[Dev] Policy for Package Quarantines

fauno fauno at endefensadelsl.org
Fri Apr 14 23:31:22 GMT 2017

"Nicolás A. Ortega" <deathsbreed at themusicinnoise.net> writes:
> My proposal is the following: when someone brings up a freedom issue (or
> even privacy, for that matter) they should also link to the information
> that led them to this conclusion, once we see that these links have
> something behind them (a quick skim through the links) we can put in
> place the temporary quarantine of the package. After this point all
> information regarding the freedom issues with the package should be
> concentrated in one place (public place where everyone can see it) and a
> more thorough investigation of the matter (finding exact files that are
> non-free) should take place. If no actual evidence is found or the
> evidence has *all* been countered after X amount of time (I think a
> month or two should do) then the package is taken out of quarantine
> until more concrete evidence can be found. If evidence is found and
> cannot be countered then the package is labelled permanently as non-free
> until either upstream fixes the freedom issues (which *should be
> reported to upstream when found*) or we create a -libre package for it.
> The most important thing I want to be taken away from this is that
> information on the freedom issues of a package should be *easily
> available*. I shouldn't have to be asking absolutely everyone in the
> community who has the actual links so I can verify for my own eyes.
> What's more, the more eyes we have on the issue the more information we
> can obtain and the faster we can solve things.
> I brought up the qt5-webengine issue as an example, I did not send this
> e-mail to talk about it directly but something I noticed as a
> consequence of it. So please let's not make this thread about that
> (since I can see it coming).
> With a policy similar to this I believe we'll be able to handle these
> freedom issues in a much more orderly, organized, and effective manner.

+1. Would you open a pad? Then it can be put on the wiki.

Contacting/involving upstream should be a requisite too. In the past
we've failed to do so, and I remember one case where they contacted us
about it. It was about the syslog-ng documentation license, which at the
time of blacklisting was CC-BY-SA-NC (IIRC) and was going to be
changed to CC-BY-SA (which I guess they did, because I see syslog-ng in
the repos now).
