[OpenAFS] Providing signed packages (was Re: any experiences with OpenAFS client ...)

Stephen Joyce stephen@email.unc.edu
Thu, 23 Oct 2014 18:27:27 -0400

On Thu, 23 Oct 2014, D Brashear wrote:

> Or the developer, if the builder and/or signer are not otherwise
> contractually tied to the foundation's insurance.
>       Again, seek actual legal advice. 
> Yup. And that's the summary I'd give about the understanding
> Stephen was looking for after Jeff's earlier comments. Jeff
> explained what things looked like, legally, for him. It's not FUD. It's
> what Jeff is willing to do based on Jeff's lawyer. What someone
> else is willing to do should, though, be entered into by that person
> only with an understanding of what their liability is, or with the
> explicit knowledge that they plan to ignore it and hope for the best.

IANAL, but it seems Jeff's company is probably subject to section 4 of the 
IPL, "COMMERCIAL DISTRIBUTION". If the Foundation signs binaries and 
distributes them, is it necessarily commercial distribution? If so, there's 
greater risk involved than if it can be classified as non-commercial.

The openafs.org website (is that now owned by the Foundation?) provides 
binaries now. One could argue that it's the same risk[1], but that signing 
binaries creates more awareness (but I'm not sure I have the energy to 
think that critically with my current head cold).

In any case, OpenAFS is not the only project which must decide how to move 
forward in this scenario. It might be instructive to see how macports, 
homebrew, etc. respond. On the other hand, if the Foundation has a lawyer 
to consult, this thread is mostly wasted time...

[1]If one assumes that by signing binaries one is simply verifying their 
veracity, not certifying that they'll do no harm.