Hi,
Earlier this week we pushed into production a system that automatically downloads new sources of projects packaged in Fedora, adjusts the spec file in distgit to match the new version and runs a scratch build on koji. The system takes the new-release information from anitya [1], opens a ticket on bugzilla for packages flagged for monitoring on pkgdb and reports whether the scratch build was successful or not in that bugzilla ticket opened.
Today, I was asked the question whether there could be some legal issue about automatically downloading new sources and running scratch builds with them. I guess this could be a problem if a project suddenly went closed source or started including non-free component(s). On the other hand, I do not see this as any different from scratch builds performed on packages before their review on bugzilla.
To clear this, could I have legal's opinion on this question?
Thanks, Pierre
On 02/20/2015 03:31 AM, Pierre-Yves Chibon wrote:
> Hi,
> Earlier this week we pushed into production a system that automatically downloads new sources of projects packaged in Fedora, adjusts the spec file in distgit to match the new version and runs a scratch build on koji. The system takes the new-release information from anitya [1], opens a ticket on bugzilla for packages flagged for monitoring on pkgdb and reports whether the scratch build was successful or not in that bugzilla ticket opened.
> Today, I was asked the question whether there could be some legal issue about automatically downloading new sources and running scratch builds with them. I guess this could be a problem if a project suddenly went closed source or started including non-free component(s). On the other hand, I do not see this as any different from scratch builds performed on packages before their review on bugzilla.
> To clear this, could I have legal's opinion on this question?
I don't see any reason this is any more concerning than people doing pre-review scratch builds. It might be nice for a message to be generated for the packager when this happens that says something like:
"A new release of your package ($foo) has been detected and a scratch build has been attempted. Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream."
... but it isn't required. Consider that a "nice-to-have" request. ;)
~tom
== Red Hat
On Thu, Feb 26, 2015 at 10:53:47AM -0500, Tom Callaway wrote:
> I don't see any reason this is any more concerning than people doing pre-review scratch builds. It might be nice for a message to be generated for the packager when this happens that says something like:
> "A new release of your package ($foo) has been detected and a scratch build has been attempted. Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream."
> ... but it isn't required. Consider that a "nice-to-have" request. ;)
Introduced upstream here: https://github.com/fedora-infra/the-new-hotness/pull/27
It'll go out to our systems after the alpha infra freeze is up.