On Sun, May 29, 2022 at 03:45:49PM +0200, Imre Jonk wrote:
> Hi all,

Yo!

> I'm not sure if this is the right place to address this issue; as far
> as I'm aware, there is no Arch mailing list or forum for legal matters.
> What I'd like to discuss is the (unnecessary?) legal risk that mirror
> operators are exposed to when they don't mirror source packages.

There isn't any list to discuss legal matter so this is fine.

However, please realize that legal matters are down to interpretations of text
which can be interpreted narrowly or broadly. Clarifying which interpretation
you decide to understand the legal text under is important.

Neither of us are lawyers so lets hold off on claiming Arch is putting mirrors
in legal risk on this list because you decided to read over the license text.

I did however check with someone close with Free Software matters and they
believe it should be fine.

> I believe that most mirrors are violating article 6 of the GPLv3 (or
> article 3 of the GPLv2). My reasoning goes like this:
>
> - The Arch repositories contain some software that is released under the
>   GPL (or GPL-like) license.
> - Anyone distributing GPL-licensed software in compiled form is
>   obligated to distribute the source code as well, either alongside the
>   compiled software or, when accompanied by a 'written offer', on
>   request at a later date. (there are a few more ways under the GPLv3
>   but I don't think they apply)
> - Few mirrors provide source packages, and as far as I'm aware, there
>   are no mirrors out there that accompany the compiled software with a
>   written offer.
> - Ergo, most Arch mirrors are violating the GPL.

All of these assumptions are a narrow definition of the GPL2  and GLP3. It's
important to realize the GPL licenses are vague enough that any bad faith
interpretation of the text can easily be construed to claim "you are violating
the license".

Neither GPL2 nor GPL3 makes any strict claims the source needs to be distributed
from the same server as the binaries.

Section 6d claims "regardless of what server hosts the corresponding source" and
6e open up for "peer-to-peer" transmission of the source. It is only demanded
it's explained how to get it, and that is done on the archwiki free of charge as
the license demands.

The main issue is "next to the object source"; If we regard "archlinux.org" as
the software distributor, and the mirrors an extension of this service, then a
broad definition of the above can be interpreted as having links on
"wiki.archlinux.org" for how to access the source would be fine.

Else you can email us and get a link, which you'd promptly get.

The above coupled with the FAQ entry linked earlier and I don't think we can be
violating any license under a reasonable interpretation of the GPL.

However, unless you start engaging someone who can deal with legal matters we
are only laymans that read the license and come to some conclusion. If you think
we are doing something different from what other Linux distributions are doing
please do tell us and we can figure out how to solve any discrepancies.

Speculating about the meaning of GPL is not really useful.

(None of the above should be taken as legal advice, neither any discussion in this thread.)

--
Morten Linderud
PGP: 9C02FF419FECBE16