Le 27/09/2023 à 06:18, aur@nullvoid.me a écrit :
Hi, Hi,
I'm gonna start with I'm not a lawyer, and realistically the best answer provided should be from a German (Arch project TOS list German laws to be followed) or US (SPI nonprofit owns the domain and financial accounts) lawyer. Once again, I think this is more of an "ethical" matter rather than a strictly juridical one for now (at least when it comes the AUR platform itself), as the approach is more "what should or should not be allowed on the AUR (from an "ethical" POV)?" rather than "what are we risking by keeping those packages (from a juridical POV)?".
While the juridical question may be important, it is not the primary concern here and has until then been answered by "we're only hosting the recipes, not the ingredients themself". But fair enough, I assume an answer from a lawyer cannot hurt.
The issue I think will always exist as to what does a platform to do mitigate legal risk when allowing User Generated Content to exis > Arch Linux should not host content that violates laws and is generally immoral everywhere. CSAM or Malware content comes to mind.
Arch Linux should not host content that violates the DMCA or German copyright laws, such as a "minecraft-cracked" package. While the definition of hosts can be up for debate. Torrent sites that only host magnet links have been held liable for pointing to infringing files, so a PKGBUILD might be treated the same way in court.
Regardless of the purely juridical aspect of it, I agree we should not allow/promote such clearly illegal package ethically speaking.
Some programs have been treated as if they violate the DMCA or other copyright laws, like youtube-dl or whipper. Generally speaking as long as they are not advertised or used for illegal actions they themselves are not illegal. Qbittorrent and Deluge are legal. Popcorn-time has been less so.
I agree with that too, I don't see any issue regarding things like youtube-dl, whipper, Qbittorrent or Deluge. While they can be used to perform illegal actions (as many other things in life), they indeed shouldn't be categorized as such in my opinion and thus are not concerned by this debate. However, as you said, there's no much doubt regarding popcorn-time and it should indeed be pointed out regarding this debate in my opinion.
While I believe that freedom of information is a great ideal to strive for in society, I understand the archlinux project would probably prefer to stay apolitical, and avoid harming their goal of being an OS instead of fighting sociopolitical issues with it's infrastructure.
There are several cases for exceptions that have been allowed generally under fair use clauses, abandonware is sometimes permitted to be distributed by not the copyright holders.
I hope that the policies the AUR moderators and arch linux teams adopt are as permissive as possible without taking on any extra legal risk.
In cases such as abgx360, I think we should keep it up until a legal DMCA takedown request comes in, or any form informal complaint from the copyright holder. Censorship is a political action and should be left as a choice only when forced by law, not done preemptively.
First of all, it is important to note that the official AUR FAQ states that "mostly everything is permitted on the AUR, as long as you are in compliance with the licensing terms of the content" [1]. I think that's a valid argument regarding the abgx360 case and a good starting point for this whole debate. Secondly, I don't think it is fair to bring terms like "censorship" and "political action" in here. The removal of that software has only been done because of the assumption that it goes against the AUR guidelines/principles (regarding the above FAQ statement). That doesn't mean there wasn't a judgment mistake there, but it for sure never was with the intention to "censor" anything.
For packages that may be immoral but legal, such as a package that changes everything to racial slurs, sexist, or vulgar language. I think it also should stay in the AUR and users can choose if they want to compile it or not. If the AUR trusted users and policies start taking down content because they do not like it, it opens a very large can of worms.
Software can become extremely politicized quickly, and I view removing code from a repo similarly to burning books by authors you do not agree with. If the AUR team start to decide what is moral instead of what is illegal or harmful (malware), I fear for the overall usefulness of the AUR long term. The <https://aur.archlinux.org/packages/anarchism> would probably be considered immoral by any strong state authoritarian politically aligned user, and subject to removal.
