[Dev] Policy for Package Quarantines

Nicolás A. Ortega deathsbreed at themusicinnoise.net
Fri Apr 14 23:28:50 BST 2017

Not so long ago there was a big brouhaha over the qt5-webengine package
and whether or not it was free. I am not going to bring up the specifics
of that issue, as it has its own thread, but I dislike the way that the
situation was handled and I believe it can be improved.

First and foremost, I disliked how hard it was for me to find any
evidence whatsoever about the topic. I also dislike how when the
evidence was placed initially it was not put to the test either (much of
it was actually pretty old). I also disliked how long it ended up taking
with the lack of evidence that I saw.

I am not against removing packages temporarily until freedom issues are
either proven non-existent or solved (and permanently if neither), but I
believe there should be a more strict policy on the matter so that one
can easily analyze the information and so we aren't all running around
like headless chickens having something that may be perfectly fine Free
Software being blacklisted.

My proposal is the following: when someone brings up a freedom issue (or
even privacy, for that matter) they should also link to the information
that led them to this conclusion. Once we see that these links have
something behind them (a quick skim through the links) we can put in
place the temporary quarantine of the package. After this point all
information regarding the freedom issues with the package should be
concentrated in one place (a public place where everyone can see it) and a
more thorough investigation of the matter (finding the exact files that are
non-free) should take place. If no actual evidence is found or the
evidence has *all* been countered after X amount of time (I think a
month or two should do) then the package is taken out of quarantine
until more concrete evidence can be found. If evidence is found and
cannot be countered then the package is labelled permanently as non-free
until either upstream fixes the freedom issues (which *should be
reported to upstream when found*) or we create a -libre package for it.

The most important thing I want to be taken away from this is that
information on the freedom issues of a package should be *easily
available*. I shouldn't have to be asking absolutely everyone in the
community who has the actual links so I can verify for my own eyes.
What's more, the more eyes we have on the issue the more information we
can obtain and the faster we can solve things.

I brought up the qt5-webengine issue as an example; I did not send this
e-mail to talk about it directly but about something I noticed as a
consequence of it. So please let's not make this thread about that
(since I can see it coming).

With a policy similar to this I believe we'll be able to handle these
freedom issues in a much more orderly, organized, and effective manner.

Nicolás Ortega Froysa (Deathsbreed)
Public PGP Key:
