[OpenAFS] Providing signed packages (was Re: any experiences with OpenAFS client ...)
Thu, 23 Oct 2014 18:27:27 -0400
On Thu, 23 Oct 2014, D Brashear wrote:
> Or the developer, if the builder and/or signer are not otherwise
> contractually tied to the foundation's insurance.
> Again, seek actual legal advice.
> Yup. And that's the summary I'd give about the understanding
> Stephen was looking for after Jeff's earlier comments. Jeff
> explained what things looked like, legally, for him. It's not FUD. It's
> what Jeff is willing to do based on Jeff's lawyer. What someone
> else is willing to do should, though, be entered into by that person
> only with an understanding of what their liability is, or with the
> explicit knowledge that they plan to ignore it and hope for the best.
IANAL, but it seems Jeff's company is probably subject to section 4 of the
IPL, "COMMERCIAL DISTRIBUTION". If the Foundation signs binaries and
distributes them, is it necessarily commercial distribution? If so, there's
greater risk involved than if it can be classified non-commercial.

The openafs.org website (is that now owned by the Foundation?) provides
binaries now. One could argue that it's the same risk, but that signing
binaries creates more awareness (but I'm not sure I have the energy to
think that critically with my current head cold).

In any case, OpenAFS is not the only project which must decide how to move
forward in this scenario. It might be instructive to see how macports,
homebrew, etc. respond. On the other hand, if the Foundation has a lawyer
to consult, this thread is mostly wasted time...

If one assumes that by signing binaries one is simply verifying their
veracity, not certifying that they'll do no harm.