I wasn't including such packages in the debate in the first place, but that's a legit point to raise. First off, TU duties imply to stick to and enforce the AUR rules and guidelines when dealing with requests. Once again, that doesn't mean there never was some eventual mistakes during that process but "taking down content because they do not like it" is not a thing. Now, regarding the examples you gave, while there are no clear statement/guidelines about such packages on the AUR side (yet?), such controversial topics are already pointed out by the Arch Linux Code of Conduct [2] (as raised by Ralf as well [3]). Now the question is, should the Arch Linux CoC applies to the AUR too? This is what I raised by saying "I think that the AUR itself should be maintained with the same ethics we try to apply to the Arch project as whole" in my initial answer. For what it's worth, I've already seen protest-wares been removed from the AUR as per the Code of Conduct. Also, here as well, I think that viewing "removing code from a repo similarly to burning books by authors you do not agree with" is unfair in your given example. Restricting or banning subjects like "racial slurs, sexism or vulgar language" is a common action when it comes to moderation in a project (it's not Arch specific) and doesn't feel "abusive" to me. I hope you're aware that such restrictions are taken in good faith for the sake of community as whole rather to act with an authoritarian policy. Anyway, regarding the different reactions to the currently grey area this subject represent, I think it is important that taking future decisions regarding such AUR requests are made upon the AUR rules/guidelines and not let to the personal appreciation of the person dealing with it (as it is currently the case). My intention with this thread is to conclude on an actual statement leading to an update of the AUR guidelines/rules (if needed) to be able to act legitimately (or not, depending on what the conclusion is) upon such judged "illegal/unethical/controversial" packages in the future.
I hope my points bring a new way of looking at this issue.
Thanks for your input in this thread!
On September 26, 2023 9:53:36 PM UTC, Robin Candau <antiz@archlinux.org> wrote:
Le 26/09/2023 à 22:02, Connor Behan a écrit :
Sorry but I don't buy the logic here. That's fine, that thread is there to debate :D
On Tue, Sep 26, 2023 at 4:21 PM Robin Candau <antiz@archlinux.org <mailto:antiz@archlinux.org>> wrote:
Le 26/09/2023 à 20:11, netsysfire@das-labor.org <mailto:netsysfire@das-labor.org> a écrit : > abgx360 has been deleted recently (see > https://lists.archlinux.org/archives/list/aur-requests@lists.archlinux.org/t... <https://lists.archlinux.org/archives/list/aur-requests@lists.archlinux.org/thread/VPDQERST63DRZFYFS7JH6YIDWXSFE5TX/#VPDQERST63DRZFYFS7JH6YIDWXSFE5TX>). I noticed it because https://wiki.archlinux.org/title/Burning_Xbox_360_games <https://wiki.archlinux.org/title/Burning_Xbox_360_games> has a broken link. > > There are two reasons for the deletion: > 1. Legality of home backups. Though we have stuff like popcorntime in > the AUR or even whipper in extra, so it should not matter. > 2. Bad licensing. > > There is no upstream license set, thus applying the default copyright > rules: > >> You're under no obligation to choose a license. However, without a >> license, the default copyright laws apply, meaning that you retain all >> rights to your source code and no one may reproduce, distribute, or >> create derivative works from your work. > > However, as the AUR only ships PKGBUILDs we are neither reproducing or > distributing it and it does also not seem like a derivative work. > Alad already poked upstream about this. > https://github.com/BakasuraRCE/abgx360/issues/7 <https://github.com/BakasuraRCE/abgx360/issues/7> > > This was also painstakingly discussed on IRC in both -aur and -wiki, > leading to walls of text. > Antiz made the decision to delete in good faith and there was apparently > also an internal discussion in the staff channel, which we agreed on > should have been public. > > My opinion is that the package should be restored. I do not even use it > and only noticed because of said dead link, yet the decision feels off. > Antiz said that they are rethinking it, too.
Hi,
Thanks for bringing this up in a ML thread!
Allow me to bring a bit more context about this whole situation and the "painstakingly" discussion that followed: Some time ago, we had to deal with a deletion request about an unofficial game launcher allowing you to play the said paid game for free (basically a pirated game and thus illegal. That was even clearly written on upstream's website). A quick debate has then been launched in the private TU channel at the time to discuss whether we should reject it (and thus allow or simply don't care about quoted "illegal" stuff on the AUR) or accept it and take a position regarding this.
The main argument in favor of rejecting this request basically was that the AUR is only hosting PKGBUILDs, not the actual sources. Meaning that we cannot be accused of redistributing illegal/copyrighted/whatever stuff as we are actually not redistributing anything, thus we shouldn't care about it.
The main argument in favor of accepting this request is that, while the AUR only hosts PKGBUILDs and not sources, and that it is made clear that AUR packages are not officially supported; the AUR itself (meaning the actual platform) is an official Arch ressources that is managed, maintained and moderator by official Arch staff. As such we should keep a good image of this official ressource and not allow such quoted "illegal" software, whatever the reason could be: piracy, licensing violation (like it's the case for the software listed as an example), etc...
