On 02/20/2015 03:31 AM, Pierre-Yves Chibon wrote:
Earlier this week we pushed in production a system that automatically downloads
new sources of projects packaged in Fedora, adjusts the spec file in distgit to
match the new version and runs a scratch build on koji.
The system takes the new-release information from anitya, opens a ticket on
bugzilla for packages flagged for monitoring on pkgdb and reports whether the
scratch build was successful or not in that bugzilla ticket opened.
Today, I was asked the question whether there could be some legal issue about
automatically downloading new sources and running scratch builds with them.
I guess this could be a problem if a project suddenly went closed source or
started including non-free component(s).
On the other hand, I do not see this as any different from scratch builds performed
on packages before their review on bugzilla.
To clear this, could I have legal's opinion on this question?
I don't see any reason this is any more concerning than people doing
pre-review scratch builds. It might be nice for a message to be
generated for the packager when this happens that says something like:
"A new release of your package ($foo) has been detected and a scratch
build has been attempted. Please keep in mind that with any upstream
change, there may also be packaging changes that need to be made.
Specifically, please remember that it is your responsibility to review
the new version to ensure that the licensing is still correct and that
no non-free or legally problematic items have been added upstream."
... but it isn't required. Consider that a "nice-to-have" request. ;)