RESTRICT="bindist mirror" has to be set for legal reasons, but this will destroy the ebuild. Please provide a new legal SRC_URI shortly to prevent the removal of this package.

Reproducible: Always
(In reply to Jonas Stein from comment #0)
> RESTRICT="bindist mirror" has to be set for legal reasons, but this will
> destroy the ebuild.

What does that even mean? Please be clearer next time.

So the only thing in SRC_URI is a small binary patch that's added to the game at runtime. The rest is installed from CD. I suppose the CD part means it should at least be RESTRICT="bindist".

Unsurprisingly, the patch has no license and given that UT2003 was never as popular as UT2004, the only non-Gentoo references I can find to it are these.

It fixes this exploit:
https://www.securityfocus.com/archive/1/356904/2004-03-08/2004-03-14/0

It was uploaded to this user's server following a forum discussion between the patch's author and former Gentoo dev wolf31o2:
https://forums.epicgames.com/unreal-tournament-2003-2004/server-administration/34987-updates-on-security-master-server-stats-and-email?p=749543#post749543

That server has now gone. The zip is all of 2.7KB so I can easily just stick it in my devspace. Maybe that doesn't fit with RESTRICT="mirror" but I don't know what else to do. Evidently the author had no problem with it being mirrored at the time.
(In reply to James Le Cuirot from comment #1)
> That server has now gone. The zip is all of 2.7KB so I can easily just stick
> it in my devspace. Maybe that doesn't fit with RESTRICT="mirror" but I don't
> know what else to do. Evidently the author had no problem with it being
> mirrored at the time.

If the file is copyrightable but has no license allowing redistribution, then it cannot be distributed. Especially it cannot be hosted on Gentoo infra (which includes mirrors and devspace).
(In reply to Ulrich Müller from comment #2)
> (In reply to James Le Cuirot from comment #1)
> > That server has now gone. The zip is all of 2.7KB so I can easily just stick
> > it in my devspace. Maybe that doesn't fit with RESTRICT="mirror" but I don't
> > know what else to do. Evidently the author had no problem with it being
> > mirrored at the time.
>
> If the file is copyrightable but has no license allowing redistribution,
> then it cannot be distributed. Especially it cannot be hosted on Gentoo
> infra (which includes mirrors and devspace).

I understand where you're coming from but please also understand where I'm coming from. This is a ridiculous situation where you're threatening to drop a major game over a 16-year-old 2.7KB patch that was blatantly intended to be freely distributed. If I drop the patch then I'll have the security team on my back instead. In the past, I thought we allowed users to take on the risk, be it legal or security, themselves.

Now I have managed to establish the real identity of the author so I'll try reaching out but I'm not optimistic. Assuming he won't be interested in hosting the patch himself, what do I need to ask of him to make this okay?
Nobody is going to stop you from hosting it on your private webspace (i.e. one where you take the legal risk).
(In reply to Michał Górny from comment #4)
> Nobody is going to stop you from hosting it on your private webspace (i.e.
> one where you take the legal risk).

I wasn't sure if that was an option. I'm willing to do that but I'd like to try the above first so please let me know what is required.
In the ideal case the author would agree that his patch is distributed under a free but non-copyleft license, e.g., BSD-2, ISC, MIT, or WTFPL-2.
(In reply to Ulrich Müller from comment #6)
> In the ideal case the author would agree that his patch is distributed under
> a free but non-copyleft license, e.g., BSD-2, ISC, MIT, or WTFPL-2.

I got that much but do we need a public record of that or is it sufficient if I say that he agreed to this in a private mail?
A public record would be preferable, of course. If that's not possible, please post Message-ID and Date headers of the e-mail message here.
Just letting you all know that after reaching out, initial indications are good but it's not a done deal yet.
Created attachment 674587
Email thread with new MIT license attached as docx

Success! Epic themselves have given this the MIT license. They attached it as a docx so pasting the mail thread wouldn't really work. I have therefore attached the raw email here instead. I have now put the fix in my devspace.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9db48380d3d2dc5372a6cf78957959d95864d6ce

commit 9db48380d3d2dc5372a6cf78957959d95864d6ce
Author:     James Le Cuirot <chewi@gentoo.org>
AuthorDate: 2020-11-23 22:16:09 +0000
Commit:     James Le Cuirot <chewi@gentoo.org>
CommitDate: 2020-11-23 22:16:59 +0000

    games-fps/ut2003-data: RESTRICT bindist, fix SRC_URI, crash fix is MIT

    Closes: https://bugs.gentoo.org/754360
    Package-Manager: Portage-3.0.10, Repoman-3.0.1
    Signed-off-by: James Le Cuirot <chewi@gentoo.org>

 games-fps/ut2003-data/ut2003-data-2107.ebuild | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)