As you probably guessed, my opinion goes into the above paragraph. While the argument of "the AUR is only hosting PKGBUILDs" is valid in situations where we would be accused of redistributing something without the proper permissions, I personally wouldn't want the AUR to become a privileged source to share/download/install illegal stuff because of the gray area the above brings in term of moderation and legality. What I'd like to highlight here is that it is an ethical matter more than a technical/juridical one.
In that sense, I think it's totally fine to have a spotify AUR package, despite the fact it may not be authorized to redistribute it (because we're not actually redistributing it, that's the whole point). However, I don't think it's fine having "Minecraft-cracked" AUR package, not because of the (not) redistributing part but because of ethically of letting/allowing a **clearly** illegal package on the AUR.
Minecraft-cracked is an extreme example because we know full well that the publisher of Minecraft intends to make an income from its sale. Such is not the case here. 1 - This "extreme example" actually happened [1][2] (multiple other times than that in fact, those are just the 2 most recent examples), yet people were debating whether this should be kept/allowed on the AUR or not. That's actually the requests that started the discussion in the TU channel I was referring to. As extreme as it might be, this example is valid enough to be brought here in my opinion as that's actually the one that started it all. 2 - I purposely expanded the debate beyond the actual the abgx360 example as, in my opinion, the purpose of this thread should be about debating if and where we draw the line about "illegality/ethic" in a general way on the AUR. If anything, debating about the abgx360 specific should probably be done in the related AUR request thread instead [3].
By the way, I insist on the **clearly** part. To take the 2 examples given in the initial message: I think the licensing violation/issue of the abgx360 package was clear enough to accept its deletion. As for whipper, I don't see any issue with it. While you can do illegal stuff with it, a ripping software itself as nothing illegal. Everybody own knives after all :p As for popcorntime if it is **clearly** categorized as illegal, I would personally vote for its removal.
If it turns out that the GitHub user BakasauraRCE has been acting with authorization from Seacrest the entire time, it will turn out that the package is legal. So it seems that the opposite standard has been applied here. I.e. deleting a PKGBUILD unless what it links to is clearly legal. The deletion request wasn't blindly accepted. Upstream expressed themself about the deletion request [4] and basically said that only the original author (Seacrest) should have the right to legitimately call them out regarding the fact they use copyrighted code without authorization (in their opinion). That makes it pretty clear that they've been acting without permissions on that front, I don't think it can still be turned out the other way around.
Though, if upstream ever change/clarify this situation with Seacrest [5], they could re-upload their package on the AUR in total legitimacy.
Anyway, once again, I don't think this thread should be about the abgx360 specific case. It is the case that motivated it but I think this thread should actually be a broader debate about if we should allow "illegal/unethical" packages on the AUR or not and, if not, what should be categorized and treated as such (in the aim of having a clear guideline regarding this and avoid having such questioning about this currently grey area in the future).
Just a quick note about the painstakingly discussion that happened on IRC regarding this: I do agree that such a debate should have been discussed publicly and lead to a clear and established statement/decision (which we'll hopefully get now that it has been exposed here). As such, I want to say that the decision of removing the abgx360 AUR package was purely my own personal decision.
To sum up, I think that the AUR itself should be maintained with the same ethics we try to apply to the Arch project as whole. In my opinion, stating not to care of such things can (and probably will) be interpreted as simply allowing/accepting it.
Now, regardless of my opinion, my primary wish there is that we're able to conclude on an actual statement that I will accept, whatever the final decision is. It would just be great to have a proper guideline on this to avoid any more miss-understanding.
-- Regards, Robin Candau / Antiz
[1] https://lists.archlinux.org/archives/list/aur-requests@lists.archlinux.org/t... [2] https://lists.archlinux.org/archives/list/aur-requests@lists.archlinux.org/t... [3] https://lists.archlinux.org/archives/list/aur-requests@lists.archlinux.org/t... [4] https://lists.archlinux.org/archives/list/aur-requests@lists.archlinux.org/m... [5] https://github.com/BakasuraRCE/abgx360/issues/7
[1] https://wiki.archlinux.org/title/Arch_User_Repository#What_kind_of_packages_... [2] https://terms.archlinux.org/docs/code-of-conduct/#controversycontroversial-t... [3] https://lists.archlinux.org/archives/list/aur-general@lists.archlinux.org/me... -- Regards, Robin Candau / Antiz