On Sun, 29 May 2022 10:24:54 -0400 Tyler Dence <tyzoid.d@gmail.com> wrote:
> Other mirrors already have the sources, and you can always get a copy to manually build the package.
Sure. In practice, obtaining the sources of Arch packages from other mirrors is fairly straightforward. However, I'm trying to address the legal risk of the mirror operator who does not mirror the sources themselves. The GPLv2 does not allow distributing compiled software without accompanying the source code or a written offer. If I'm not mistaken, this means that a mirror operator does not get the proverbial get-out-of-jail-free card by simply pointing to another mirror. The GPLv3 does allow directing to a different server (optionally operated by a third party, e.g. a different mirror). However, the requirements for this are quite strict (see subsection 6d) and I don't think that Arch mirrors currently comply with this method.
> Distributing the source on your own is really only important if you're hosting binaries compiled from modified sources.
Well, let's take 'linux-lts' as an example. The binary package gets built from the upstream source tarball and some Arch-specific patches. However, it does not contain 'clear directions' to these sources, nor do mirror operators actively point to them. What's more, the Linux kernel is GPLv2 licensed, meaning that merely pointing to sources on another server is, as I wrote above, not enough.
> See https://www.gnu.org/licenses/gpl-faq.en.html#SourceInCVS
Note that this FAQ entry talks about *your* version control system, not a third-party one.