On Tue, 31 May 2022 21:28:38 +0200 Imre Jonk <imre@imrejonk.nl> wrote:
Yeah this is the right thing to do I suppose. This morning I contacted a Dutch IT lawyer who regularly writes in public about questions his readers ask him. Hopefully he can shine a light on this, at least for mirror operators in the Netherlands (and possibly all of Europe).
He was kind enough to answer my question on this Dutch IT news website: https://www.security.nl/posting/757086/Voldoet+een+Linux-distributie+aan+de+... I'll try to summarize his answer in English here: [begin summary] Software for Arch Linux is often distributed only in compiled form. That poses a challenge under the GPL, which mandates that source code accompanies it. It is of course easy to obtain the sources if you want to, and because of this few would complain. That hasn't ever stopped a copyright lawyer however. A lot of software in Linux context is GPLv2-licensed. This license from 1991 requires that you accompany the compiled software with its sources or a written offer that can be used to obtain the sources. You have to see this in a 1991 context, when it was hard and time-consuming to find and download source code and snail mail was faster. The underlying argument is that the receiver of the compiled software must have easy access to its sources. A contractual obligation will always be interpreted by a judge in the context of the current situation. In 2022, it is easier for most people (especially developers) in the Western world to just download the sources instead of receiving it by snail mail. I therefore expect that a judge will approve of the argument that a URL to the sources is sufficient. GPLv3 article 6 section d allows for distributing the source code through a third party's server. The distributor of the compiled software is however responsible for the availability of the source code at the specified location. [end summary] My takeaway from his answer is that, as long as the sources are easily available to anyone obtaining the compiled software, the "spirit" of the license is being followed, and that's what matters most. It is still debatable whether a mirror operator is a software distributor or simply an intermediary between the Arch Linux project and the end user, and to what extent the mirror operator is responsible for carrying out the obligations under the GPL and other licenses. If a mirror operator is found to be a software distributor, then there may be some responsibilities under those licenses. One thing that a mirror operator can do here is simply link to a place where the sources can be obtained. That makes it easy for anyone interested in the compiled software on their mirror to obtain the source code, and could therefore lower the legal risk. The mirror operator would then need to ensure that the sources are actually available at the location they link to. If the operator has disk space and bandwidth to spare, then the better solution would of course be to mirror sources as well.