One issue that's come up: we're currently doing nothing to guarantee that we're distributing source for three years after binaries have been shipped on GPLed code.
In my opinion, this is a policy matter. We should probably tag packages with a source retention clause in their license (with the duration required), and we should have a policy which somehow guarantees that this requirement is met. [There will obviously be technical issues, too, once we have the policy nailed down.]
But I'm unsure just how much detail needs to go into policy. Opinions?
-- Raul