Serious concerns about ARB policy (was Re: Basenji)

[Shane Fagan]

On Sat, 2010-10-02 at 14:10 -0400, Elliot Murphy wrote:
> In which the author argues in defense of insane hack jobs...
> 
> 
> On Oct 2, 2010, at 1:21 PM, Shane Fagan <shanepatrickfagan at ubuntu.com>
> wrote:
> > The problem here is a few things. 1. we have to guarantee that the
> > app
> > is appropriately licensed before the app is put anywhere near a repo
> > to
> > cover our ass. Also if they are using patched together libs with
> > different licenses they might be incompatible with each other and
> > thats
> > a problem with distribution too.
> 
> 
> First, thanks for discussing this. So my perspective on this one is
> that we should not have any legal/copyright/licensing/documentation
> requirements more restrictive than the ones for a PPA. PPAs and the
> extras repo are both hosted in the same datacenter by the same legal
> entity, and are providing apps that are not part of the Ubuntu
> platform but instead run on top of it. To submit to ARB people already
> need to have a PPA set up and agree to conform to the terms of
> service. Anyone know why we would need additional requirements or
> checks beyond this?
> 
> > 2. The app should where possible use
> > the libs in the repo rather than using insane hack jobs on libs and
> > patching together their apps with those.
> 
> 
> As an engineer, I'd agree with you (although I'm coming to question
> the engineering merits of this too). As an ARB reviewer and an
> advocate of software freedom, I disagree that we should be penalizing
> apps for this. Insane hack jobs on libs and patching together an app
> that does something cool by copying code from a dozen other free
> software projects is one of the fundamental freedoms that free
> software licenses seek to enable. We should not dissuade people from
> exercising that right, we should celebrate it. Using factored out
> system libraries is an optimization intended to ease maintenance and
> reduce the size of packages, and I think the effort/reward of using
> system libraries vs a monolithic app with bundled libraries is now
> somewhat questionable. The most famous example that comes to mind is
> google chrome, and bundling libraries is a common practice in Android,
> Windows, iOS, OS X, and embedded systems. I think we should reject
> apps that try to modify system libs in a way that impacts other parts
> of the system, but an app that forks or copies chunks of code from
> part of the system and privately bundles it into the app I think
> should be allowed.
> 
> 
> If there is a licensing violation in an app that has been published
> into extras, I think the app should be pulled and the author alerted,
> but the ARB should not be responsible for detecting licensing or
> copyright problems. If the ARB notices a problem then we should
> address it, but I don't think we should be checking the way an archive
> admin does on the NEW queue.
> 
> > For most other apps that this board will review should have <1000
> > lines
> > of code in the main project not including the setup files..etc.
> 
> 
> I disagree with this. 1000 lines is a very tight budget even for
> python. I don't think we should have a lines of code size restriction,
> although a larger app will naturally take longer to go through code
> audit than a tiny app.

All of that sounds fair enough. If the checks and balances are in the
ppa system already and the archive admin for the copyright issues thats
good. The size of the app should be restricted to some extent maybe 1000
lines is seriously low but there should be some upper limit to make sure
we dont end up with something that is too large to give a good quality
review.

For the case of very very large apps we should just tell them to go to
universe since its very hard to check every line of 10000 lines of code
or more in a good way.

On the bundled libraries thing we have a seriously different system to
most of those platforms expect android but most apps dont ship libraries
on android either but they dont restrict it so I can see where you are
coming from. Id say we should suggest not bundling libraries but not
doing it as a hard requirement.


--fagan