On Fri, Mar 1, 2024 at 5:38 PM Tim Flink <tflink@xxxxxxxxxxxxxxxxx> wrote:

> > pip, as an example is intended to allow users to install python packages
> > sourced from outside Fedora repos. I don't believe that software which
> > used pip after installation with no direct user interaction would be
> > allowed in Fedora.
> >
> > The pre-trained models that I'm familiar with, however, download things
> > transparently to the user with no warning outside of a log message when
> > the weights are first downloaded.

I feel like you're raising a more general issue here which I don't really know the answer to. This is not specific to pretrained models. Couldn't *any* Fedora package have behavior such that it "downloads things transparently to the user with no warning"? If so, what if any Fedora technical or packaging policy regulates this?

I can imagine a range of cases, such as:

1. Package provides a tool that can be used by a user to deliberately obtain arbitrary third-party content under the user's direction. This undoubtedly describes lots of existing Fedora packages and I think it's pretty clear that this should normally be okay. Otherwise we couldn't package firefox, wget, curl or pip.

2. Package causes the download (transparently to the user, unless you assume a sort of omniscient user) of some content that would not comply with default Fedora licensing policies if it were packaged directly in the package. I feel like there must already be examples of packages like this.

3. Package causes the download (transparently to the user ... ) of some third-party content that violates some non-license-related Fedora legal policy and which would not be permitted to be packaged directly.

4. Package causes the download of some third-party content that violates some non-legal Fedora policy (for example, some sort of content Fedora has deemed offensive).

5. Package causes the download of some third-party content that gives rise to a security issue, where knowledge of the security issue would have prevented direct packaging of the content.

I just skimmed through the Fedora packaging guidelines and the FESCo-related documentation and didn't seem to find anything on this sort of topic.

Richard

legal mailing list -- legal@xxxxxxxxxxxxxxxxxxxxxxx