Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon


Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

Austin English-2
# Austin English <[hidden email]> (05 Sep 2017)
# Download has been broken for nearly a year, no alternative found
# Bug: https://bugs.gentoo.org/599390
# Removal in 30 days
games-rpg/nwn-shadowlordsdreamcatcherdemon

--
-Austin

Austin English
Gentoo Developer
GPG: 00B3 2957 B94B F3E1



Re: Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

Gordon Pettey
Can these package.mask notes stop saying "no alternative found" when it's obvious five seconds of Google searching was not even performed to find an alternative? https://neverwintervault.org/project/nwn1/module/shadowlords-dreamcatcher-and-demon-campaigns has live links, and the exe even matches the sha256sum.

On Tue, Sep 5, 2017 at 4:43 PM, Austin English <[hidden email]> wrote:
# Austin English <[hidden email]> (05 Sep 2017)
# Download has been broken for nearly a year, no alternative found
# Bug: https://bugs.gentoo.org/599390
# Removal in 30 days
games-rpg/nwn-shadowlordsdreamcatcherdemon

--
-Austin

Austin English
Gentoo Developer
GPG: 00B3 2957 B94B F3E1



Re: Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

Ulrich Mueller-2
>>>>> On Tue, 5 Sep 2017, Gordon Pettey wrote:

> Can these package.mask notes stop saying "no alternative found" when
> it's obvious five seconds of Google searching was not even performed
> to find an alternative?
> https://neverwintervault.org/project/nwn1/module/shadowlords-dreamcatcher-and-demon-campaigns
> has live links, and the exe even matches the sha256sum.

Do they have permission to redistribute the file, though? The ebuild
is mirror restricted and LICENSE says "all-rights-reserved".

Ulrich


Re: Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

Rich Freeman
On Wed, Sep 6, 2017 at 2:52 AM, Ulrich Mueller <[hidden email]> wrote:

>>>>>> On Tue, 5 Sep 2017, Gordon Pettey wrote:
>
>> Can these package.mask notes stop saying "no alternative found" when
>> it's obvious five seconds of Google searching was not even performed
>> to find an alternative?
>> https://neverwintervault.org/project/nwn1/module/shadowlords-dreamcatcher-and-demon-campaigns
>> has live links, and the exe even matches the sha256sum.
>
> Do they have permission to redistribute the file, though? The ebuild
> is mirror restricted and LICENSE says "all-rights-reserved".
>

Do we routinely confirm that any site we list in SRC_URI has
permission to redistribute files?  That seems like a slippery slope.
In any case, as far as I can tell this is probably one of the largest
sites for hosting this sort of content and I can't imagine that it
would have escaped the author's notice if they didn't want the files
distributed there.

--
Rich


Re: Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

Ulrich Mueller-2
>>>>> On Wed, 6 Sep 2017, Rich Freeman wrote:

> On Wed, Sep 6, 2017 at 2:52 AM, Ulrich Mueller <[hidden email]> wrote:
>>>>>>> On Tue, 5 Sep 2017, Gordon Pettey wrote:
>>
>>> Can these package.mask notes stop saying "no alternative found"
>>> when it's obvious five seconds of Google searching was not even
>>> performed to find an alternative?
>>> https://neverwintervault.org/project/nwn1/module/shadowlords-dreamcatcher-and-demon-campaigns
>>> has live links, and the exe even matches the sha256sum.
>>
>> Do they have permission to redistribute the file, though? The
>> ebuild is mirror restricted and LICENSE says "all-rights-reserved".

> Do we routinely confirm that any site we list in SRC_URI has
> permission to redistribute files?  That seems like a slippery slope.

We don't, and for a package that comes with a license (as the vast
majority of packages does) it normally isn't necessary.

The package in question doesn't come with any license though, which
means that only the copyright holder has the right to distribute it.
So I believe that some extra care is justified, especially when the
upstream location of the distfile has changed.

https://gitweb.gentoo.org/repo/gentoo.git/tree/licenses/all-rights-reserved

> In any case, as far as I can tell this is probably one of the
> largest sites for hosting this sort of content and I can't imagine
> that it would have escaped the author's notice if they didn't want
> the files distributed there.

We don't know this for sure unless we ask the author. So whoever is
interested in keeping the package in the tree should sort these issues
out.

Ulrich


Re: Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

Rich Freeman
On Thu, Sep 7, 2017 at 3:28 AM, Ulrich Mueller <[hidden email]> wrote:
>>>>>> On Wed, 6 Sep 2017, Rich Freeman wrote:
>
>> Do we routinely confirm that any site we list in SRC_URI has
>> permission to redistribute files?  That seems like a slippery slope.
>
> We don't, and for a package that comes with a license (as the vast
> majority of packages does) it normally isn't necessary.

Why isn't this necessary?  How do you know the person issuing the
license actually has the right to issue it?

>
> The package in question doesn't come with any license though, which
> means that only the copyright holder has the right to distribute it.
> So I believe that some extra care is justified, especially when the
> upstream location of the distfile has changed.

Why?  We don't redistribute anything that is copyrighted.

Are you arguing that merely linking to the file is illegal?  If so,
then you better get the list archives purged.

>
> We don't know this for sure unless we ask the author. So whoever is
> interested in keeping the package in the tree should sort these issues
> out.
>

Perhaps if we want to enforce a policy like this we should take the
time to actually write the policy down.  As far as I can tell Gentoo
has no such policy currently.

--
Rich


Re: Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

Ulrich Mueller-2
>>>>> On Thu, 7 Sep 2017, Rich Freeman wrote:

>>> Do we routinely confirm that any site we list in SRC_URI has
>>> permission to redistribute files? That seems like a slippery
>>> slope.
>>
>> We don't, and for a package that comes with a license (as the vast
>> majority of packages does) it normally isn't necessary.

> Why isn't this necessary?  How do you know the person issuing the
> license actually has the right to issue it?

Don't you think there is a difference between downloading a package
that has a known upstream and that is also carried by other distros,
and downloading a license-less package from a random location on the
internet?

>> The package in question doesn't come with any license though, which
>> means that only the copyright holder has the right to distribute
>> it. So I believe that some extra care is justified, especially when
>> the upstream location of the distfile has changed.

> Why?  We don't redistribute anything that is copyrighted.

Users download the file, and I think that we are responsible to have
only such SRC_URIs in our ebuilds from where they can obtain the
package without being exposed to potential legal issues.

> Are you arguing that merely linking to the file is illegal?  If so,
> then you better get the list archives purged.

Arguably, items in SRC_URI aren't even hyperlinks. And no, I don't
think that such linking is illegal. IANAL, though.

>> We don't know this for sure unless we ask the author. So whoever is
>> interested in keeping the package in the tree should sort these
>> issues out.

> Perhaps if we want to enforce a policy like this we should take the
> time to actually write the policy down.  As far as I can tell Gentoo
> has no such policy currently.

The old Games Ebuild Howto [1] has this:

| LICENSE
|
| The license is an important point in your ebuild. It is also a
| common place for making mistakes. Try to check the license on any
| ebuild that you submit. Often times, the license will be in a
| COPYING file, distributed in the package's tarball. If the license
| is not readily apparent, try contacting the authors of the package
| for clarification. [...]

I propose to add the paragraph above to the devmanual's licenses
section.

Ulrich

[1] https://wiki.gentoo.org/wiki/Project:Games/Ebuild_howto#LICENSE


Re: Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

Rich Freeman
On Thu, Sep 7, 2017 at 6:04 AM, Ulrich Mueller <[hidden email]> wrote:
>>>>>> On Thu, 7 Sep 2017, Rich Freeman wrote:
>
> Don't you think there is a difference between downloading a package
> that has a known upstream and that is also carried by other distros,
> and downloading a license-less package from a random location on the
> internet?

Most upstreams do not do much checking about the ownership of their sources.

Gentoo certainly doesn't - we don't even require developers to submit a DCO.

Other projects like the Linux kernel require signing a DCO for each
commit, but do not do any checking beyond this.  I have no doubt that
they would remove offending sources if they were contacted, but they
do not actively go out and confirm authorship.

>
>>> The package in question doesn't come with any license though, which
>>> means that only the copyright holder has the right to distribute
>>> it. So I believe that some extra care is justified, especially when
>>> the upstream location of the distfile has changed.
>
>> Why?  We don't redistribute anything that is copyrighted.
>
> Users download the file, and I think that we are responsible to have
> only such SRC_URIs in our ebuilds from where they can obtain the
> package without being exposed to potential legal issues.

I'm not aware of any court rulings that have found downloading
something like this to be illegal.

>
>> Perhaps if we want to enforce a policy like this we should take the
>> time to actually write the policy down.  As far as I can tell Gentoo
>> has no such policy currently.
>
> The old Games Ebuild Howto [1] has this:
>
> | LICENSE
> |
> | The license is an important point in your ebuild. It is also a
> | common place for making mistakes. Try to check the license on any
> | ebuild that you submit. Often times, the license will be in a
> | COPYING file, distributed in the package's tarball. If the license
> | is not readily apparent, try contacting the authors of the package
> | for clarification. [...]
>
> I propose to add the paragraph above to the devmanual's licenses
> section.
>

We already know there isn't a license for redistribution.  This
doesn't speak about requiring us to ensure that those distributing our
source files have the rights to do so.  It merely says to check the
license.  We understand the license already.  I don't see how this
paragraph pertains to this situation.

--
Rich


Re: Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

Andrew Savchenko
In reply to this post by Ulrich Mueller-2
On Thu, 7 Sep 2017 15:04:34 +0200 Ulrich Mueller wrote:

> >>>>> On Thu, 7 Sep 2017, Rich Freeman wrote:
>
> >>> Do we routinely confirm that any site we list in SRC_URI has
> >>> permission to redistribute files? That seems like a slippery
> >>> slope.
> >>
> >> We don't, and for a package that comes with a license (as the vast
> >> majority of packages does) it normally isn't necessary.
>
> > Why isn't this necessary?  How do you know the person issuing the
> > license actually has the right to issue it?
>
> Don't you think there is a difference between downloading a package
> that has a known upstream and that is also carried by other distros,
> and downloading a license-less package from a random location on the
> internet?

If downloaded files are the same (e.g. sha512 hash matches), what's
the difference?

Best regards,
Andrew Savchenko


Re: Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

Michał Górny-5
In reply to this post by Rich Freeman
On Thu, 07.09.2017 at 06:21 -0700, Rich Freeman wrote:

> On Thu, Sep 7, 2017 at 6:04 AM, Ulrich Mueller <[hidden email]> wrote:
> > > > > > > On Thu, 7 Sep 2017, Rich Freeman wrote:
> >
> > Don't you think there is a difference between downloading a package
> > that has a known upstream and that is also carried by other distros,
> > and downloading a license-less package from a random location on the
> > internet?
>
> Most upstreams do not do much checking about the ownership of their sources.
>
> Gentoo certainly doesn't - we don't even require developers to submit a DCO.
>
> Other projects like the Linux kernel require signing a DCO for each
> commit, but do not do any checking beyond this.  I have no doubt that
> they would remove offending sources if they were contacted, but they
> do not actively go out and confirm authorship.
>
> >
> > > > The package in question doesn't come with any license though, which
> > > > means that only the copyright holder has the right to distribute
> > > > it. So I believe that some extra care is justified, especially when
> > > > the upstream location of the distfile has changed.
> > > Why?  We don't redistribute anything that is copyrighted.
> >
> > Users download the file, and I think that we are responsible to have
> > only such SRC_URIs in our ebuilds from where they can obtain the
> > package without being exposed to potential legal issues.
>
> I'm not aware of any court rulings that have found downloading
> something like this to be illegal.
>
> >
> > > Perhaps if we want to enforce a policy like this we should take the
> > > time to actually write the policy down.  As far as I can tell Gentoo
> > > has no such policy currently.
> >
> > The old Games Ebuild Howto [1] has this:
> >
> > > LICENSE
> > >
> > > The license is an important point in your ebuild. It is also a
> > > common place for making mistakes. Try to check the license on any
> > > ebuild that you submit. Often times, the license will be in a
> > > COPYING file, distributed in the package's tarball. If the license
> > > is not readily apparent, try contacting the authors of the package
> > > for clarification. [...]
> >
> > I propose to add the paragraph above to the devmanual's licenses
> > section.
> >
>
> We already know there isn't a license for redistribution.  This
> doesn't speak about requiring us to ensure that those distributing our
> source files have the rights to do so.  It merely says to check the
> license.  We understand the license already.  I don't see how this
> paragraph pertains to this situation.

AFAIK you're a developer. So if you want to keep this package, then
please do the needful and take care of it yourself instead of
complaining and demanding others to do the work you want done.

--
Best regards,
Michał Górny



Re: Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

Rich Freeman
On Thu, Sep 7, 2017 at 4:36 PM, Michał Górny <[hidden email]> wrote:

> On Thu, 07.09.2017 at 06:21 -0700, Rich Freeman wrote:
>> On Thu, Sep 7, 2017 at 6:04 AM, Ulrich Mueller <[hidden email]> wrote:
>> > > > > > > On Thu, 7 Sep 2017, Rich Freeman wrote:
>> >
>> > Don't you think there is a difference between downloading a package
>> > that has a known upstream and that is also carried by other distros,
>> > and downloading a license-less package from a random location on the
>> > internet?
>>
>> Most upstreams do not do much checking about the ownership of their sources.
>>
>> Gentoo certainly doesn't - we don't even require developers to submit a DCO.
>>
>> Other projects like the Linux kernel require signing a DCO for each
>> commit, but do not do any checking beyond this.  I have no doubt that
>> they would remove offending sources if they were contacted, but they
>> do not actively go out and confirm authorship.
>>
>> >
>> > > > The package in question doesn't come with any license though, which
>> > > > means that only the copyright holder has the right to distribute
>> > > > it. So I believe that some extra care is justified, especially when
>> > > > the upstream location of the distfile has changed.
>> > > Why?  We don't redistribute anything that is copyrighted.
>> >
>> > Users download the file, and I think that we are responsible to have
>> > only such SRC_URIs in our ebuilds from where they can obtain the
>> > package without being exposed to potential legal issues.
>>
>> I'm not aware of any court rulings that have found downloading
>> something like this to be illegal.
>>
>> >
>> > > Perhaps if we want to enforce a policy like this we should take the
>> > > time to actually write the policy down.  As far as I can tell Gentoo
>> > > has no such policy currently.
>> >
>> > The old Games Ebuild Howto [1] has this:
>> >
>> > > LICENSE
>> > >
>> > > The license is an important point in your ebuild. It is also a
>> > > common place for making mistakes. Try to check the license on any
>> > > ebuild that you submit. Often times, the license will be in a
>> > > COPYING file, distributed in the package's tarball. If the license
>> > > is not readily apparent, try contacting the authors of the package
>> > > for clarification. [...]
>> >
>> > I propose to add the paragraph above to the devmanual's licenses
>> > section.
>> >
>>
>> We already know there isn't a license for redistribution.  This
>> doesn't speak about requiring us to ensure that those distributing our
>> source files have the rights to do so.  It merely says to check the
>> license.  We understand the license already.  I don't see how this
>> paragraph pertains to this situation.
>
> AFAIK you're a developer. So if you want to keep this package, then
> please do the needful and take care of it yourself instead of
> complaining and demanding others to do the work you want done.
>

Are you saying it is sufficient to just point the SRC_URI at the new
URL and remove the mask?  As far as I can tell that is all that needs
to be done.  Per the policy the license is readily apparent, so there
is no need to contact the authors.

--
Rich


Re: Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

Michał Górny-5
On Thu, 07.09.2017 at 16:42 -0400, Rich Freeman wrote:

> On Thu, Sep 7, 2017 at 4:36 PM, Michał Górny <[hidden email]> wrote:
> > On Thu, 07.09.2017 at 06:21 -0700, Rich Freeman wrote:
> > > On Thu, Sep 7, 2017 at 6:04 AM, Ulrich Mueller <[hidden email]> wrote:
> > > > > > > > > On Thu, 7 Sep 2017, Rich Freeman wrote:
> > > >
> > > > Don't you think there is a difference between downloading a package
> > > > that has a known upstream and that is also carried by other distros,
> > > > and downloading a license-less package from a random location on the
> > > > internet?
> > >
> > > Most upstreams do not do much checking about the ownership of their sources.
> > >
> > > Gentoo certainly doesn't - we don't even require developers to submit a DCO.
> > >
> > > Other projects like the Linux kernel require signing a DCO for each
> > > commit, but do not do any checking beyond this.  I have no doubt that
> > > they would remove offending sources if they were contacted, but they
> > > do not actively go out and confirm authorship.
> > >
> > > >
> > > > > > The package in question doesn't come with any license though, which
> > > > > > means that only the copyright holder has the right to distribute
> > > > > > it. So I believe that some extra care is justified, especially when
> > > > > > the upstream location of the distfile has changed.
> > > > >
> > > > > Why?  We don't redistribute anything that is copyrighted.
> > > >
> > > > Users download the file, and I think that we are responsible to have
> > > > only such SRC_URIs in our ebuilds from where they can obtain the
> > > > package without being exposed to potential legal issues.
> > >
> > > I'm not aware of any court rulings that have found downloading
> > > something like this to be illegal.
> > >
> > > >
> > > > > Perhaps if we want to enforce a policy like this we should take the
> > > > > time to actually write the policy down.  As far as I can tell Gentoo
> > > > > has no such policy currently.
> > > >
> > > > The old Games Ebuild Howto [1] has this:
> > > >
> > > > > LICENSE
> > > > >
> > > > > The license is an important point in your ebuild. It is also a
> > > > > common place for making mistakes. Try to check the license on any
> > > > > ebuild that you submit. Often times, the license will be in a
> > > > > COPYING file, distributed in the package's tarball. If the license
> > > > > is not readily apparent, try contacting the authors of the package
> > > > > for clarification. [...]
> > > >
> > > > I propose to add the paragraph above to the devmanual's licenses
> > > > section.
> > > >
> > >
> > > We already know there isn't a license for redistribution.  This
> > > doesn't speak about requiring us to ensure that those distributing our
> > > source files have the rights to do so.  It merely says to check the
> > > license.  We understand the license already.  I don't see how this
> > > paragraph pertains to this situation.
> >
> > AFAIK you're a developer. So if you want to keep this package, then
> > please do the needful and take care of it yourself instead of
> > complaining and demanding others to do the work you want done.
> >
>
> Are you saying it is sufficient to just point the SRC_URI at the new
> URL and remove the mask?  As far as I can tell that is all that needs
> to be done.  Per the policy the license is readily apparent, so there
> is no need to contact the authors.
>

I don't know what is sufficient. It's your business as the new
maintainer to figure it out and take the responsibility. If there's
nobody willing to do that, then we don't get to keep the package. Simple
as that.

--
Best regards,
Michał Górny



Re: Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

Rich Freeman
On Thu, Sep 7, 2017 at 5:18 PM, Michał Górny <[hidden email]> wrote:

> On Thu, 07.09.2017 at 16:42 -0400, Rich Freeman wrote:
>> On Thu, Sep 7, 2017 at 4:36 PM, Michał Górny <[hidden email]> wrote:
>> > On Thu, 07.09.2017 at 06:21 -0700, Rich Freeman wrote:
>> > > On Thu, Sep 7, 2017 at 6:04 AM, Ulrich Mueller <[hidden email]> wrote:
>> > > > > > > > > On Thu, 7 Sep 2017, Rich Freeman wrote:
>> > > >
>> > > > Don't you think there is a difference between downloading a package
>> > > > that has a known upstream and that is also carried by other distros,
>> > > > and downloading a license-less package from a random location on the
>> > > > internet?
>> > >
>> > > Most upstreams do not do much checking about the ownership of their sources.
>> > >
>> > > Gentoo certainly doesn't - we don't even require developers to submit a DCO.
>> > >
>> > > Other projects like the Linux kernel require signing a DCO for each
>> > > commit, but do not do any checking beyond this.  I have no doubt that
>> > > they would remove offending sources if they were contacted, but they
>> > > do not actively go out and confirm authorship.
>> > >
>> > > >
>> > > > > > The package in question doesn't come with any license though, which
>> > > > > > means that only the copyright holder has the right to distribute
>> > > > > > it. So I believe that some extra care is justified, especially when
>> > > > > > the upstream location of the distfile has changed.
>> > > > >
>> > > > > Why?  We don't redistribute anything that is copyrighted.
>> > > >
>> > > > Users download the file, and I think that we are responsible to have
>> > > > only such SRC_URIs in our ebuilds from where they can obtain the
>> > > > package without being exposed to potential legal issues.
>> > >
>> > > I'm not aware of any court rulings that have found downloading
>> > > something like this to be illegal.
>> > >
>> > > >
>> > > > > Perhaps if we want to enforce a policy like this we should take the
>> > > > > time to actually write the policy down.  As far as I can tell Gentoo
>> > > > > has no such policy currently.
>> > > >
>> > > > The old Games Ebuild Howto [1] has this:
>> > > >
>> > > > > LICENSE
>> > > > >
>> > > > > The license is an important point in your ebuild. It is also a
>> > > > > common place for making mistakes. Try to check the license on any
>> > > > > ebuild that you submit. Often times, the license will be in a
>> > > > > COPYING file, distributed in the package's tarball. If the license
>> > > > > is not readily apparent, try contacting the authors of the package
>> > > > > for clarification. [...]
>> > > >
>> > > > I propose to add the paragraph above to the devmanual's licenses
>> > > > section.
>> > > >
>> > >
>> > > We already know there isn't a license for redistribution.  This
>> > > doesn't speak about requiring us to ensure that those distributing our
>> > > source files have the rights to do so.  It merely says to check the
>> > > license.  We understand the license already.  I don't see how this
>> > > paragraph pertains to this situation.
>> >
>> > AFAIK you're a developer. So if you want to keep this package, then
>> > please do the needful and take care of it yourself instead of
>> > complaining and demanding others to do the work you want done.
>> >
>>
>> Are you saying it is sufficient to just point the SRC_URI at the new
>> URL and remove the mask?  As far as I can tell that is all that needs
>> to be done.  Per the policy the license is readily apparent, so there
>> is no need to contact the authors.
>>
>
> I don't know what is sufficient. It's your business as the new
> maintainer to figure it out and take the responsibility. If there's
> nobody willing to do that, then we don't get to keep the package. Simple
> as that.
>

And how would I figure it out, considering that simply asking on the
list doesn't seem to yield a straight answer?  Do you really need me
to put it on the Council agenda?  Or do we unmask it, let QA mask it
10 minutes later, then go back and forth for a month, and THEN put it
on the Council agenda?

--
Rich


Re: Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

R0b0t1
Hello,

On Thu, Sep 7, 2017 at 8:04 AM, Ulrich Mueller <[hidden email]> wrote:

>>>>>> On Thu, 7 Sep 2017, Rich Freeman wrote:
>
>>>> Do we routinely confirm that any site we list in SRC_URI has
>>>> permission to redistribute files? That seems like a slippery
>>>> slope.
>>>
>>> We don't, and for a package that comes with a license (as the vast
>>> majority of packages does) it normally isn't necessary.
>
>> Why isn't this necessary?  How do you know the person issuing the
>> license actually has the right to issue it?
>
> Don't you think there is a difference between downloading a package
> that has a known upstream and that is also carried by other distros,
> and downloading a license-less package from a random location on the
> internet?
>
>>> The package in question doesn't come with any license though, which
>>> means that only the copyright holder has the right to distribute
>>> it. So I believe that some extra care is justified, especially when
>>> the upstream location of the distfile has changed.
>
>> Why?  We don't redistribute anything that is copyrighted.
>
> Users download the file, and I think that we are responsible to have
> only such SRC_URIs in our ebuilds from where they can obtain the
> package without being exposed to potential legal issues.
>

Downloading does not imply committing a felony. As far as anyone can
tell it is impossible to prosecute someone for downloading something
they already own (regardless of what any EULA has claimed). Further,
copyrights lapse if not enforced. Depending on how long that download
has been up the original rightsholder has forfeited their claim to
their work.

It's also really hard to convince a judge or jury that I am to blame
if someone follows my instructions (save for specific cases where I
could be considered a subject matter expert). E.g. it's possible to
sell radio kits that are illegal to put together and operate.

>> Are you arguing that merely linking to the file is illegal?  If so,
>> then you better get the list archives purged.
>
> Arguably, items in SRC_URI aren't even hyperlinks. And no, I don't
> think that such linking is illegal. IANAL, though.
>

It is at this point I would suggest that you have defeated your own argument.

>>> We don't know this for sure unless we ask the author. So whoever is
>>> interested in keeping the package in the tree should sort these
>>> issues out.
>
>> Perhaps if we want to enforce a policy like this we should take the
>> time to actually write the policy down.  As far as I can tell Gentoo
>> has no such policy currently.
>
> The old Games Ebuild Howto [1] has this:
>
> | LICENSE
> |
> | The license is an important point in your ebuild. It is also a
> | common place for making mistakes. Try to check the license on any
> | ebuild that you submit. Often times, the license will be in a
> | COPYING file, distributed in the package's tarball. If the license
> | is not readily apparent, try contacting the authors of the package
> | for clarification. [...]
>
> I propose to add the paragraph above to the devmanual's licenses
> section.
>

Should the Gentoo foundation include a disclaimer that the software
distributed by it is not to be used to build ballistic missiles or run
nuclear arms programs? Users might do those things, and Gentoo might
be liable for the consequences if they do.


On Thu, Sep 7, 2017 at 4:56 PM, Rich Freeman <[hidden email]> wrote:
> Do you really need me to put it on the Council agenda?

Sir, please see my above comment about building ballistic missiles. It
may be important for the Gentoo Foundation to add a disclaimer similar
to the one I mentioned. I would hate for the Foundation or any of its
administrators or contributors to be found guilty of aiding and
abetting terrorists.

Respectfully,
     R0b0t1


Re: Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

Kent Fredric-2
In reply to this post by Rich Freeman
On Thu, 7 Sep 2017 17:56:32 -0400
Rich Freeman <[hidden email]> wrote:

> And how would I figure it out, considering that simply asking on the
> list doesn't seem to yield a straight answer?  Do you really need me
> to put it on the Council agenda?  Or do we unmask it, let QA mask it
> 10 minutes later, then go back and forth for a month, and THEN put it
> on the Council agenda?
>
> --

Surely RESTRICT=fetch and then just do a "Hey look, the legal here is not clear
so you need to acquire this yourself after making sure you have the rights to do
so"

You know, like we do for things that can only be installed with a physical copy.


Re: Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

Michał Górny-5
In reply to this post by Rich Freeman
On Thu, 07.09.2017 at 17:56 -0400, Rich Freeman wrote:

> On Thu, Sep 7, 2017 at 5:18 PM, Michał Górny <[hidden email]> wrote:
> > On Thu, 07.09.2017 at 16:42 -0400, Rich Freeman wrote:
> > > On Thu, Sep 7, 2017 at 4:36 PM, Michał Górny <[hidden email]> wrote:
> > > > On Thu, 07.09.2017 at 06:21 -0700, Rich Freeman
> > > > wrote:
> > > > > On Thu, Sep 7, 2017 at 6:04 AM, Ulrich Mueller <[hidden email]> wrote:
> > > > > > > > > > > On Thu, 7 Sep 2017, Rich Freeman wrote:
> > > > > >
> > > > > > Don't you think there is a difference between downloading a package
> > > > > > that has a known upstream and that is also carried by other distros,
> > > > > > and downloading a license-less package from a random location on the
> > > > > > internet?
> > > > >
> > > > > Most upstreams do not do much checking about the ownership of their sources.
> > > > >
> > > > > Gentoo certainly doesn't - we don't even require developers to submit a DCO.
> > > > >
> > > > > Other projects like the Linux kernel require signing a DCO for each
> > > > > commit, but do not do any checking beyond this.  I have no doubt that
> > > > > they would remove offending sources if they were contacted, but they
> > > > > do not actively go out and confirm authorship.
> > > > >
> > > > > >
> > > > > > > > The package in question doesn't come with any license though, which
> > > > > > > > means that only the copyright holder has the right to distribute
> > > > > > > > it. So I believe that some extra care is justified, especially when
> > > > > > > > the upstream location of the distfile has changed.
> > > > > > >
> > > > > > > Why?  We don't redistribute anything that is copyrighted.
> > > > > >
> > > > > > Users download the file, and I think that we are responsible to have
> > > > > > only such SRC_URIs in our ebuilds from where they can obtain the
> > > > > > package without being exposed to potential legal issues.
> > > > >
> > > > > I'm not aware of any court rulings that have found downloading
> > > > > something like this to be illegal.
> > > > >
> > > > > >
> > > > > > > Perhaps if we want to enforce a policy like this we should take the
> > > > > > > time to actually write the policy down.  As far as I can tell Gentoo
> > > > > > > has no such policy currently.
> > > > > >
> > > > > > The old Games Ebuild Howto [1] has this:
> > > > > >
> > > > > > > LICENSE
> > > > > > >
> > > > > > > The license is an important point in your ebuild. It is also a
> > > > > > > common place for making mistakes. Try to check the license on any
> > > > > > > ebuild that you submit. Often times, the license will be in a
> > > > > > > COPYING file, distributed in the package's tarball. If the license
> > > > > > > is not readily apparent, try contacting the authors of the package
> > > > > > > for clarification. [...]
> > > > > >
> > > > > > I propose to add the paragraph above to the devmanual's licenses
> > > > > > section.
> > > > > >
> > > > >
> > > > > We already know there isn't a license for redistribution.  This
> > > > > doesn't speak about requiring us to ensure that those distributing our
> > > > > source files have the rights to do so.  It merely says to check the
> > > > > license.  We understand the license already.  I don't see how this
> > > > > paragraph pertains to this situation.
> > > >
> > > > AFAIK you're a developer. So if you want to keep this package, then
> > > > please do the needful and take care of it yourself instead of
> > > > complaining and demanding others to do the work you want done.
> > > >
> > >
> > > Are you saying it is sufficient to just point the SRC_URI at the new
> > > URL and remove the mask?  As far as I can tell that is all that needs
> > > to be done.  Per the policy the license is readily apparent, so there
> > > is no need to contact the authors.
> > >
> >
> > I don't know what is sufficient. It's your business as the new
> > maintainer to figure it out and take the responsibility. If there's
> > nobody willing to do that, then we don't get to keep the package. Simple
> > as that.
> >
>
> And how would I figure it out, considering that simply asking on the
> list doesn't seem to yield a straight answer?  Do you really need me
> to put it on the Council agenda?  Or do we unmask it, let QA mask it
> 10 minutes later, then go back and forth for a month, and THEN put it
> on the Council agenda?

Maybe find yourself a lawyer, and ask him. We're all volunteers,
and we're in no way obligated to give legal advice to you or anyone
in particular. Especially if it all started with the tone 'how dare you
remove this?!'

--
Best regards,
Michał Górny



Re: Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

Ulrich Mueller-2
In reply to this post by R0b0t1
>>>>> On Thu, 7 Sep 2017, R0b0t1  wrote:

> Downloading does not imply committing a felony. As far as anyone can
> tell it is impossible to prosecute someone for downloading something
> they already own (regardless of what any EULA has claimed).

Sure, if the user already has rightfully obtained the software then
nothing can stop him from downloading it again.

> Further, copyrights lapse if not enforced. Depending on how long
> that download has been up the original rightsholder has forfeited
> their claim to their work.

Copyright expires no sooner than 50 years after the author's death:
https://en.wikipedia.org/wiki/Berne_Convention
In most countries that term is even longer, e.g. 70 years in the
European Union.

Also contrary to popular belief, there is no such concept as
"abandonware". In some legislations, there are some provisions to
allow archiving of orphan works, but only for public institutions
(e.g. in the EU, museums and digital archives).

> Sir, please see my above comment about building ballistic missiles.
> It may be important for the Gentoo Foundation to add a disclaimer
> similar to the one I mentioned. I would hate for the Foundation or
> any of its administrators or contributors to be found guilty of
> aiding and abetting terrorists.

Yeah. Stop trolling, please.

Ulrich


Re: Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

Rich Freeman
In reply to this post by Michał Górny-5
On Fri, Sep 8, 2017 at 2:52 AM, Michał Górny <[hidden email]> wrote:
>
> Maybe find yourself a lawyer, and ask him. We're all volunteers,

I've already done the research.  There is no legal requirement to
contact the authors before changing the SRC_URI.

> and we're in no way obligated to give legal advice to you or anyone
> in particular.

I'm not asking for legal advice.

Somebody suggested a solution.  ulm objected to that solution.  I'm
merely asking that those trying to stop a problem from being solved
point to a written policy, because that is how virtually every
organization on the planet works.  If you don't put the impetus on the
person trying to block action, then nothing gets done, because posting
an objection on a mailing list costs nothing.

> Especially if it all started with the tone 'how dare you
> remove this?!'
>

I certainly never objected to the removal of the package.  It didn't
fetch and was unmaintained.  Of course it should have been
treecleaned.  Maybe somebody else had that tone, and if that concerns
you I suggest you take it up with them.

--
Rich


Re: Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

Ulrich Mueller-2
In reply to this post by Rich Freeman
>>>>> On Thu, 7 Sep 2017, Rich Freeman wrote:

> On Thu, Sep 7, 2017 at 5:18 PM, Michał Górny <[hidden email]> wrote:
>> On Thu, 07.09.2017 at 16:42 -0400, Rich Freeman
>> wrote:
>>> Are you saying it is sufficient to just point the SRC_URI at the
>>> new URL and remove the mask? As far as I can tell that is all that
>>> needs to be done. Per the policy the license is readily apparent,
>>> so there is no need to contact the authors.

Huh? The very problem here is that the package has *no* license.

The LICENSE variable was always mandatory, so originally a package
without a license (like the one mentioned in the subject) could
not be added to the tree. Or, devs would tag it with the infamous
"as-is" license label. Cleaning up the resulting mess was quite a
nightmare [1].

Later it was noticed that there is a specific class of software where
there is no license, but that are up for download at their author's
site. Examples were dev-libs/djb and other packages related to qmail.
We then came up with the "all-rights-reserved" license label [2], in
order to permit such software in the tree. (You should be aware of
this, because you were a trustee back then).

Quoting from "all-rights-reserved":

| This package has an explicit "all rights reserved" clause, or comes
| without any license, or only with a disclaimer. This means that you
| have only the rights that are granted to you by law. If you have
| lawfully acquired a copy of the program (e.g., by buying it or by
| downloading it from the author's site) then in many legislations you
| are allowed to compile it, run it, make a backup, and to patch it as
| necessary, without permission from the copyright holder.

Note that it explicitly says "downloading from the author's site".
I still think that we should handle this in a restrictive way, and
permit only sites where we can be reasonably certain that they
distribute the software with the copyright holder's approval.

>> I don't know what is sufficient. It's your business as the new
>> maintainer to figure it out and take the responsibility. If there's
>> nobody willing to do that, then we don't get to keep the package.
>> Simple as that.

> And how would I figure it out, considering that simply asking on the
> list doesn't seem to yield a straight answer?  Do you really need me
> to put it on the Council agenda?  Or do we unmask it, let QA mask it
> 10 minutes later, then go back and forth for a month, and THEN put it
> on the Council agenda?

Why not follow kentnl's suggestion? If you don't want to figure out
what the connection between the author and the download site is, then
make the ebuild fetch restricted, and have the user download the
file manually. I'd also suggest to put only the file's basename in
SRC_URI then.

Ulrich


[1] https://bugs.gentoo.org/436214
[2] https://bugs.gentoo.org/444424
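
The fetch-restricted arrangement suggested by Kent Fredric and in the message above, sketched as an ebuild fragment. This is an added example, not part of the thread or the Gentoo tree; the distfile name and `MY_DISTFILE` variable are placeholders, since the thread does not give the real file name.

```bash
# Hypothetical ebuild fragment (added example, not the package's real ebuild).
EAPI=6

# Placeholder: the real distfile name does not appear in this thread.
MY_DISTFILE="PLACEHOLDER-distfile-name.exe"

DESCRIPTION="Placeholder description"
LICENSE="all-rights-reserved"
SLOT="0"

# Basename only: the ebuild names the file but points at no download site.
SRC_URI="${MY_DISTFILE}"

# fetch: the package manager never downloads SRC_URI itself; the user
# has to supply the file.
RESTRICT="fetch"

# Called by the package manager when the file is missing from the
# distfiles directory. It only prints instructions.
pkg_nofetch() {
	einfo "The redistribution terms of ${MY_DISTFILE} are not clear."
	einfo "Obtain the file yourself, after making sure you have the"
	einfo "right to do so, and place it in your distfiles directory."
	einfo "The file is still checked against the Manifest digests, so a"
	einfo "copy from any source must match the recorded checksums."
}
```

Because the Manifest digests are checked no matter how the file arrives, fetch restriction moves the choice of download source to the user without weakening the integrity check on the file itself.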


Re: Last rites: games-rpg/nwn-shadowlordsdreamcatcherdemon

Rich Freeman
On Fri, Sep 8, 2017 at 6:09 AM, Ulrich Mueller <[hidden email]> wrote:

>
> Quoting from "all-rights-reserved":
>
> | This package has an explicit "all rights reserved" clause, or comes
> | without any license, or only with a disclaimer. This means that you
> | have only the rights that are granted to you by law. If you have
> | lawfully acquired a copy of the program (e.g., by buying it or by
> | downloading it from the author's site) then in many legislations you
> | are allowed to compile it, run it, make a backup, and to patch it as
> | necessary, without permission from the copyright holder.
>
> Note that it explicitly says "downloading from the author's site".

It also explicitly says "e.g."  This means that this is merely one way
of lawfully acquiring a copy of the program, and that other ways may
exist.  It sounds pedantic but this is the whole reason that "e.g."
exists as opposed to "i.e." and courts certainly would read the policy
in this way because lawyers distinguish between the two all the time.

> I still think that we should handle this in a restrictive way, and
> permit only sites where we can be reasonably certain that they
> distribute the software with the copyright holder's approval.

Sure, that's your opinion, and I have a different opinion, and kentnl
has another opinion.

This is why we have processes to turn those opinions into documented
policies so that we can be consistent.  Failing to do this can cause
all kinds of problems.  Suppose we remove this package.  Suppose we
don't remove some other package with the same problem.  In the absence
of a written policy one way or another somebody could cite your
statement as a concession.

>
> Why not follow kentnl's suggestion? If you don't want to figure out
> what the connection between the author and the download site is, then
> make the ebuild fetch restricted, and have the user download the
> file manually. I'd also suggest to put only the file's basename in
> SRC_URI then.
>

It would be inconvenient for the user.  That's why we don't
fetch-restrict every package in the tree, even though doing so would
lower our risk of getting sued.  Maybe the Linux foundation
redistributes something it shouldn't.  I doubt it, but it could
happen.  If we fetch-restricted the kernel then we'd be covered if
another SCO comes along.  But, that would be ridiculous.  We don't
even do that with things like libcss which are higher risk.

--
Rich
