On Thu, 7 Sep 2017 15:04:34 +0200 Ulrich Mueller wrote:
> >>>>> On Thu, 7 Sep 2017, Rich Freeman wrote:
>
> >>> Do we routinely confirm that any site we list in SRC_URI has
> >>> permission to redistribute files? That seems like a slippery
> >>> slope.
> >>
> >> We don't, and for a package that comes with a license (as the vast
> >> majority of packages does) it normally isn't necessary.
>
> > Why isn't this necessary? How do you know the person issuing the
> > license actually has the right to issue it?
>
> Don't you think there is a difference between downloading a package
> that has a known upstream and that is also carried by other distros,
> and downloading a license-less package from a random location on the
> internet?

If downloaded files are the same (e.g. sha512 hash matches), what's the
difference?

Best regards,
Andrew Savchenko