Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon
On Thu, 7 Sep 2017 17:56:32 -0400 Rich Freeman wrote:
> And how would I figure it out, considering that simply asking on the
> list doesn't seem to yield a straight answer? Do you really need me
> to put it on the Council agenda? Or do we unmask it, let QA mask it
> 10 minutes later, then go back and forth for a month, and THEN put it
> on the Council agenda?
>
> --

Surely RESTRICT=fetch and then just do a "Hey look, the legal here is not clear so you need to acquire this yourself after making sure you have the rights to do so"

You know, like we do for things that can only be installed with a physical copy.
Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon
Hello,

On Thu, Sep 7, 2017 at 8:04 AM, Ulrich Mueller wrote:
>> On Thu, 7 Sep 2017, Rich Freeman wrote:
> Do we routinely confirm that any site we list in SRC_URI has permission to redistribute files? That seems like a slippery slope.
>>>
>>> We don't, and for a package that comes with a license (as the vast
>>> majority of packages does) it normally isn't necessary.
>
>> Why isn't this necessary? How do you know the person issuing the
>> license actually has the right to issue it?
>
> Don't you think there is a difference between downloading a package
> that has a known upstream and that is also carried by other distros,
> and downloading a license-less package from a random location on the
> internet?
>
>>> The package in question doesn't come with any license though, which
>>> means that only the copyright holder has the right to distribute
>>> it. So I believe that some extra care is justified, especially when
>>> the upstream location of the distfile has changed.
>
>> Why? We don't redistribute anything that is copyrighted.
>
> Users download the file, and I think that we are responsible to have
> only such SRC_URIs in our ebuilds from where they can obtain the
> package without being exposed to potential legal issues.
>

Downloading does not imply committing a felony. As far as anyone can tell it is impossible to prosecute someone for downloading something they already own (regardless of what any EULA has claimed). Further, copyrights lapse if not enforced. Depending on how long that download has been up the original rightsholder has forfeited their claim to their work. It's also really hard to convince a judge or jury that I am to blame if someone follows my instructions (save for specific cases where I could be considered a subject matter expert). E.g. it's possible to sell radio kits that are illegal to put together and operate.

>> Are you arguing that merely linking to the file is illegal? If so,
>> then you better get the list archives purged.
>
> Arguably, items in SRC_URI aren't even hyperlinks. And no, I don't
> think that such linking is illegal. IANAL, though.
>

It is at this point I would suggest that you have defeated your own argument.

>>> We don't know this for sure unless we ask the author. So whoever is
>>> interested in keeping the package in the tree should sort these
>>> issues out.
>
>> Perhaps if we want to enforce a policy like this we should take the
>> time to actually write the policy down. As far as I can tell Gentoo
>> has no such policy currently.
>
> The old Games Ebuild Howto [1] has this:
>
> | LICENSE
> |
> | The license is an important point in your ebuild. It is also a
> | common place for making mistakes. Try to check the license on any
> | ebuild that you submit. Often times, the license will be in a
> | COPYING file, distributed in the package's tarball. If the license
> | is not readily apparent, try contacting the authors of the package
> | for clarification. [...]
>
> I propose to add the paragraph above to the devmanual's licenses
> section.
>

Should the Gentoo foundation include a disclaimer that the software distributed by it is not to be used to build ballistic missiles or run nuclear arms programs? Users might do those things, and Gentoo might be liable for the consequences if they do.

On Thu, Sep 7, 2017 at 4:56 PM, Rich Freeman wrote:
> Do you really need me to put it on the Council agenda?

Sir, please see my above comment about building ballistic missiles. It may be important for the Gentoo Foundation to add a disclaimer similar to the one I mentioned. I would hate for the Foundation or any of its administrators or contributors to be found guilty of aiding and abetting terrorists.

Respectfully,
R0b0t1
Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon
On Thu, Sep 7, 2017 at 5:18 PM, Michał Górny wrote:
> On Thu, 07.09.2017 at 16:42 -0400, Rich Freeman wrote:
>> On Thu, Sep 7, 2017 at 4:36 PM, Michał Górny wrote:
>> > On Thu, 07.09.2017 at 06:21 -0700, Rich Freeman wrote:
>> > > On Thu, Sep 7, 2017 at 6:04 AM, Ulrich Mueller wrote:
>> > > > > > > > > On Thu, 7 Sep 2017, Rich Freeman wrote:
>> > > >
>> > > > Don't you think there is a difference between downloading a package
>> > > > that has a known upstream and that is also carried by other distros,
>> > > > and downloading a license-less package from a random location on the
>> > > > internet?
>> > >
>> > > Most upstreams do not do much checking about the ownership of their
>> > > sources.
>> > >
>> > > Gentoo certainly doesn't - we don't even require developers to submit a
>> > > DCO.
>> > >
>> > > Other projects like the Linux kernel require signing a DCO for each
>> > > commit, but do not do any checking beyond this. I have no doubt that
>> > > they would remove offending sources if they were contacted, but they
>> > > do not actively go out and confirm authorship.
>> > >
>> > > >
>> > > > > > The package in question doesn't come with any license though, which
>> > > > > > means that only the copyright holder has the right to distribute
>> > > > > > it. So I believe that some extra care is justified, especially when
>> > > > > > the upstream location of the distfile has changed.
>> > > > >
>> > > > > Why? We don't redistribute anything that is copyrighted.
>> > > >
>> > > > Users download the file, and I think that we are responsible to have
>> > > > only such SRC_URIs in our ebuilds from where they can obtain the
>> > > > package without being exposed to potential legal issues.
>> > >
>> > > I'm not aware of any court rulings that have found downloading
>> > > something like this to be illegal.
>> > >
>> > > >
>> > > > > Perhaps if we want to enforce a policy like this we should take the
>> > > > > time to actually write the policy down. As far as I can tell Gentoo
>> > > > > has no such policy currently.
>> > > >
>> > > > The old Games Ebuild Howto [1] has this:
>> > > >
>> > > > > LICENSE
>> > > > >
>> > > > > The license is an important point in your ebuild. It is also a
>> > > > > common place for making mistakes. Try to check the license on any
>> > > > > ebuild that you submit. Often times, the license will be in a
>> > > > > COPYING file, distributed in the package's tarball. If the license
>> > > > > is not readily apparent, try contacting the authors of the package
>> > > > > for clarification. [...]
>> > > >
>> > > > I propose to add the paragraph above to the devmanual's licenses
>> > > > section.
>> > > >
>> > >
>> > > We already know there isn't a license for redistribution. This
>> > > doesn't speak about requiring us to ensure that those distributing our
>> > > source files have the rights to do so. It merely says to check the
>> > > license. We understand the license already. I don't see how this
>> > > paragraph pertains to this situation.
>> >
>> > AFAIK you're a developer. So if you want to keep this package, then
>> > please do the needful and take care of it yourself instead of
>> > complaining and demanding others to do the work you want done.
>> >
>>
>> Are you saying it is sufficient to just point the SRC_URI at the new
>> URL and remove the mask? As far as I can tell that is all that needs
>> to be done. Per the policy the license is readily apparent, so there
>> is no need to contact the authors.
>>
>
> I don't know what is sufficient. It's your business as the new
> maintainer to figure it out and take the responsibility. If there's
> nobody willing to do that, then we don't get to keep the package. Simple
> as that.
>

And how would I figure it out, considering that simply asking on the list doesn't seem to yield a straight answer? Do you really need me to put it on the Council agenda? Or do we unmask it, let QA mask it 10 minutes later, then go back and forth for a month, and THEN put it on the Council agenda?

--
Rich
Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon
On Thu, 07.09.2017 at 16:42 -0400, Rich Freeman wrote:
> On Thu, Sep 7, 2017 at 4:36 PM, Michał Górny wrote:
> > On Thu, 07.09.2017 at 06:21 -0700, Rich Freeman wrote:
> > > On Thu, Sep 7, 2017 at 6:04 AM, Ulrich Mueller wrote:
> > > > > > > > > On Thu, 7 Sep 2017, Rich Freeman wrote:
> > > >
> > > > Don't you think there is a difference between downloading a package
> > > > that has a known upstream and that is also carried by other distros,
> > > > and downloading a license-less package from a random location on the
> > > > internet?
> > >
> > > Most upstreams do not do much checking about the ownership of their
> > > sources.
> > >
> > > Gentoo certainly doesn't - we don't even require developers to submit a
> > > DCO.
> > >
> > > Other projects like the Linux kernel require signing a DCO for each
> > > commit, but do not do any checking beyond this. I have no doubt that
> > > they would remove offending sources if they were contacted, but they
> > > do not actively go out and confirm authorship.
> > >
> > > >
> > > > > > The package in question doesn't come with any license though, which
> > > > > > means that only the copyright holder has the right to distribute
> > > > > > it. So I believe that some extra care is justified, especially when
> > > > > > the upstream location of the distfile has changed.
> > > > >
> > > > > Why? We don't redistribute anything that is copyrighted.
> > > >
> > > > Users download the file, and I think that we are responsible to have
> > > > only such SRC_URIs in our ebuilds from where they can obtain the
> > > > package without being exposed to potential legal issues.
> > >
> > > I'm not aware of any court rulings that have found downloading
> > > something like this to be illegal.
> > >
> > > >
> > > > > Perhaps if we want to enforce a policy like this we should take the
> > > > > time to actually write the policy down. As far as I can tell Gentoo
> > > > > has no such policy currently.
> > > >
> > > > The old Games Ebuild Howto [1] has this:
> > > >
> > > > > LICENSE
> > > > >
> > > > > The license is an important point in your ebuild. It is also a
> > > > > common place for making mistakes. Try to check the license on any
> > > > > ebuild that you submit. Often times, the license will be in a
> > > > > COPYING file, distributed in the package's tarball. If the license
> > > > > is not readily apparent, try contacting the authors of the package
> > > > > for clarification. [...]
> > > >
> > > > I propose to add the paragraph above to the devmanual's licenses
> > > > section.
> > > >
> > >
> > > We already know there isn't a license for redistribution. This
> > > doesn't speak about requiring us to ensure that those distributing our
> > > source files have the rights to do so. It merely says to check the
> > > license. We understand the license already. I don't see how this
> > > paragraph pertains to this situation.
> >
> > AFAIK you're a developer. So if you want to keep this package, then
> > please do the needful and take care of it yourself instead of
> > complaining and demanding others to do the work you want done.
> >
>
> Are you saying it is sufficient to just point the SRC_URI at the new
> URL and remove the mask? As far as I can tell that is all that needs
> to be done. Per the policy the license is readily apparent, so there
> is no need to contact the authors.
>

I don't know what is sufficient. It's your business as the new maintainer to figure it out and take the responsibility. If there's nobody willing to do that, then we don't get to keep the package. Simple as that.

--
Best regards,
Michał Górny
Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon
On Thu, Sep 7, 2017 at 4:36 PM, Michał Górny wrote:
> On Thu, 07.09.2017 at 06:21 -0700, Rich Freeman wrote:
>> On Thu, Sep 7, 2017 at 6:04 AM, Ulrich Mueller wrote:
>> > > > > > > On Thu, 7 Sep 2017, Rich Freeman wrote:
>> >
>> > Don't you think there is a difference between downloading a package
>> > that has a known upstream and that is also carried by other distros,
>> > and downloading a license-less package from a random location on the
>> > internet?
>>
>> Most upstreams do not do much checking about the ownership of their sources.
>>
>> Gentoo certainly doesn't - we don't even require developers to submit a DCO.
>>
>> Other projects like the Linux kernel require signing a DCO for each
>> commit, but do not do any checking beyond this. I have no doubt that
>> they would remove offending sources if they were contacted, but they
>> do not actively go out and confirm authorship.
>>
>> >
>> > > > The package in question doesn't come with any license though, which
>> > > > means that only the copyright holder has the right to distribute
>> > > > it. So I believe that some extra care is justified, especially when
>> > > > the upstream location of the distfile has changed.
>> > > Why? We don't redistribute anything that is copyrighted.
>> >
>> > Users download the file, and I think that we are responsible to have
>> > only such SRC_URIs in our ebuilds from where they can obtain the
>> > package without being exposed to potential legal issues.
>>
>> I'm not aware of any court rulings that have found downloading
>> something like this to be illegal.
>>
>> >
>> > > Perhaps if we want to enforce a policy like this we should take the
>> > > time to actually write the policy down. As far as I can tell Gentoo
>> > > has no such policy currently.
>> >
>> > The old Games Ebuild Howto [1] has this:
>> >
>> > > LICENSE
>> > >
>> > > The license is an important point in your ebuild. It is also a
>> > > common place for making mistakes. Try to check the license on any
>> > > ebuild that you submit. Often times, the license will be in a
>> > > COPYING file, distributed in the package's tarball. If the license
>> > > is not readily apparent, try contacting the authors of the package
>> > > for clarification. [...]
>> >
>> > I propose to add the paragraph above to the devmanual's licenses
>> > section.
>> >
>>
>> We already know there isn't a license for redistribution. This
>> doesn't speak about requiring us to ensure that those distributing our
>> source files have the rights to do so. It merely says to check the
>> license. We understand the license already. I don't see how this
>> paragraph pertains to this situation.
>
> AFAIK you're a developer. So if you want to keep this package, then
> please do the needful and take care of it yourself instead of
> complaining and demanding others to do the work you want done.
>

Are you saying it is sufficient to just point the SRC_URI at the new URL and remove the mask? As far as I can tell that is all that needs to be done. Per the policy the license is readily apparent, so there is no need to contact the authors.

--
Rich
Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon
On Thu, 07.09.2017 at 06:21 -0700, Rich Freeman wrote:
> On Thu, Sep 7, 2017 at 6:04 AM, Ulrich Mueller wrote:
> > > > > > > On Thu, 7 Sep 2017, Rich Freeman wrote:
> >
> > Don't you think there is a difference between downloading a package
> > that has a known upstream and that is also carried by other distros,
> > and downloading a license-less package from a random location on the
> > internet?
>
> Most upstreams do not do much checking about the ownership of their sources.
>
> Gentoo certainly doesn't - we don't even require developers to submit a DCO.
>
> Other projects like the Linux kernel require signing a DCO for each
> commit, but do not do any checking beyond this. I have no doubt that
> they would remove offending sources if they were contacted, but they
> do not actively go out and confirm authorship.
>
> >
> > > > The package in question doesn't come with any license though, which
> > > > means that only the copyright holder has the right to distribute
> > > > it. So I believe that some extra care is justified, especially when
> > > > the upstream location of the distfile has changed.
> > > Why? We don't redistribute anything that is copyrighted.
> >
> > Users download the file, and I think that we are responsible to have
> > only such SRC_URIs in our ebuilds from where they can obtain the
> > package without being exposed to potential legal issues.
>
> I'm not aware of any court rulings that have found downloading
> something like this to be illegal.
>
> >
> > > Perhaps if we want to enforce a policy like this we should take the
> > > time to actually write the policy down. As far as I can tell Gentoo
> > > has no such policy currently.
> >
> > The old Games Ebuild Howto [1] has this:
> >
> > > LICENSE
> > >
> > > The license is an important point in your ebuild. It is also a
> > > common place for making mistakes. Try to check the license on any
> > > ebuild that you submit. Often times, the license will be in a
> > > COPYING file, distributed in the package's tarball. If the license
> > > is not readily apparent, try contacting the authors of the package
> > > for clarification. [...]
> >
> > I propose to add the paragraph above to the devmanual's licenses
> > section.
> >
>
> We already know there isn't a license for redistribution. This
> doesn't speak about requiring us to ensure that those distributing our
> source files have the rights to do so. It merely says to check the
> license. We understand the license already. I don't see how this
> paragraph pertains to this situation.

AFAIK you're a developer. So if you want to keep this package, then please do the needful and take care of it yourself instead of complaining and demanding others to do the work you want done.

--
Best regards,
Michał Górny
Re: [gentoo-dev] Server hardware give away (misc archs)
On Thu, 7 Sep 2017 07:44:00 -0700 Rich Freeman wrote:
>
> In general I would just comment that if anything we get too few
> requests for spending money and not too many.

Not surprising, though I had ideas on lots of spending, events, travel reimbursement, developer systems, etc.

> I don't think the Foundation would be able to just go buying PCs for
> every dev on request, but for one-offs like these they might chip in.

More like the Foundation/Gentoo should have some plan and/or budget as to how to put the funds to use etc. Which gives others reasons to donate more when they can see where the funds are being used, the benefit etc.

Example
https://www.freebsdfoundation.org/wp-content/uploads/2015/12/Budget2016.pdf

> One thing that should be considered in these sorts of requests is who
> owns the hardware and where it will be kept and what kind of access
> other devs on the relevant teams would have. I think there ought to
> be a difference between how we treat hardware that is owned by the
> Foundation and always available to devs, vs something that somebody
> intends to use for Gentoo work right now, but where ownership resides
> with the individual and there is no obligation to give the hardware to
> somebody else if they stop contributing. To the extent that the costs
> are more nominal the Foundation should probably exercise more leeway.

In an ideal sense, equipment like this would go to something like OSU OSL or some other hosting provider. Though there is the cost of bandwidth, power, and man power to service hardware issues. Not to mention rack, provision, etc.

Donate gear to Gentoo to be used/accessed by any dev, and maybe some others. I think Gentoo should have more internal resources available for developers to use. Then again I had lots of ideas for Gentoo

--
William L. Thomson Jr.
Re: [gentoo-dev] Server hardware give away (misc archs)
On Thu, Sep 7, 2017 at 7:32 AM, William L. Thomson Jr. wrote:
> On Thu, 7 Sep 2017 10:26:10 -0400
> "William L. Thomson Jr." wrote:
>
>> On Thu, 7 Sep 2017 18:03:21 +0800 (HKT)
>> Brendan Horan wrote:
>>
>> > Just an update for everyone :
>> > R0b0t1, has the Power 6+
>> > Johnson, has the Sparc T5120
>> >
>> > Still working out shipping/logistics
>>
>> If someone has access to say a company UPS or FedEx account. They may
>> have discounted rates based on volume. Maybe something to consider or
>> look into. Also may help with customs to ship to a work/business
>> address and/or coming from one business to another vs individuals.
>>
>
> Another thought
>
> Why not have Gentoo Foundation cover shipping costs?

Can't speak for the Trustees, but the process for this is at:
https://wiki.gentoo.org/wiki/Foundation:Funding_Request

(I wouldn't overthink it - just spell out what you want/need. I bet you could make it shorter than some of the emails in this thread.)

In general I would just comment that if anything we get too few requests for spending money and not too many. I don't think the Foundation would be able to just go buying PCs for every dev on request, but for one-offs like these they might chip in.

One thing that should be considered in these sorts of requests is who owns the hardware and where it will be kept and what kind of access other devs on the relevant teams would have. I think there ought to be a difference between how we treat hardware that is owned by the Foundation and always available to devs, vs something that somebody intends to use for Gentoo work right now, but where ownership resides with the individual and there is no obligation to give the hardware to somebody else if they stop contributing. To the extent that the costs are more nominal the Foundation should probably exercise more leeway.

That's all just my opinion though. If you want the Trustees to consider it then just fill out the "form" and post it in a bug assigned to them using the Foundation "product" in bugzilla. It never hurts to ask...

--
Rich
Re: [gentoo-dev] Server hardware give away (misc archs)
On Thu, 7 Sep 2017 10:26:10 -0400 "William L. Thomson Jr." wrote:
> On Thu, 7 Sep 2017 18:03:21 +0800 (HKT)
> Brendan Horan wrote:
>
> > Just an update for everyone :
> > R0b0t1, has the Power 6+
> > Johnson, has the Sparc T5120
> >
> > Still working out shipping/logistics
>
> If someone has access to say a company UPS or FedEx account. They may
> have discounted rates based on volume. Maybe something to consider or
> look into. Also may help with customs to ship to a work/business
> address and/or coming from one business to another vs individuals.
>

Another thought

Why not have Gentoo Foundation cover shipping costs? What else is Gentoo doing with its $100k to help further development? May want to go talk to Trustees. This seems like a legit use of funds.

--
William L. Thomson Jr.
Re: [gentoo-dev] [RFC] sys-boot/grub:0 (GRUB legacy) sunset planning
On Sat, 2 Sep 2017 15:56:04 + "Robin H. Johnson" wrote:
> Open questions:
> --
> - Are there existing use cases that I've missed, where migration to
> grub-2 CANNOT be done?

I left grub some time ago for syslinux/pxelinux/extlinux. I run that on everything now even UEFI. I much prefer it to grub. That may be an option for grub:0 users, who cannot or do not want to use grub:2.

I had issues with grub pxe hardware support. Given that you tend to use syslinux on like usb and iso's. I just stick to one for all.

--
William L. Thomson Jr.
Re: [gentoo-dev] Server hardware give away (misc archs)
On Thu, 7 Sep 2017 18:03:21 +0800 (HKT) Brendan Horan wrote:
> Just an update for everyone :
> R0b0t1, has the Power 6+
> Johnson, has the Sparc T5120
>
> Still working out shipping/logistics

If someone has access to say a company UPS or FedEx account. They may have discounted rates based on volume. Maybe something to consider or look into. Also may help with customs to ship to a work/business address and/or coming from one business to another vs individuals.

--
William L. Thomson Jr.
Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon
On Thu, 7 Sep 2017 15:04:34 +0200 Ulrich Mueller wrote:
> > On Thu, 7 Sep 2017, Rich Freeman wrote:
>
> >>> Do we routinely confirm that any site we list in SRC_URI has
> >>> permission to redistribute files? That seems like a slippery
> >>> slope.
> >>
> >> We don't, and for a package that comes with a license (as the vast
> >> majority of packages does) it normally isn't necessary.
>
> > Why isn't this necessary? How do you know the person issuing the
> > license actually has the right to issue it?
>
> Don't you think there is a difference between downloading a package
> that has a known upstream and that is also carried by other distros,
> and downloading a license-less package from a random location on the
> internet?

If downloaded files are the same (e.g. sha512 hash matches), what's the difference?

Best regards,
Andrew Savchenko
Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon
On Thu, Sep 7, 2017 at 6:04 AM, Ulrich Mueller wrote:
>> On Thu, 7 Sep 2017, Rich Freeman wrote:
>
> Don't you think there is a difference between downloading a package
> that has a known upstream and that is also carried by other distros,
> and downloading a license-less package from a random location on the
> internet?

Most upstreams do not do much checking about the ownership of their sources.

Gentoo certainly doesn't - we don't even require developers to submit a DCO.

Other projects like the Linux kernel require signing a DCO for each commit, but do not do any checking beyond this. I have no doubt that they would remove offending sources if they were contacted, but they do not actively go out and confirm authorship.

>
>>> The package in question doesn't come with any license though, which
>>> means that only the copyright holder has the right to distribute
>>> it. So I believe that some extra care is justified, especially when
>>> the upstream location of the distfile has changed.
>
>> Why? We don't redistribute anything that is copyrighted.
>
> Users download the file, and I think that we are responsible to have
> only such SRC_URIs in our ebuilds from where they can obtain the
> package without being exposed to potential legal issues.

I'm not aware of any court rulings that have found downloading something like this to be illegal.

>
>> Perhaps if we want to enforce a policy like this we should take the
>> time to actually write the policy down. As far as I can tell Gentoo
>> has no such policy currently.
>
> The old Games Ebuild Howto [1] has this:
>
> | LICENSE
> |
> | The license is an important point in your ebuild. It is also a
> | common place for making mistakes. Try to check the license on any
> | ebuild that you submit. Often times, the license will be in a
> | COPYING file, distributed in the package's tarball. If the license
> | is not readily apparent, try contacting the authors of the package
> | for clarification. [...]
>
> I propose to add the paragraph above to the devmanual's licenses
> section.
>

We already know there isn't a license for redistribution. This doesn't speak about requiring us to ensure that those distributing our source files have the rights to do so. It merely says to check the license. We understand the license already. I don't see how this paragraph pertains to this situation.

--
Rich
Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon
> On Thu, 7 Sep 2017, Rich Freeman wrote:

>>> Do we routinely confirm that any site we list in SRC_URI has
>>> permission to redistribute files? That seems like a slippery
>>> slope.
>>
>> We don't, and for a package that comes with a license (as the vast
>> majority of packages does) it normally isn't necessary.

> Why isn't this necessary? How do you know the person issuing the
> license actually has the right to issue it?

Don't you think there is a difference between downloading a package that has a known upstream and that is also carried by other distros, and downloading a license-less package from a random location on the internet?

>> The package in question doesn't come with any license though, which
>> means that only the copyright holder has the right to distribute
>> it. So I believe that some extra care is justified, especially when
>> the upstream location of the distfile has changed.

> Why? We don't redistribute anything that is copyrighted.

Users download the file, and I think that we are responsible to have only such SRC_URIs in our ebuilds from where they can obtain the package without being exposed to potential legal issues.

> Are you arguing that merely linking to the file is illegal? If so,
> then you better get the list archives purged.

Arguably, items in SRC_URI aren't even hyperlinks. And no, I don't think that such linking is illegal. IANAL, though.

>> We don't know this for sure unless we ask the author. So whoever is
>> interested in keeping the package in the tree should sort these
>> issues out.

> Perhaps if we want to enforce a policy like this we should take the
> time to actually write the policy down. As far as I can tell Gentoo
> has no such policy currently.

The old Games Ebuild Howto [1] has this:

| LICENSE
|
| The license is an important point in your ebuild. It is also a
| common place for making mistakes. Try to check the license on any
| ebuild that you submit. Often times, the license will be in a
| COPYING file, distributed in the package's tarball. If the license
| is not readily apparent, try contacting the authors of the package
| for clarification. [...]

I propose to add the paragraph above to the devmanual's licenses section.

Ulrich

[1] https://wiki.gentoo.org/wiki/Project:Games/Ebuild_howto#LICENSE
Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon
On Thu, Sep 7, 2017 at 3:28 AM, Ulrich Mueller wrote:
>> On Wed, 6 Sep 2017, Rich Freeman wrote:
>
>> Do we routinely confirm that any site we list in SRC_URI has
>> permission to redistribute files? That seems like a slippery slope.
>
> We don't, and for a package that comes with a license (as the vast
> majority of packages does) it normally isn't necessary.

Why isn't this necessary? How do you know the person issuing the license actually has the right to issue it?

>
> The package in question doesn't come with any license though, which
> means that only the copyright holder has the right to distribute it.
> So I believe that some extra care is justified, especially when the
> upstream location of the distfile has changed.

Why? We don't redistribute anything that is copyrighted.

Are you arguing that merely linking to the file is illegal? If so, then you better get the list archives purged.

>
> We don't know this for sure unless we ask the author. So whoever is
> interested in keeping the package in the tree should sort these issues
> out.
>

Perhaps if we want to enforce a policy like this we should take the time to actually write the policy down. As far as I can tell Gentoo has no such policy currently.

--
Rich
Re: [gentoo-dev] Server hardware give away (misc archs)
Just an update for everyone :
R0b0t1, has the Power 6+
Johnson, has the Sparc T5120

Still working out shipping/logistics

No takers on the HPPA or the Ia64
The HPPA box is nice, really! :)

Thanks
brendan

- On 7 Sep, 2017, at 1:39 AM, R0b0t1 r03...@gmail.com wrote:
Re: [gentoo-dev] [PATCH v3] eclass/kernel-2.eclass: Remove use of tr in global scope
On Thu, 07 Sep 2017 07:42:31 +0200 Michał Górny wrote:
> >+if [[ "${EAPI}" -lt 6 ]]; then
>
> EAPI is not a number. The next one we'll call gray-grizzly just to
> prove the point.

Careful, you're turning into me.

--
Ciaran McCreesh
Re: [gentoo-portage-dev] [PATCH] ebuild.sh: Completely ban external commands in global scope
On 31 August 2017 22:45:42 CEST, "Michał Górny" wrote:
>Set PATH to /dev/null when sourcing the ebuild for dependency
>resolution
>in order to prevent shell from finding external commands via PATH
>lookup. While this does not prevent executing programs via full path,
>it
>should catch the majority of accidental uses.
>
>Closes: https://github.com/gentoo/portage/pull/199
>
>// Note: this can't be merged right now since we still have ebuilds
>// calling external commands; see:
>// https://bugs.gentoo.org/show_bug.cgi?id=629222

Update: gentoo is green now

>--- > bin/ebuild.sh | 6 +- > bin/isolated-functions.sh | 4 > 2 files changed, 9 insertions(+), 1 deletion(-) > >diff --git a/bin/ebuild.sh b/bin/ebuild.sh >index c23561651..94a44d534 100755 >--- a/bin/ebuild.sh >+++ b/bin/ebuild.sh >@@ -80,8 +80,12 @@ else > done > unset funcs x > >+ # prevent the shell from finding external executables >+ # note: we can't use empty because it implies current directory >+ _PORTAGE_ORIG_PATH=${PATH} >+ export PATH=/dev/null > command_not_found_handle() { >- die "Command not found while sourcing ebuild: ${*}" >+ die "External commands disallowed while sourcing ebuild: ${*}" > } > fi > >diff --git a/bin/isolated-functions.sh b/bin/isolated-functions.sh >index e320f7132..b28e44f18 100644 >--- a/bin/isolated-functions.sh >+++ b/bin/isolated-functions.sh >@@ -121,6 +121,10 @@ __helpers_die() { > } > > die() { >+ # restore PATH since die calls basename & sed >+ # TODO: make it pure bash >+ [[ -n ${_PORTAGE_ORIG_PATH} ]] && PATH=${_PORTAGE_ORIG_PATH} >+ > set +x # tracing only produces useless noise here > local IFS=$' \t\n' >

--
Best regards,
Michał Górny (by phone)
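Review bot: in the bin/ebuild.sh hunk, the new die text "External commands disallowed while sourcing ebuild: ${*}" is raised from command_not_found_handle, which fires for any name the shell cannot resolve, so a misspelled function or helper name in an ebuild will also be reported as an external command. Wording that covers both causes would be more accurate, for example "Command not found (external commands are disallowed) while sourcing ebuild: ${*}". The comment above the assignment could also say that _PORTAGE_ORIG_PATH is an ordinary shell variable the sourced ebuild can read, so, like the full-path case the commit message mentions, this guards against accidental use only.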
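Review bot: in the bin/isolated-functions.sh hunk, die() restores PATH from _PORTAGE_ORIG_PATH whenever that variable is non-empty, but the only assignment visible in this patch sits inside the else branch of bin/ebuild.sh, so on any other route into die() the value is whatever the calling environment happened to supply. Suggest unsetting _PORTAGE_ORIG_PATH before that branch in ebuild.sh, so that die() only ever restores a value Portage saved itself.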
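The PATH behaviour that the commit message and the "we can't use empty" comment rely on, as an added example that is not part of the original mail or of Portage. The names `probe`, `make_fixture` and `run_sourced` are made up for the demo, and the fixture script is constructed.

```shell
#!/bin/sh
# Added demo, not Portage code. "probe", make_fixture and run_sourced are
# names made up for this example.
BASH_BIN=$(command -v bash) || { echo "bash is required" >&2; exit 1; }

# Constructed fixture: a scratch directory holding one executable, "probe".
make_fixture() {
    dir=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho "probe ran"\n' > "$dir/probe"
    chmod +x "$dir/probe"
    printf '%s\n' "$dir"
}

# Run a command in a fresh bash whose cwd is the fixture and whose PATH is
# set inside the shell, the way ebuild.sh sets it before sourcing an ebuild.
# $1 = fixture dir, $2 = PATH value, remaining args = command to run
run_sourced() {
    fixture=$1 test_path=$2
    shift 2
    ( cd "$fixture" && TEST_PATH=$test_path "$BASH_BIN" -c '
        # bash calls this hook when a command name cannot be resolved
        command_not_found_handle() {
            echo "blocked: $1"
            return 127
        }
        PATH=$TEST_PATH
        "$@"
    ' demo "$@" 2>&1 )
}

demo() {
    d=$(make_fixture) || return 1
    # Empty PATH: bash falls back to the current directory and runs ./probe
    echo "PATH='' probe          -> $(run_sourced "$d" "" probe)"
    # PATH=/dev/null: nothing can live under a non-directory, lookup fails
    echo "PATH=/dev/null probe   -> $(run_sourced "$d" /dev/null probe)"
    # A full path bypasses the lookup entirely, as the commit message notes
    echo "PATH=/dev/null abspath -> $(run_sourced "$d" /dev/null "$d/probe")"
    rm -rf "$d"
}
demo
```
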
Re: [gentoo-dev] Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon
> On Wed, 6 Sep 2017, Rich Freeman wrote:

> On Wed, Sep 6, 2017 at 2:52 AM, Ulrich Mueller wrote:
>>> On Tue, 5 Sep 2017, Gordon Pettey wrote:
>>
>>> Can these package.mask notes stop saying "no alternative found"
>>> when it's obvious five seconds of Google searching was not even
>>> performed to find an alternative?
>>> https://neverwintervault.org/project/nwn1/module/shadowlords-dreamcatcher-and-demon-campaigns
>>> has live links, and the exe even matches the sha256sum.
>>
>> Do they have permission to redistribute the file, though? The
>> ebuild is mirror restricted and LICENSE says "all-rights-reserved".

> Do we routinely confirm that any site we list in SRC_URI has
> permission to redistribute files? That seems like a slippery slope.

We don't, and for a package that comes with a license (as the vast majority of packages does) it normally isn't necessary.

The package in question doesn't come with any license though, which means that only the copyright holder has the right to distribute it. So I believe that some extra care is justified, especially when the upstream location of the distfile has changed.

https://gitweb.gentoo.org/repo/gentoo.git/tree/licenses/all-rights-reserved

> In any case, as far as I can tell this is probably one of the
> largest sites for hosting this sort of content and I can't imagine
> that it would have escaped the author's notice if they didn't want
> the files distributed there.

We don't know this for sure unless we ask the author. So whoever is interested in keeping the package in the tree should sort these issues out.

Ulrich
[gentoo-dev] Re: [PATCH v3] eclass/kernel-2.eclass: Remove use of tr in global scope
Floyd Anderson posted on Thu, 07 Sep 2017 03:13:45 +0200 as excerpted:

>>+# To use, an ebuild could contain a line like:
>>+# AMD64_URI=http//linktothearchspecificpatch
>
> Even it’s just a comment:
>
> # AMD64_URI="http://link-to-the-arch-specific-patch;
>
> looks friendlier to my eyes. However at least the colon after the scheme
> should be given.

... And please, even in examples, use https://, to encourage the at least somewhat better security than plain http.

(While https may not be particularly resistant to state-level actors able to lean on CAs, it should hopefully at least resist the trivial stuff like insecure wifi and ISP content-insertion games.)

--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman