
AlmaLinux's response to Red Hat's policy change


Posted Jul 3, 2023 12:43 UTC (Mon) by farnz (subscriber, #17727)
In reply to: AlmaLinux's response to Red Hat's policy change by Wol
Parent article: AlmaLinux's response to Red Hat's policy change

Then you get into the problem of defining "upstream source" sufficiently well to avoid the shell game, without other unintended consequences.

The shell game has party A modify the source, and distribute binaries. Party B gets source and binaries from A, and passes on an unmodified binary to party C. Party C is now in a position to claim that as far as they know, they're distributing binaries from unmodified upstream source; this is backed by an affidavit from party B that they are distributing the binary as supplied to them by party A.

You find out that party C is distributing a binary that doesn't match your source, and start the enforcement process; party C notifies party B who notifies party A, causing party A to be wound up by its owner. Now you have a problem - party C does not have source, but is distributing a binary that's unmodified from the sources party A published (but has stopped publishing now they're out of business). Party B has source, so can seed a new party A, but you've run out of enforcement options, since party B can also prove that they distributed a binary built from unmodified sources from A, and thus they do not have a requirement to publish source, either. Party A does have an obligation to publish their sources, but they no longer exist, so you can't enforce against them.

This is why I've proposed an "ensure people can get the source" requirement, instead of a "distribute sources" requirement - C is then required to make sure that people can get the source, but if A is distributing sources, then C meets their requirements by pointing to A's distribution, for as long as A continues to distribute. If A stops distributing, C can't do that any more, and has to find a new way to meet their obligations.




Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds