>>>>> On Thu, 7 Sep 2017, Rich Freeman wrote: > On Thu, Sep 7, 2017 at 5:18 PM, Michał Górny <mgo...@gentoo.org> wrote: >> W dniu czw, 07.09.2017 o godzinie 16∶42 -0400, użytkownik Rich Freeman >> napisał: >>> Are you saying it is sufficient to just point the SRC_URI at the >>> new URL and remove the mask? As far as I can tell that is all that >>> needs to be done. Per the policy the license is readily apparent, >>> so there is no need to contact the authors.
Huh? The very problem here is that the package has *no* license. The LICENSE variable was always mandatory, so originally a package without a license (like the one mentioned in the subject) could not be added to the tree. Or, devs would tag it with the infamous "as-is" license label. Cleaning up the resulting mess was quite a nightmare [1]. Later it was noticed that there is a specific class of software where there is no license, but that are up for download at their author's site. Examples were dev-libs/djb and other packages related to qmail. We then came up with the "all-rights-reserved" license label [2], in order to permit such software in the tree. (You should be aware of this, because you were a trustee back then). Quoting from "all-rights-reserved": | This package has an explicit "all rights reserved" clause, or comes | without any license, or only with a disclaimer. This means that you | have only the rights that are granted to you by law. If you have | lawfully acquired a copy of the program (e.g., by buying it or by | downloading it from the author's site) then in many legislations you | are allowed to compile it, run it, make a backup, and to patch it as | necessary, without permission from the copyright holder. Note that it explicitly says "downloading from the author's site". I still think that we should handle this in a restrictive way, and permit only sites where we can be reasonably certain that they distribute the software with the copyright holder's approval. >> I don't know what is sufficient. It's your business as the new >> maintainer to figure it out and take the responsibility. If there's >> nobody willing to do that, then we don't get to keep the package. >> Simple as that. > And how would I figure it out, considering that simply asking on the > list doesn't seem to yield a straight answer? Do you really need me > to put it on the Council agenda? Or do we unmask it, let QA mask it > 10 minutes later, then go back and forth for a month, and THEN put it > on the Council agenda? Why not follow kentnl's suggestion? If you don't want to figure out what the connection between the author and the download site is, then make the ebuild fetch restricted, and have the user download the file manually. I'd also suggest to put only the file's basename in SRC_URI then. Ulrich [1] https://bugs.gentoo.org/436214 [2] https://bugs.gentoo.org/444424
pgpfrj8f19GzK.pgp
Description: PGP signature
