On Fri, Mar 1, 2024 at 10:08 PM Richard Fontana <rfontana@xxxxxxxxxx> wrote: > > On Fri, Mar 1, 2024 at 5:38 PM Tim Flink <tflink@xxxxxxxxxxxxxxxxx> wrote: > > > > pip, as an example is intended to allow users to install python packages > > > sourced from outside Fedora repos. I don't believe that software which > > > used pip after installation with no direct user interaction would be > > > allowed in Fedora. > > > > > > The pre-trained models that I'm familiar with, however, download things > > > transparently to the user with no warning outside of a log message when > > > the weights are first downloaded. > > I feel like you're raising a more general issue here which I don't > really know the answer to. This is not specific to pretrained models. > Couldn't *any* Fedora package have behavior such that it "downloads > things transparently to the user with no warning"? If so, what if any > Fedora technical or packaging policy regulates this? > > I can imagine a range of cases, such as: > > 1. Package provides a tool that can be used by a user to deliberately > obtain arbitrary third-party content under the user's direction. This > undoubtedly describes lots of existing Fedora packages and I think > it's pretty clear that this should normally be okay. Otherwise we > couldn't package firefox, wget, curl or pip. > > 2. Package causes the download (transparently to the user, unless you > assume a sort of omniscient user) of some content that would not > comply with default Fedora licensing policies if it were packaged > directly in the package. I feel like there must already be examples of > packages like this. > > 3. Package causes the download (transparently to the user ... ) of > some third-party content that violates some non-license-related Fedora > legal policy and which would not be permitted to be packaged directly. > > 4. Package causes the download of some third-party content that > violates some non-legal Fedora policy (for example, some sort of > content Fedora has deemed offensive). > > 5. Package causes the download of some third-party content that gives > rise to a security issue, where knowledge of the security issue would > have prevented direct packaging of the content. > > I just skimmed through the Fedora packaging guidelines and the > FESCo-related documentation and didn't seem to find anything on this > sort of topic. > At this point, this discussion is a bit much. We have game engines with data file downloaders for demo content, we have web browsers that auto-download things on launch, and so on. If you're really worried about it, tweak pytorch to require configuration or make a prompt when it triggers the first time or something. We did this with gdb with the debuginfod, and that's probably the closest pattern to go with for this. But this is not a legal question per se, this is a functionality and philosophy question. -- 真実はいつも一つ!/ Always, there's only one truth! -- _______________________________________________ legal mailing list -- legal@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to legal-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/legal@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
