you want to keep this package, then
> please do the needful and take care of it yourself instead of
> complaining and demanding others to do the work you want done.
>

Are you saying it is sufficient to just point the SRC_URI at the new
URL and remove the mask?  As far as I can tell that is all that needs
to be done.  Per the policy the license is readily apparent, so there
is no need to contact the authors.

-- 
Rich



Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

2017-09-07 Thread Michał Górny
On Thu, 07.09.2017 at 06:21 -0700, Rich Freeman wrote:
> On Thu, Sep 7, 2017 at 6:04 AM, Ulrich Mueller  wrote:
> > > > > > > On Thu, 7 Sep 2017, Rich Freeman wrote:
> > 
> > Don't you think there is a difference between downloading a package
> > that has a known upstream and that is also carried by other distros,
> > and downloading a license-less package from a random location on the
> > internet?
> 
> Most upstreams do not do much checking about the ownership of their sources.
> 
> Gentoo certainly doesn't - we don't even require developers to submit a DCO.
> 
> Other projects like the Linux kernel require signing a DCO for each
> commit, but do not do any checking beyond this.  I have no doubt that
> they would remove offending sources if they were contacted, but they
> do not actively go out and confirm authorship.
> 
> > 
> > > > The package in question doesn't come with any license though, which
> > > > means that only the copyright holder has the right to distribute
> > > > it. So I believe that some extra care is justified, especially when
> > > > the upstream location of the distfile has changed.
> > > Why?  We don't redistribute anything that is copyrighted.
> > 
> > Users download the file, and I think that we are responsible to have
> > only such SRC_URIs in our ebuilds from where they can obtain the
> > package without being exposed to potential legal issues.
> 
> I'm not aware of any court rulings that have found downloading
> something like this to be illegal.
> 
> > 
> > > Perhaps if we want to enforce a policy like this we should take the
> > > time to actually write the policy down.  As far as I can tell Gentoo
> > > has no such policy currently.
> > 
> > The old Games Ebuild Howto [1] has this:
> > 
> > > LICENSE
> > > 
> > > The license is an important point in your ebuild. It is also a
> > > common place for making mistakes. Try to check the license on any
> > > ebuild that you submit. Often times, the license will be in a
> > > COPYING file, distributed in the package's tarball. If the license
> > > is not readily apparent, try contacting the authors of the package
> > > for clarification. [...]
> > 
> > I propose to add the paragraph above to the devmanual's licenses
> > section.
> > 
> 
> We already know there isn't a license for redistribution.  This
> doesn't speak about requiring us to ensure that those distributing our
> source files have the rights to do so.  It merely says to check the
> license.  We understand the license already.  I don't see how this
> paragraph pertains to this situation.

AFAIK you're a developer. So if you want to keep this package, then
please do the needful and take care of it yourself instead of
complaining and demanding others to do the work you want done.

-- 
Best regards,
Michał Górny




Re: [gentoo-dev] Server hardaware give away (misc archs)

2017-09-07 Thread William L. Thomson Jr.
On Thu, 7 Sep 2017 07:44:00 -0700
Rich Freeman  wrote:
>
> In general I would just comment that if anything we get too few
> requests for spending money and not too many. 

Not surprising, though I had ideas on lots of spending, events, travel
reimbursement, developer systems, etc.

> I don't think the  Foundation would be able to just go buying PCs for
> every dev on request, but for one-offs like these they might chip in.

More like the Foundation/Gentoo should have some plan and/or budget as
to how to put the funds to use etc. Which gives others reasons to
donate more when they can see where the funds are being used, the
benefit etc.

Example
https://www.freebsdfoundation.org/wp-content/uploads/2015/12/Budget2016.pdf

> One thing that should be considered in these sorts of requests is who
> owns the hardware and where it will be kept and what kind of access
> other devs on the relevant teams would have.  I think there ought to
> be a difference between how we treat hardware that is owned by the
> Foundation and always available to devs, vs something that somebody
> intends to use for Gentoo work right now, but where ownership resides
> with the individual and there is no obligation to give the hardware to
> somebody else if they stop contributing.  To the extent that the costs
> are more nominal the Foundation should probably exercise more leeway.

In an ideal sense, equipment like this would go to something like OSU
OSL or some other hosting provider. Though there is the cost of
bandwidth, power, and man power to service hardware issues. Not to
mention rack, provision, etc.

Donate gear to Gentoo to be used/accessed by any dev, and maybe some
others. I think Gentoo should have more internal resources available
for developers to use. Then again I had lots of ideas for Gentoo

-- 
William L. Thomson Jr.




Re: [gentoo-dev] Server hardaware give away (misc archs)

2017-09-07 Thread Rich Freeman
On Thu, Sep 7, 2017 at 7:32 AM, William L. Thomson Jr.
 wrote:
> On Thu, 7 Sep 2017 10:26:10 -0400
> "William L. Thomson Jr."  wrote:
>
>> On Thu, 7 Sep 2017 18:03:21 +0800 (HKT)
>> Brendan Horan  wrote:
>>
>> > Just an update for everyone :
>> > R0b0t1, has the Power 6+
>> > Johnson, has the Sparc T5120
>> >
>> > Still working out shipping/logistics
>>
>> If someone has access to say a company UPS or FedEx account. They may
>> have discounted rates based on volume.  Maybe something to consider or
>> look into. Also may help with customs to ship to a work/business
>> address and/or coming from one business to another vs individuals.
>>
>
> Another thought
>
> Why not have Gentoo Foundation cover shipping costs?

Can't speak for the Trustees, but the process for this is at:
https://wiki.gentoo.org/wiki/Foundation:Funding_Request

(I wouldn't overthink it - just spell out what you want/need.  I bet
you could make it shorter than some of the emails in this thread.)

In general I would just comment that if anything we get too few
requests for spending money and not too many.  I don't think the
Foundation would be able to just go buying PCs for every dev on
request, but for one-offs like these they might chip in.

One thing that should be considered in these sorts of requests is who
owns the hardware and where it will be kept and what kind of access
other devs on the relevant teams would have.  I think there ought to
be a difference between how we treat hardware that is owned by the
Foundation and always available to devs, vs something that somebody
intends to use for Gentoo work right now, but where ownership resides
with the individual and there is no obligation to give the hardware to
somebody else if they stop contributing.  To the extent that the costs
are more nominal the Foundation should probably exercise more leeway.

That's all just my opinion though.  If you want the Trustees to
consider it then just fill out the "form" and post it in a bug
assigned to them using the Foundation "product" in bugzilla. It never
hurts to ask...

-- 
Rich



Re: [gentoo-dev] Server hardaware give away (misc archs)

2017-09-07 Thread William L. Thomson Jr.
On Thu, 7 Sep 2017 10:26:10 -0400
"William L. Thomson Jr."  wrote:

> On Thu, 7 Sep 2017 18:03:21 +0800 (HKT)
> Brendan Horan  wrote:
> 
> > Just an update for everyone :
> > R0b0t1, has the Power 6+
> > Johnson, has the Sparc T5120
> > 
> > Still working out shipping/logistics   
> 
> If someone has access to say a company UPS or FedEx account. They may
> have discounted rates based on volume.  Maybe something to consider or
> look into. Also may help with customs to ship to a work/business
> address and/or coming from one business to another vs individuals.
> 

Another thought

Why not have Gentoo Foundation cover shipping costs?
What else is Gentoo doing with its $100k to help further development?

May want to go talk to Trustees. This seems like a legit use of funds.

-- 
William L. Thomson Jr.




Re: [gentoo-dev] [RFC] sys-boot/grub:0 (GRUB legacy) sunset planning

2017-09-07 Thread William L. Thomson Jr.
On Sat, 2 Sep 2017 15:56:04 +
"Robin H. Johnson"  wrote:

> Open questions:
> --
> - Are there existing use cases that I've missed, where migration to
>   grub-2 CANNOT be done?

I left grub sometime ago for syslinux/pxelinux/extlinux. I run that on
everything now even UEFI. I much prefer it to grub. That may be an
option for grub:0 users, who cannot or do not want to use grub:2.

I had issues with grub pxe hardware support. Given that you tend to
use syslinux on like usb and  iso's. I just stick to one for all.

-- 
William L. Thomson Jr.




Re: [gentoo-dev] Server hardaware give away (misc archs)

2017-09-07 Thread William L. Thomson Jr.
On Thu, 7 Sep 2017 18:03:21 +0800 (HKT)
Brendan Horan  wrote:

> Just an update for everyone :
> R0b0t1, has the Power 6+
> Johnson, has the Sparc T5120
> 
> Still working out shipping/logistics 

If someone has access to say a company UPS or FedEx account. They may
have discounted rates based on volume.  Maybe something to consider or
look into. Also may help with customs to ship to a work/business
address and/or coming from one business to another vs individuals.

-- 
William L. Thomson Jr.



Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

2017-09-07 Thread Andrew Savchenko
On Thu, 7 Sep 2017 15:04:34 +0200 Ulrich Mueller wrote:
> > On Thu, 7 Sep 2017, Rich Freeman wrote:
> 
> >>> Do we routinely confirm that any site we list in SRC_URI has
> >>> permission to redistribute files? That seems like a slippery
> >>> slope.
> >> 
> >> We don't, and for a package that comes with a license (as the vast
> >> majority of packages does) it normally isn't necessary.
> 
> > Why isn't this necessary?  How do you know the person issuing the
> > license actually has the right to issue it?
> 
> Don't you think there is a difference between downloading a package
> that has a known upstream and that is also carried by other distros,
> and downloading a license-less package from a random location on the
> internet?

If downloaded files are the same (e.g. sha512 hash matches), what's
the difference?

Best regards,
Andrew Savchenko




Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

2017-09-07 Thread Rich Freeman
On Thu, Sep 7, 2017 at 6:04 AM, Ulrich Mueller  wrote:
>> On Thu, 7 Sep 2017, Rich Freeman wrote:
>
> Don't you think there is a difference between downloading a package
> that has a known upstream and that is also carried by other distros,
> and downloading a license-less package from a random location on the
> internet?

Most upstreams do not do much checking about the ownership of their sources.

Gentoo certainly doesn't - we don't even require developers to submit a DCO.

Other projects like the Linux kernel require signing a DCO for each
commit, but do not do any checking beyond this.  I have no doubt that
they would remove offending sources if they were contacted, but they
do not actively go out and confirm authorship.

>
>>> The package in question doesn't come with any license though, which
>>> means that only the copyright holder has the right to distribute
>>> it. So I believe that some extra care is justified, especially when
>>> the upstream location of the distfile has changed.
>
>> Why?  We don't redistribute anything that is copyrighted.
>
> Users download the file, and I think that we are responsible to have
> only such SRC_URIs in our ebuilds from where they can obtain the
> package without being exposed to potential legal issues.

I'm not aware of any court rulings that have found downloading
something like this to be illegal.

>
>> Perhaps if we want to enforce a policy like this we should take the
>> time to actually write the policy down.  As far as I can tell Gentoo
>> has no such policy currently.
>
> The old Games Ebuild Howto [1] has this:
>
> | LICENSE
> |
> | The license is an important point in your ebuild. It is also a
> | common place for making mistakes. Try to check the license on any
> | ebuild that you submit. Often times, the license will be in a
> | COPYING file, distributed in the package's tarball. If the license
> | is not readily apparent, try contacting the authors of the package
> | for clarification. [...]
>
> I propose to add the paragraph above to the devmanual's licenses
> section.
>

We already know there isn't a license for redistribution.  This
doesn't speak about requiring us to ensure that those distributing our
source files have the rights to do so.  It merely says to check the
license.  We understand the license already.  I don't see how this
paragraph pertains to this situation.

-- 
Rich



Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

2017-09-07 Thread Ulrich Mueller
> On Thu, 7 Sep 2017, Rich Freeman wrote:

>>> Do we routinely confirm that any site we list in SRC_URI has
>>> permission to redistribute files? That seems like a slippery
>>> slope.
>> 
>> We don't, and for a package that comes with a license (as the vast
>> majority of packages does) it normally isn't necessary.

> Why isn't this necessary?  How do you know the person issuing the
> license actually has the right to issue it?

Don't you think there is a difference between downloading a package
that has a known upstream and that is also carried by other distros,
and downloading a license-less package from a random location on the
internet?

>> The package in question doesn't come with any license though, which
>> means that only the copyright holder has the right to distribute
>> it. So I believe that some extra care is justified, especially when
>> the upstream location of the distfile has changed.

> Why?  We don't redistribute anything that is copyrighted.

Users download the file, and I think that we are responsible to have
only such SRC_URIs in our ebuilds from where they can obtain the
package without being exposed to potential legal issues.

> Are you arguing that merely linking to the file is illegal?  If so,
> then you better get the list archives purged.

Arguably, items in SRC_URI aren't even hyperlinks. And no, I don't
think that such linking is illegal. IANAL, though.

>> We don't know this for sure unless we ask the author. So whoever is
>> interested in keeping the package in the tree should sort these
>> issues out.

> Perhaps if we want to enforce a policy like this we should take the
> time to actually write the policy down.  As far as I can tell Gentoo
> has no such policy currently.

The old Games Ebuild Howto [1] has this:

| LICENSE
|
| The license is an important point in your ebuild. It is also a
| common place for making mistakes. Try to check the license on any
| ebuild that you submit. Often times, the license will be in a
| COPYING file, distributed in the package's tarball. If the license
| is not readily apparent, try contacting the authors of the package
| for clarification. [...]

I propose to add the paragraph above to the devmanual's licenses
section.

Ulrich

[1] https://wiki.gentoo.org/wiki/Project:Games/Ebuild_howto#LICENSE




Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

2017-09-07 Thread Rich Freeman
On Thu, Sep 7, 2017 at 3:28 AM, Ulrich Mueller  wrote:
>> On Wed, 6 Sep 2017, Rich Freeman wrote:
>
>> Do we routinely confirm that any site we list in SRC_URI has
>> permission to redistribute files?  That seems like a slippery slope.
>
> We don't, and for a package that comes with a license (as the vast
> majority of packages does) it normally isn't necessary.

Why isn't this necessary?  How do you know the person issuing the
license actually has the right to issue it?

>
> The package in question doesn't come with any license though, which
> means that only the copyright holder has the right to distribute it.
> So I believe that some extra care is justified, especially when the
> upstream location of the distfile has changed.

Why?  We don't redistribute anything that is copyrighted.

Are you arguing that merely linking to the file is illegal?  If so,
then you better get the list archives purged.

>
> We don't know this for sure unless we ask the author. So whoever is
> interested in keeping the package in the tree should sort these issues
> out.
>

Perhaps if we want to enforce a policy like this we should take the
time to actually write the policy down.  As far as I can tell Gentoo
has no such policy currently.

-- 
Rich



Re: [gentoo-dev] Server hardware give away (misc archs)

2017-09-07 Thread Brendan Horan
Just an update for everyone:
R0b0t1, has the Power 6+
Johnson, has the Sparc T5120

Still working out shipping/logistics 


No takers on the HPPA or the Ia64
The HPPA box is nice, really! :)

Thanks
brendan




Re: [gentoo-dev] [PATCH v3] eclass/kernel-2.eclass: Remove use of tr in global scope

2017-09-07 Thread Ciaran McCreesh
On Thu, 07 Sep 2017 07:42:31 +0200
Michał Górny  wrote:
> >+if [[ "${EAPI}" -lt 6 ]]; then   
> 
> EAPI is not a number. The next one we'll call gray-grizzly just to
> prove the point.

Careful, you're turning into me.

-- 
Ciaran McCreesh



Re: [gentoo-portage-dev] [PATCH] ebuild.sh: Completely ban external commands in global scope

2017-09-07 Thread Michał Górny
On 31 August 2017 22:45:42 CEST, "Michał Górny" wrote:
>Set PATH to /dev/null when sourcing the ebuild for dependency
>resolution
>in order to prevent shell from finding external commands via PATH
>lookup. While this does not prevent executing programs via full path,
>it
>should catch the majority of accidental uses.
>
>Closes: https://github.com/gentoo/portage/pull/199
>
>// Note: this can't be merged right now since we still have ebuilds
>// calling external commands; see:
>// https://bugs.gentoo.org/show_bug.cgi?id=629222

Update: gentoo is green now 

>---
> bin/ebuild.sh | 6 +-
> bin/isolated-functions.sh | 4 
> 2 files changed, 9 insertions(+), 1 deletion(-)
>
>diff --git a/bin/ebuild.sh b/bin/ebuild.sh
>index c23561651..94a44d534 100755
>--- a/bin/ebuild.sh
>+++ b/bin/ebuild.sh
>@@ -80,8 +80,12 @@ else
>   done
>   unset funcs x
> 
>+  # prevent the shell from finding external executables
>+  # note: we can't use empty because it implies current directory
>+  _PORTAGE_ORIG_PATH=${PATH}
>+  export PATH=/dev/null
>   command_not_found_handle() {
>-  die "Command not found while sourcing ebuild: ${*}"
>+  die "External commands disallowed while sourcing ebuild: ${*}"
>   }
> fi
> 
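Review bot: the comment above `export PATH=/dev/null` should state the limit the commit message already admits: a command invoked by full path still runs, so this catches accidental PATH lookups and is not a confinement boundary. It would also help to say where `_PORTAGE_ORIG_PATH` is meant to be consumed, since as a plain shell variable it is readable by any code sourced into this shell afterwards.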
>diff --git a/bin/isolated-functions.sh b/bin/isolated-functions.sh
>index e320f7132..b28e44f18 100644
>--- a/bin/isolated-functions.sh
>+++ b/bin/isolated-functions.sh
>@@ -121,6 +121,10 @@ __helpers_die() {
> }
> 
> die() {
>+  # restore PATH since die calls basename & sed
>+  # TODO: make it pure bash
>+  [[ -n ${_PORTAGE_ORIG_PATH} ]] && PATH=${_PORTAGE_ORIG_PATH}
>+
>   set +x # tracing only produces useless noise here
>   local IFS=$' \t\n'
> 
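Review bot: in `die()`, `[[ -n ${_PORTAGE_ORIG_PATH} ]] && PATH=${_PORTAGE_ORIG_PATH}` trusts the variable whenever it is non-empty, but the ebuild.sh hunk assigns it only inside its `else` branch. In any other code path that sources isolated-functions.sh, a `_PORTAGE_ORIG_PATH` inherited from the environment would replace PATH just before `basename` and `sed` are looked up; consider unsetting it where it is not assigned, or restoring PATH only when it is currently `/dev/null`.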


-- 
Best regards,
Michał Górny (by phone)



Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

2017-09-07 Thread Ulrich Mueller
> On Wed, 6 Sep 2017, Rich Freeman wrote:

> On Wed, Sep 6, 2017 at 2:52 AM, Ulrich Mueller  wrote:
>>> On Tue, 5 Sep 2017, Gordon Pettey wrote:
>> 
>>> Can these package.mask notes stop saying "no alternative found"
>>> when it's obvious five seconds of Google searching was not even
>>> performed to find an alternative?
>>> https://neverwintervault.org/project/nwn1/module/shadowlords-dreamcatcher-and-demon-campaigns
>>> has live links, and the exe even matches the sha256sum.
>> 
>> Do they have permission to redistribute the file, though? The
>> ebuild is mirror restricted and LICENSE says "all-rights-reserved".

> Do we routinely confirm that any site we list in SRC_URI has
> permission to redistribute files?  That seems like a slippery slope.

We don't, and for a package that comes with a license (as the vast
majority of packages does) it normally isn't necessary.

The package in question doesn't come with any license though, which
means that only the copyright holder has the right to distribute it.
So I believe that some extra care is justified, especially when the
upstream location of the distfile has changed.

https://gitweb.gentoo.org/repo/gentoo.git/tree/licenses/all-rights-reserved

> In any case, as far as I can tell this is probably one of the
> largest sites for hosting this sort of content and I can't imagine
> that it would have escaped the author's notice if they didn't want
> the files distributed there.

We don't know this for sure unless we ask the author. So whoever is
interested in keeping the package in the tree should sort these issues
out.

Ulrich




[gentoo-dev] Re: [PATCH v3] eclass/kernel-2.eclass: Remove use of tr in global scope

2017-09-07 Thread Duncan
Floyd Anderson posted on Thu, 07 Sep 2017 03:13:45 +0200 as excerpted:

>>+# To use, an ebuild could contain a line like:
>>+# AMD64_URI=http//linktothearchspecificpatch
> 
> Even if it’s just a comment:
> 
> # AMD64_URI="http://link-to-the-arch-specific-patch"
> 
> looks friendlier to my eyes. However at least the colon after the scheme
> should be given.

...  And please, even in examples, use https://, to encourage the at 
least somewhat better security than plain http.

(While https may not be particularly resistant to state-level actors able 
to lean on CAs, it should hopefully at least resist the trivial stuff 
like insecure wifi and ISP content-insertion games.)

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman