AppDevUploadProcess Automatic reviews

Scott Kitterman ubuntu at kitterman.com
Fri Sep 7 15:41:43 UTC 2012


On Friday, September 07, 2012 05:35:44 PM Philipp Kern wrote:
> Scott,
> 
> On Fri, Sep 07, 2012 at 10:07:28AM -0400, you wrote the following:
> > The current goal for the Ubuntu archive is to prevent distribution of
> > content which Canonical and the mirror providers don't have legal
> > authorization to distribute.  Changing from a proactive verification
> > model (which is what we use now, although it relies generally on self
> > assertions in the code so it's imperfect) to a reactive model where code
> > is considered distributable based on a third party assertion until
> > someone complains seems like a very substantial change.
> 
> I think that's also because we ask people to mirror stuff that Debian (and
> by extension Ubuntu) does proactive checks.

I think that's part, but not all of it.  Simply ceasing to distribute works
that are not legally distributable, except in very specific circumstances (safe
harbor), isn't enough to get an entity off the legal hook entirely.

> > IANAL either, but this seems risky to me.  At the very least, I'd suggest
> > engaging them early to make sure they are comfortable with the concept of
> > not checking (new work item) and you'll need to figure out how you'll
> > deal with take down requests (another new work item).  If it turns out
> > applications have been distributed illegally, do you intend a way to
> > remotely remove them?
> I don't think there is any requirement to remotely remove such content
> (except if it's malicious, maybe). On the contrary I think people would be
> yelling at you, especially if they paid for the content (c.f. Amazon).
> 
> For Android you mainly risk your sign-up fee given that with every upload
> you state that you have the necessary rights. If the distribution point
> ceases to distribute the 3rd party content when he's made aware of a
> violation that seems to be fair. However that wouldn't go along well
> with mirroring this repository.

I agree it's not necessary and I wasn't trying to imply it was.  I also agree 
that there would be, at a minimum, a lot of yelling.  I asked because it's one
way to deal with parts of the problem, not that it's inherently necessary.

It may be sufficient (IANAL, still), but I think the potential legal questions 
involved go well beyond checking if the ToS need to be updated and the spec 
should reflect that work.

Scott K


