
| Msg # 1037 of 1179 on ZZLI4422, Monday 10-05-25, 7:18 |
| From: ANDREAS TILLE |
| To: ALL |
| Subj: Re: Bits from the DPL |
From: andreas@an3as.eu

On Sun, Oct 05, 2025 at 05:18:33AM +0200, Philipp Kern wrote:
> On 10/3/25 10:16 AM, Adrian Bunk wrote:
> > Are we able to create new point releases of stable and oldstable within 48h,
> > to withdraw the package (and withdraw/update reverse dependencies) there?
> >
> > A well-known case of claimed copyright infringement that was in the
> > courts for two decades affected the Linux kernel.[1] Even in the best
> > case where a code fix is available immediately, updating src:linux and
> > then rebuilding the installers and then creating new point releases
> > would be challenging to do within 48h.
>
> I also find the 48h questionable.

I would very much welcome better suggestions for what might qualify as "speedy" on the one hand and "realistic" on the other. There's no real need to specify an exact number of hours - I only wrote "_e.g._ within 48 h" as an example.

My intention was simply to propose a more structured response than just telling someone who claims there's a copyright issue to "please file a removal bug." It's about having a formalized process that shows we take such reports seriously and that helps protect our developers from potential legal exposure.

> If anyone without a contract is relying on
> us here, that's squarely their problem.

I was told that this is precisely our view - which I personally shared as well - and I would also prefer if it were true. However, if it turns out that this assumption is wrong and that Debian as a project, or even an individual developer, might face consequences, it's better to be prepared in advance.

> And if there is
> legislation/regulation, it'd be nice to know what the letter is. On the
> other hand I trust us to get the relevant advice here.

I would be more than happy if the concern I described above turns out to be unfounded.

> However we could in theory remove the file without rebuilding the indexes.
> Not a great user experience, especially if all we technically need to do is
> to e.g. remove a single file. But if it's temporary, maybe it would be an
> option. OTOH I'd expect stuff post pulling the package to resolve in the
> matter of weeks to months, right?

I'm happy to consider any technical suggestions for implementing a solution that, hopefully, will never actually be needed. The goal here is simply to be prepared.

Returning to my earlier question about delegations, I tend to think that handling this should fall under the Archive Operations Team. What do you think?

Kind regards
Andreas.

--
https://fam-tille.de