On 2025-01-07 21:52, Peter Pentchev wrote:
> Hm. That sounds interesting, but I think the Debian project cannot
> protect such a mirror from automatically bringing in non-DFSG content
> that appears in the remote repository. One might even take this one
> step further and go to content forbidden by law in various jurisdictions.
Then we are going to have the same issue implementing automated upstream
release imports in packaging repositories, e.g. with the Janitor, and
this is a service I would very much like to have.
I would worry more about malicious content getting automatically pulled
in. But anyway this can probably be mitigated the way large platforms
do: make it possible to easily report abuse and be diligent in
investigating reports, eventually putting the repository offline until the
issue is cleared. Additional automated checks could be implemented to
suspend updates and require human review e.g. with LICENSE changes
unless the file contents match a whitelist.
Alternatively the mirroring could be implemented to pull only the
release tags after a package is uploaded to the archive (which means
that someone reviewed the changes), and dealt with on a case-by-case
basis for non-free packages or packages that have +dfsg repacking.
Cheers,
--
Julien Plissonneau Duquène
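As an added illustration of the "suspend updates and require human review on LICENSE changes unless the contents match a whitelist" idea from the message above, here is a small pre-import gate. It is example code written for this page, not code from the Debian project, the Janitor, or the thread's authors. It assumes the importer can present the previous and candidate upstream trees as path-to-bytes mappings and that an allow-list of SHA-256 hashes of approved licence texts is maintained elsewhere; the file-name pattern and the sample trees are constructed for the example.

```python
"""Gate an automated upstream import on licence-file changes.

Added example, not code from the Debian thread or the Janitor: any file that
looks like a licence (LICENSE, COPYING, optional extension, any directory)
may only change if its new contents hash to an entry in an allow-list of
approved licence texts. Removals and unrecognised changes suspend the import
and are reported for human review.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Assumed naming convention for licence files; tune for real repositories.
LICENSE_FILE_RE = re.compile(
    r"(^|/)(LICEN[CS]E|COPYING)(\.[A-Za-z0-9]+)?$", re.IGNORECASE
)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of file contents, used as the allow-list key."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class ImportDecision:
    allowed: bool
    flagged: list[str] = field(default_factory=list)


def review_import(
    old_tree: dict[str, bytes],
    new_tree: dict[str, bytes],
    allowed_license_hashes: set[str],
) -> ImportDecision:
    """Compare two trees (path -> contents) and decide whether the import
    may proceed unattended. Non-licence files are not inspected here."""
    flagged: list[str] = []
    for path in sorted(set(old_tree) | set(new_tree)):
        if not LICENSE_FILE_RE.search(path):
            continue
        old, new = old_tree.get(path), new_tree.get(path)
        if old == new:
            continue  # unchanged licence file
        if new is None:
            flagged.append(f"{path}: removed")
        elif sha256_hex(new) not in allowed_license_hashes:
            flagged.append(f"{path}: changed to unrecognised contents")
        # A licence file added or changed to an approved text is fine.
    return ImportDecision(allowed=not flagged, flagged=flagged)


# --- Constructed sample data (not real upstream content) ---------------------
APPROVED_TEXT = b"Permission is hereby granted, free of charge, ... (constructed)\n"
ALLOWED_HASHES = {sha256_hex(APPROVED_TEXT)}

OLD_TREE = {
    "LICENSE": APPROVED_TEXT,
    "src/main.c": b"int main(void) { return 0; }\n",
}
# Ordinary code change, licence untouched: may be imported automatically.
NEW_TREE_OK = dict(OLD_TREE, **{"src/main.c": b"int main(void) { return 1; }\n"})
# Licence replaced by an unknown, restrictive text: hold for review.
NEW_TREE_RELICENSED = dict(OLD_TREE, LICENSE=b"All rights reserved. No redistribution.\n")
# Licence file dropped entirely: hold for review.
NEW_TREE_REMOVED = {"src/main.c": OLD_TREE["src/main.c"]}


if __name__ == "__main__":
    for name, tree in [("ok", NEW_TREE_OK), ("relicensed", NEW_TREE_RELICENSED),
                       ("removed", NEW_TREE_REMOVED)]:
        decision = review_import(OLD_TREE, tree, ALLOWED_HASHES)
        print(name, "allowed" if decision.allowed else "needs review", decision.flagged)
```

The allow-list is keyed on content hashes rather than file names so that a licence file which merely gains a trailing newline or changes a copyright year still needs a human to confirm, which is the conservative choice for an unattended importer.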