[arch-dev-public] AUR ToS: Brainstorming

Lukas Fleischer lfleischer at archlinux.org
Fri Mar 24 19:03:05 UTC 2017


As discussed previously [1], it is high time to look into terms and
conditions for the AUR. Optimally, these terms should be as short as
possible with everything relevant covered. I would like to collect
things we should include. A sketch of what came into my mind is given
below; please complement if anything is missing. For convenience, I
split the terms into ToS and a Privacy Statement.

Let us start with the ToS:

* Introduction saying that using the service means accepting the terms.
* Liability clause, say that users are responsible for uploaded content.
* Forbid uploading unlawful, harmful or copyrighted content.
* Explicitly forbid illegal software copies and malware.
* Licensing of things uploaded to the AUR.
* Notes on what happens when the ToS are changed.
* Notes on what happens when the AUR is shut down.

Things that should be covered in the Privacy Statement:

* What kind of personal information we collect and where it is stored.
* How the information is used.
* Notes on what happens when there are changes to the Privacy Statement.

More explicitly, we should explain what is stored as part of the web
server logs, that we store the personal information provided voluntarily
upon account registration and that we store the time stamp and the
public IP address of the last login in the database. Maybe also add some
note on cookies.

We should explain that content transmitted with a registered account is
public (including, but not limited to, user names, the full Git history
of packages, the content of comments and the content of package
requests). Additional personal information provided voluntarily upon
registration, such as the real name, is visible to all registered users.
This also applies to email addresses, unless one explicitly makes use of
the option to hide it in the account settings. We should also mention
that the email address is always visible to the staff, including Trusted
Users and developers, even if this option is enabled. Then, some
paragraph that we will not disclose any other personal information that
is collected apart from the usual exceptions.

Am I missing anything? It would be awesome to have some volunteer
writing a first draft of these two documents. Preferably somebody who is
a native speaker and has *some* experience with this kind of legal
stuff. If nobody else steps up, I will give it a try myself even though
I have neither of these two requirements/skills. It might also be
helpful to look for some (public domain) templates of sentences we might

As mentioned in the other thread, we should also agree on whether we
want the final terms to be checked by a lawyer.


[1] https://lists.archlinux.org/pipermail/arch-dev-public/2017-March/028726.html
