Thank you everyone for your responses!

I have a few updates for you that made it to production this morning as part of our weekly release cycle:

* Thanks to Ankur Sinha, the pull requests created by Packit now have a clear list of tasks/reminders to check in the description. (E.g. https://src.fedoraproject.org/rpms/python-ogr/pull-request/479)
* If you are not comfortable with lookaside uploads before the review, you can newly set `upload_sources` to `false` and Packit won't do the upload. The downside is, of course, the reduced benefit of the automation since you need to do this yourself and the failed CI builds. The default behaviour is preserved to not break the workflow of the existing users but it's clearly mentioned in the onboarding guide (https://packit.dev/docs/fedora-releases-guide#upload-archive-to-lookaside-cache).

František

On Fri, Sep 15, 2023 at 7:07 PM Adam Williamson <adamwill@xxxxxxxxxxxxxxxxx> wrote:
>
> On Fri, 2023-09-15 at 16:02 +0200, Frantisek Lachman wrote:
> > Thanks Dan and Daniel for the responses. You both are right. For our
> > defence, this is always set up by an existing Fedora user (=human).
> >
> > I can't speak of rel-eng (and honestly don't know) how problematic
> > this "physical removal" on request is.
> > We can at least promote the licence check more
> > and provide instructions on what to do if something does not fulfil the rules.
> > (E.g. as a part of the issue Ankur created and mentioned
> > (https://github.com/packit/packit/issues/2035))
> >
> > Does anyone have any realistic solution (or an improvement) to this
> > for Packit itself?
> >
> > We can also stop uploading the source to the lookaside cache (or make
> > it configurable),
> > but the benefit of such automation is significantly reduced.
>
> To be honest it seems a little unfair to 'pick on' Packit about this.
>
> Practically speaking, we do not somehow enforce that every packager
> does a thorough license review of every new upstream version of
> everything they package before uploading it to the lookaside. We do not
> really have any protections against packagers running scratch builds
> with unredistributable content. Ultimately, we are trusting packagers
> to do this right.
>
> Packit is intended for folks/teams who are both upstream maintainers
> and downstream packagers. Such folks should already be aware of the
> licensing of the upstream and able to address any issues with it. They
> likely already pull new releases of their project downstream as a
> matter of course. Automating it doesn't really seem like it's exposing
> us to any radical increase in potential licensing problems.
> --
> Adam Williamson (he/him/his)
> Fedora QA
> Fedora Chat: @adamwill:fedora.im | Mastodon: @adamw@xxxxxxxxxxxxx
> https://www.happyassassin.net
>
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue