The Forgotten "F": A Tale of Fedora's Foundations

Christian Schaller cschalle at redhat.com
Thu Apr 24 22:06:15 UTC 2014


----- Original Message -----
> From: "Stephen John Smoogen" <smooge at gmail.com>
> To: "Development discussions related to Fedora" <devel at lists.fedoraproject.org>
> Sent: Thursday, April 24, 2014 6:46:03 PM
> Subject: Re: The Forgotten "F": A Tale of Fedora's Foundations
> 
> 
> 
> 
> On 24 April 2014 09:56, Stephen Gallagher < sgallagh at redhat.com > wrote:
> 
> 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 04/24/2014 11:01 AM, Stephen John Smoogen wrote:
> > 
> > 
> > 
> > On 24 April 2014 02:49, Christian Schaller < cschalle at redhat.com
> > <mailto: cschalle at redhat.com >> wrote:
> > 
> > Well my point is I spoke to Red Hat legal before I even posted the
> > original proposal to open up to more 3rd party repositories some
> > months ago. There are a lot of repositories that it is perfectly
> > fine for Fedora to include from a legal perspective. But they will
> > need to be reviewed by legal on a case to case basis, going to
> > legal up front and saying 'hey can I include a hypothetical
> > repository' will only yield you the answer 'depends on the
> > repository'.
> > 
> > 
> > OK cool. What is the plan for when repositories change what they
> > are carrying and add stuff that may be legal for them but not for
> > others? Will there be periodic reviews to make sure that this
> > hasn't happened or some way that we roll back what repositories we
> > recommend?
> > 
> 
> 
> At the risk of being glib: What's the plan for periodically
> re-reviewing every package in Fedora to make sure that its sources
> always remain legal?
> 
> It's the same problem and it can only realistically be dealt with by
> "If someone notices, deal with it then."
> 
> There are a couple of differences. If we find that dvdcss was added to a
> package, we can rip out that package, put an update in the repository and
> people who do updates get a package without dvdcss. A third party repository
> is one we don't have any control over. If code that the 3rd party has no
> legal right to ship or fill in problem here, what is our remediation to our
> users? Are we in contributory infringement because we gave the users a way
> to access pirated software that we never intended in the first place? Is
> there an agreement between us and the third party that they are to be
> offering X, that they are legally able to offer X, and that if they are not
> they are to take all liability of offering X?
> 
> These were things that people were wondering when this came up in the past.

Once again this is becoming a debate about hypotheticals which rarely leads anywhere
constructive. 

To take a concrete case instead. Are you really worried about Google starting to ship
dvdcss as part of their Chrome repository? Do you really think that is a question 
keeping our lawyers up at night?

Are there repositories out there where we cannot trust the person or company behind
it enough to include it by default for legal reasons? Sure there are, but you can't say
that just because we would not want to risk shipping the rpm-warez.tor.net repo by default
all 3rd party repos are high risk and something our lawyers would be concerned about. Because
that is the argument you in practice are making when you are posing hypothetical questions about
the risk of 3rd party repos.

Christian

