Not mirroring sources: a GPL violation?
Hi all,
I'm not sure if this is the right place to address this issue; as far as I'm aware, there is no Arch mailing list or forum for legal matters. What I'd like to discuss is the (unnecessary?) legal risk that mirror operators are exposed to when they don't mirror source packages.
I believe that most mirrors are violating article 6 of the GPLv3 (or article 3 of the GPLv2). My reasoning goes like this:
- The Arch repositories contain some software that is released under the GPL (or GPL-like) license.
- Anyone distributing GPL-licensed software in compiled form is obligated to distribute the source code as well, either alongside the compiled software or, when accompanied by a 'written offer', on request at a later date. (there are a few more ways under the GPLv3 but I don't think they apply)
- Few mirrors provide source packages, and as far as I'm aware, there are no mirrors out there that accompany the compiled software with a written offer.
- Ergo, most Arch mirrors are violating the GPL.
Note that I am by no means a GPL expert. Maybe I'm making some false assumption or other error in my reasoning, in which case, please feel free to point that out.
I noticed that the ArchWiki considers mirroring sources optional [1], making it seem like the author of that article encourages violating the GPL in order to save some bandwidth and a bit of disk space. That article also mentions that the size of the 'sources' component was about 50 GiB in March 2018. I can't imagine it being significantly larger by now.
[1] https://wiki.archlinux.org/title/DeveloperWiki:NewMirrors#Mirror_size
I've been looking for old discussions on this topic and only found a short mention in this forum thread: https://bbs.archlinux.org/viewtopic.php?pid=1778318#p1778318
I'd love to hear your thoughts on this.
Imre
Other mirrors already have the sources, and you can always get a copy to manually build the package. Distributing the source on your own is really only important if you're hosting binaries compiled from modified sources.
See https://www.gnu.org/licenses/gpl-faq.en.html#SourceInCVS
On Sun, 29 May 2022 10:24:54 -0400 Tyler Dence <tyzoid.d@gmail.com> wrote:
> Other mirrors already have the sources, and you can always get a copy to manually build the package.
Sure. In practice, obtaining the sources of Arch packages from other mirrors is fairly straightforward. However, I'm trying to address the legal risk of the mirror operator who does not mirror the sources themselves. The GPLv2 does not allow distributing compiled software without accompanying the source code or a written offer. If I'm not mistaken, this means that a mirror operator does not get the proverbial get-out-of-jail-free card by simply pointing to another mirror. The GPLv3 does allow directing to a different server (optionally operated by a third party, e.g. a different mirror). However, the requirements for this are quite strict (see subsection 6d) and I don't think that Arch mirrors currently comply with this method.
> Distributing the source on your own is really only important if you're hosting binaries compiled from modified sources.
Well let's take 'linux-lts' as an example. The binary package gets built from the upstream source tarball and some Arch-specific patches. However, it does not contain 'clear directions' to these sources, nor do mirror operators actively point to them. What's more, the Linux kernel is GPLv2 licensed, meaning that merely pointing to sources on another server is, as I wrote above, not enough.
> See https://www.gnu.org/licenses/gpl-faq.en.html#SourceInCVS
Note that this FAQ entry talks about *your* version control system, not a third-party one.
On Sun, May 29, 2022 at 03:45:49PM +0200, Imre Jonk wrote:
> Hi all,
Yo!
> I'm not sure if this is the right place to address this issue; as far as I'm aware, there is no Arch mailing list or forum for legal matters. What I'd like to discuss is the (unnecessary?) legal risk that mirror operators are exposed to when they don't mirror source packages.
There isn't any list to discuss legal matters so this is fine.
However, please realize that legal matters are down to interpretations of text which can be interpreted narrowly or broadly. Clarifying which interpretation you decide to understand the legal text under is important.
Neither of us are lawyers so let's hold off on claiming Arch is putting mirrors in legal risk on this list because you decided to read over the license text.
I did however check with someone close with Free Software matters and they believe it should be fine.
> I believe that most mirrors are violating article 6 of the GPLv3 (or article 3 of the GPLv2). My reasoning goes like this:
> - The Arch repositories contain some software that is released under the GPL (or GPL-like) license.
> - Anyone distributing GPL-licensed software in compiled form is obligated to distribute the source code as well, either alongside the compiled software or, when accompanied by a 'written offer', on request at a later date. (there are a few more ways under the GPLv3 but I don't think they apply)
> - Few mirrors provide source packages, and as far as I'm aware, there are no mirrors out there that accompany the compiled software with a written offer.
> - Ergo, most Arch mirrors are violating the GPL.
All of these assumptions are a narrow definition of the GPL2 and GPL3. It's important to realize the GPL licenses are vague enough that any bad faith interpretation of the text can easily be construed to claim "you are violating the license".
Neither GPL2 nor GPL3 makes any strict claims the source needs to be distributed from the same server as the binaries.
Section 6d claims "regardless of what server hosts the corresponding source" and 6e opens up for "peer-to-peer" transmission of the source. It is only demanded it's explained how to get it, and that is done on the archwiki free of charge as the license demands.
The main issue is "next to the object source"; If we regard "archlinux.org" as the software distributor, and the mirrors an extension of this service, then a broad definition of the above can be interpreted as having links on "wiki.archlinux.org" for how to access the source would be fine.
Else you can email us and get a link, which you'd promptly get.
The above coupled with the FAQ entry linked earlier and I don't think we can be violating any license under a reasonable interpretation of the GPL.
However, unless you start engaging someone who can deal with legal matters we are only laymen that read the license and come to some conclusion. If you think we are doing something different from what other Linux distributions are doing please do tell us and we can figure out how to solve any discrepancies.
Speculating about the meaning of GPL is not really useful.
(None of the above should be taken as legal advice, neither any discussion in this thread.)
--
Morten Linderud
PGP: 9C02FF419FECBE16
Perhaps, if it would ease mirror operators' minds (especially our commercial partners), it might be wise to put a "readme.txt" or "sources.txt" file in the root of the mirrored directory explaining how/where one might obtain the sources?
On Mon, 30 May 2022 12:11:48 -0400 Tyler Dence <tyzoid.d@gmail.com> wrote:
> Perhaps, if it would ease mirror operators' minds (especially our commercial partners), it might be wise to put a "readme.txt" or "sources.txt" file in the root of the mirrored directory explaining how/where one might obtain the sources?
Yes, I think that would be wise. The GPLv3 allows pointing to another server where the sources can be obtained in order to fulfill the article 6 obligation. However, the GPLv2 does not seem to allow that, instead requiring a 'written offer' that would basically be a promise from the operator to anyone who obtains the compiled software from their mirror. They would promise to provide a copy of the source code to them at a later date, up to three years in the future. I can see some theoretical issues with that. In practice though, I have never heard of an open source mirror operator who has faced legal threats because they were mirroring GPL-licensed software.
What would be even better of course is if more (preferably all) mirrors would start mirroring the source packages alongside the binary packages. As I said in my previous email, other Linux distributions do this too.
A quick comment on those commercial partners you mention: it is not at all my intention to fearmonger Arch sponsors (or anyone contributing mirror capacity) into rethinking their involvement in this great community project. Sorry if it might seem this way :(
Hello,
Entirely personal opinion here, and not of any company or organization I am/have been associated with.
------- Original Message -------
On Monday, May 30th, 2022 at 2:44 PM, Imre Jonk <imre@imrejonk.nl> wrote:
> On Mon, 30 May 2022 12:11:48 -0400 Tyler Dence tyzoid.d@gmail.com wrote:
>> Perhaps, if it would ease mirror operators' minds (especially our commercial partners), it might be wise to put a "readme.txt" or "sources.txt" file in the root of the mirrored directory explaining how/where one might obtain the sources?
We did something similar to this on the main page of the mirror that had:
1. Where we synced the files from (rsync/http/etc. and source mirror URL)
   Caveat - There are some exceptions where the source mirror is private and we could not mention their org's internal mirror URL
2. How often/when we sync the files (generally 1-4x a day, stepped over ~6hrs to prevent network saturation)
3. Where to find those files root folder on our mirror
4. Where the ISO files or primary software binaries were located
5. The source organization's website, eg. kernel.org, gnu.org, etc.
It would be trivial to link to the page that had the sources from the particular distro (eg, the Arch Linux source folder, or the wiki). It could even be on an index page that mirror operators are provided if it comes to that, somewhat like what Ubuntu does [1, 1a].
> Yes, I think that would be wise. The GPLv3 allows pointing to another server where the sources can be obtained in order to fulfill the article 6 obligation. However, the GPLv2 does not seem to allow that, instead requiring a 'written offer' that would basically be a promise from the operator to anyone who obtains the compiled software from their mirror. They would promise to provide a copy of the source code to them at a later date, up to three years in the future. I can see some theoretical issues with that. In practice though, I have never heard of an open source mirror operator who has faced legal threats because they were mirroring GPL-licensed software.
Not a legal threat per se, but there was one time in 2020 that a major web search provider threatened to de-list our organization's domain name in search results, because of the hosting of an older Mailman package from the /gnu folder on the mirror. They said that if we did not remove the "malware" from the server that we would not be listed in their search results anymore, which would be really bad for our organization since that's (presumably) where we get a lot of site views and promote our organization.
We did a lot of investigation because it was a pretty real threat that someone could have compromised the infrastructure of a parent mirror; we looped in the parent organization's seasoned CISSP, we brought down the network infrastructure immediately, and started from the ground up on what was good and what could be bad, looking for threat actors, etc.
In reality, after a few days of investigation, what ended up being the problem was the "malware" was the test malware suite that came with Mailman that provided test cases in Mailman 2.1.4. At the time it gave us a false positive on VirusTotal [2], but now it doesn't [3]. Note how the SHA256 sums for the contents match exactly.
Our CISSP's original suggestion was to either remove the file from rsync or to just blackhole the file from HTTP and only provide it over rsync. Those have some relatively bad implications for downstream mirrors where we were the source mirror if other large companies asked us to take down stuff or threat stuff.
After a lot of discussion with the parent organization, we came to a reasonable solution. We solved it by setting nginx to route all bot user agents to get provided a 403 on the mirror website, which resolved the issue. If that was not sufficient, we were prepared to have nginx 403 anyone that requested that file over HTTP, but that's not a great solution.
> What would be even better of course is if more (preferably all) mirrors would start mirroring the source packages alongside the binary packages. As I said in my previous email, other Linux distributions do this too.
I don't mirror sources on my personal mirror because it's a waste of disk space, I could be running other homelab-y stuff in that space. For Arch Linux, the sources are not too bad (one of the smallest Linux distros on that mirror at 3rd/4th?), but in other distros like Fedora, it can be upwards of dozens of terabytes (over ~25TB) [4] to mirror all of the sources and binaries they have available. Granted, most of them are "archives", but most mirrors probably want to mirror that too if they are to be a "useful" public mirror?
> A quick comment on those commercial partners you mention: it is not at all my intention to fearmonger Arch sponsors (or anyone contributing mirror capacity) into rethinking their involvement in this great community project. Sorry if it might seem this way :(
Those are my two cents. I'm sure there are much more experienced mirror operators out there. But, I hope that the above experiences help to raise these points:
1. Mirror operators do sometimes have to take requests with regards to security from their (parent) organizations and from external organizations, and they may not be able to talk about it.
2. If a distro offers software that has questionable legal status, it may not be able to be hosted by some mirrors. (I'm sure that if Arch Linux offered compiled AUR packages that it would violate a whole bunch of more restrictive software licenses and we would not mirror that folder either)
Have a good one,
Jared D.
[1]: https://mirrors.edge.kernel.org/ubuntu-releases/HEADER.html
[1a]: http://releases.ubuntu.com/
[2]: https://www.virustotal.com/gui/file/4d47ca9bb28b602a8245dbdd0384e8326c3c813a...
[3]: https://www.virustotal.com/gui/url/aa5e9bab3ec7df18b38d8203a0d001a2ffac818bb...
[4]: https://dl.fedoraproject.org/pub/DIRECTORY_SIZES.txt
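The nginx handling described in the message above (a 403 for bot user agents on the mirror website, with a per-file 403 over HTTP held in reserve), sketched as an added example; it is not the configuration that mirror actually ran. The user-agent pattern, host name, document root and file location are assumptions or placeholders, since the thread gives none of them.

```nginx
# Constructed example, not the mirror's real configuration.
events {}

http {
    # Classify crawler-style user agents. The pattern is an assumption; the
    # message does not say which agents were matched.
    map $http_user_agent $mirror_is_bot {
        default                      0;
        "~*(bot|crawl|spider|slurp)" 1;
    }

    server {
        listen      80;
        server_name mirror.example.org;   # placeholder host name
        root        /srv/mirror;          # placeholder document root

        location / {
            # Crawlers get a 403 on the website; people and package
            # managers still browse and download normally.
            if ($mirror_is_bot) {
                return 403;
            }
            autoindex on;
        }

        # Fallback the message mentions but did not need: refuse one file
        # over HTTP for every client. The file stays on disk, so rsync
        # (a separate daemon) keeps serving it to downstream mirrors.
        # location = /gnu/PLACEHOLDER-FLAGGED-FILE {
        #     return 403;
        # }
    }
}
```

Saved as a stand-alone file, the syntax can be checked with `nginx -t -c /path/to/file` before it is merged into a live configuration.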
On Mon, 30 May 2022 09:24:28 +0200 Morten Linderud <foxboron@archlinux.org> wrote:
> However, please realize that legal matters are down to interpretations of text which can be interpreted narrowly or broadly. Clarifying which interpretation you decide to understand the legal text under is important.
> Neither of us are lawyers so let's hold off on claiming Arch is putting mirrors in legal risk on this list because you decided to read over the license text.
Sure thing. To clarify: I'm not claiming this at all, I'm just wondering out loud whether this might be the case.
> I did however check with someone close with Free Software matters and they believe it should be fine.
That certainly sounds like good news. Would you care to ask them to clarify this a bit more?
> All of these assumptions are a narrow definition of the GPL2 and GPL3. It's important to realize the GPL licenses are vague enough that any bad faith interpretation of the text can easily be construed to claim "you are violating the license".
Most likely. Also, GPL enforceability is a whole other can of worms. Each (free) software license has its downsides. Maybe this is why there are so many of them.
> Neither GPL2 nor GPL3 makes any strict claims the source needs to be distributed from the same server as the binaries.
To clarify: this was not what I said. I said that the GPLv2 does not allow distributing compiled software without accompanying the source code _or_ a written offer.
> Section 6d claims "regardless of what server hosts the corresponding source" and 6e opens up for "peer-to-peer" transmission of the source. It is only demanded it's explained how to get it, and that is done on the archwiki free of charge as the license demands.
I too believe that the Arch Linux project fulfills its obligations under the GPL just fine. The question is whether the mirror operators, who could be seen as completely separate entities but at the same time also distributors of copyrighted software, do too.
> The main issue is "next to the object source"; If we regard "archlinux.org" as the software distributor, and the mirrors an extension of this service, then a broad definition of the above can be interpreted as having links on "wiki.archlinux.org" for how to access the source would be fine.
> Else you can email us and get a link, which you'd promptly get.
> The above coupled with the FAQ entry linked earlier and I don't think we can be violating any license under a reasonable interpretation of the GPL.
I think 'reasonable' is the magic word most of the time in legaland. A hypothetical court case over alleged GPL violations would likely be preceded by a judge who is capable of coming to a reasonable verdict. That said, this thread is about hypothetical legal risks to mirror operators. If those risks are found to be substantial (and I must say that I don't feel qualified to make such a claim), then we should reconsider the optionality of source code mirroring. We could also consider encouraging mirror operators to mirror the sources as well, just to be on the safe side.
> However, unless you start engaging someone who can deal with legal matters we are only laymen that read the license and come to some conclusion. If you think we are doing something different from what other Linux distributions are doing please do tell us and we can figure out how to solve any discrepancies.
This is exactly what sparked my curiosity on this topic :) I've been using Debian for a long time before recently giving Arch a try. All Debian mirrors serve, alongside the binary packages, the original source tarballs (*.orig.tar.gz) and the Debian-specific patches (*.debian.tar.gz).
Now as said in the forum post I linked earlier [1], there are a few Arch mirrors that mirror the sources too (it would be great if their operators can chip in!). These source packages contain both the original source tarballs and the Arch-specific patches, so kinda like how all Debian mirrors do it.
[1] https://bbs.archlinux.org/viewtopic.php?pid=1778318#p1778318
> Speculating about the meaning of GPL is not really useful.
Well it can be useful to discuss the "what ifs". Maybe we can all learn from this exercise. I agree that a copyright lawyer would be a lot more qualified to speak on this topic. Sadly I don't know any :/
On Sun, 29 May 2022 at 09:46, Imre Jonk <imre@imrejonk.nl> wrote:
> Hi all,
> I'm not sure if this is the right place to address this issue; as far as I'm aware, there is no Arch mailing list or forum for legal matters. What I'd like to discuss is the (unnecessary?) legal risk that mirror operators are exposed to when they don't mirror source packages.
Mirrors are simply acting as a service provider and therefore they don't have the same risks as infringing parties. Services like Cloudflare or AWS S3 aren't responsible for the content they are serving, and the mirrors are pretty much offering the exact same service. The only responsibility we have is to respond to DMCA or GDPR requests.
-Konstantin
On Mon, 30 May 2022 15:05:46 -0400 Konstantin Ryabitsev <konstantin@linuxfoundation.org> wrote:
> Mirrors are simply acting as a service provider and therefore they don't have the same risks as infringing parties. Services like Cloudflare or AWS S3 aren't responsible for the content they are serving, and the mirrors are pretty much offering the exact same service. The only responsibility we have is to respond to DMCA or GDPR requests.
That is a really good point, I hadn't thought of that! A service provider can hardly be held accountable for the content that traverses its systems, at least when they are a 'mere conduit'.
However, if a mirror operator makes the decision to leave out the source packages from the content that they serve (thereby acting as a moderator), wouldn't that make them liable for that very same content? In other words, if you leave out the sources, can't you be held accountable for leaving out the sources?
I'm curious, did you ever get a DMCA or GDPR request for something that happened on your mirror, and have you ever taken something down because of it?
On Mon, May 30, 2022 at 09:47:32PM +0200, Imre Jonk wrote:
> However, if a mirror operator makes the decision to leave out the source packages from the content that they serve (thereby acting as a moderator), wouldn't that make them liable for that very same content?
I don't think so, but then I'm not a lawyer (and you need *your own* lawyer licensed in your jurisdiction to properly answer this question). :)
> In other words, if you leave out the sources, can't you be held accountable for leaving out the sources?
I don't believe there's a legal basis for this (but see my note above). You're still a service provider moving bits for someone else. If you put Cloudflare in front of your mirror, but they don't cache some of the source packages because they are too large, that's not going to make Cloudflare liable for license violations.
> I'm curious, did you ever get a DMCA or GDPR request for something that happened on your mirror, and have you ever taken something down because of it?
Never, but that doesn't really mean it can't happen.
-Konstantin
On Mon, 30 May 2022 16:48:53 -0400 Konstantin Ryabitsev <konstantin@linuxfoundation.org> wrote:
>> However, if a mirror operator makes the decision to leave out the source packages from the content that they serve (thereby acting as a moderator), wouldn't that make them liable for that very same content?
> I don't think so, but then I'm not a lawyer (and you need *your own* lawyer licensed in your jurisdiction to properly answer this question). :)
Yeah this is the right thing to do I suppose. This morning I contacted a Dutch IT lawyer who regularly writes in public about questions his readers ask him. Hopefully he can shine a light on this, at least for mirror operators in the Netherlands (and possibly all of Europe).
> If you put Cloudflare in front of your mirror, but they don't cache some of the source packages because they are too large, that's not going to make Cloudflare liable for license violations.
No, probably not. If Cloudflare doesn't cache some files purely for technical reasons (e.g. they are too large), then they would in some sense remain neutral. Maybe leaving out files *because* they are source packages, knowing that some intellectual property holders disagree with this practice as evident by the licenses under which they publish their software, is a bit less neutral. It is hard to make the case that you can successfully serve a binary package but not a source package. Or maybe you can, but in that case GPLv3 art. 6 and GPLv2 art. 3 would be incredibly easy to circumvent. To draw a parallel with net neutrality: my ISP prioritizes IPTV traffic over their network because if they didn't, the TV stream to a customer would be interrupted each time that customer simultaneously downloaded a large file. They also prioritize some other traffic (I believe ICMP and VoIP) for purely technical reasons as well. They still remain neutral as to the content that traverses their networks.
>> I'm curious, did you ever get a DMCA or GDPR request for something that happened on your mirror, and have you ever taken something down because of it?
> Never, but that doesn't really mean it can't happen.
Indeed it doesn't. I hope you won't have to deal with these kinds of requests (or demands really), sounds like it could be quite a hassle.
On Tue, 31 May 2022 21:28:38 +0200 Imre Jonk <imre@imrejonk.nl> wrote:
> Yeah this is the right thing to do I suppose. This morning I contacted a Dutch IT lawyer who regularly writes in public about questions his readers ask him. Hopefully he can shine a light on this, at least for mirror operators in the Netherlands (and possibly all of Europe).
He was kind enough to answer my question on this Dutch IT news website: https://www.security.nl/posting/757086/Voldoet+een+Linux-distributie+aan+de+...
I'll try to summarize his answer in English here:
[begin summary]
Software for Arch Linux is often distributed only in compiled form. That poses a challenge under the GPL, which mandates that source code accompanies it. It is of course easy to obtain the sources if you want to, and because of this few would complain. That hasn't ever stopped a copyright lawyer however.
A lot of software in Linux context is GPLv2-licensed. This license from 1991 requires that you accompany the compiled software with its sources or a written offer that can be used to obtain the sources. You have to see this in a 1991 context, when it was hard and time-consuming to find and download source code and snail mail was faster. The underlying argument is that the receiver of the compiled software must have easy access to its sources.
A contractual obligation will always be interpreted by a judge in the context of the current situation. In 2022, it is easier for most people (especially developers) in the Western world to just download the sources instead of receiving it by snail mail. I therefore expect that a judge will approve of the argument that a URL to the sources is sufficient.
GPLv3 article 6 section d allows for distributing the source code through a third party's server. The distributor of the compiled software is however responsible for the availability of the source code at the specified location.
[end summary]
My takeaway from his answer is that, as long as the sources are easily available to anyone obtaining the compiled software, the "spirit" of the license is being followed, and that's what matters most.
It is still debatable whether a mirror operator is a software distributor or simply an intermediary between the Arch Linux project and the end user, and to what extent the mirror operator is responsible for carrying out the obligations under the GPL and other licenses. If a mirror operator is found to be a software distributor, then there may be some responsibilities under those licenses. One thing that a mirror operator can do here is simply link to a place where the sources can be obtained. That makes it easy for anyone interested in the compiled software on their mirror to obtain the source code, and could therefore lower the legal risk. The mirror operator would then need to ensure that the sources are actually available at the location they link to. If the operator has disk space and bandwidth to spare, then the better solution would of course be to mirror sources as well.