On 04/02/2018 06:39 PM, Christopher wrote:
> On 04/02/2018 11:15 AM, Tom Callaway wrote:
> > Most of you are very good about this, and I appreciate it. However,
> > lately, at least one package cleared review and landed in Fedora which
> > was obviously infringing upon both copyrights and trademarks (in
> > egregious ways), so I felt it useful to remind everyone of this.
> >
> > Thanks,
> >
> > ~tom
> > (your friendly neighborhood Fedora Legal enforcer)
> What are Fedora's mitigation procedures when an infringement is
> discovered? Are these documented anywhere?
I should probably document them, as they currently only live in my head. :)
Essentially, the flow is:
* If there is not a Fedora bug open on it, go ahead and get one open.
  Block it on FE-Legal. (Anyone can do this, doesn't need to be me.)
* If, for some reason, there is a need for the issue to be private, I
  at least bring the maintainer into the loop via email.
* Check to see if this is resolved already upstream. If it is, apply the
  fix. If not, open a ticket with the upstream (whenever there is a way
  to do that) explaining the concern as specifically as I can (it is not
  always possible for me to be precise, especially if patents are in
  play).
* Is this something that I can simply fix without having any functional
  impact on the package? (e.g. removing trademarked images)
  * If yes, I go ahead and do it. Also send our fix upstream.
* Is this risky to keep as-is while we get the issues resolved?
  (This is admittedly a bit of a judgment call, but I always try to
  minimize impact on Fedora.)
  * If yes, we take steps to immediately halt distribution, like
    removing builds from Koji and the compose trees. In some extreme
    cases, we might also remove builds from EOL releases.
  * If no, document how we can get this resolved and make a plan with
    the maintainer & upstream.
*****
We really want to get these caught _before_ they go into Fedora whenever
possible, which is a big part of why we do Review Requests.
~tom