Potential R Consortium help with terms of use and other documents #89
I think it's great to use these resources if they're available! You're right to point out that none of us have formal legal training. Quite frankly any additional pairs of eyes on the documents is useful. If a lawyer is reviewing then even more valuable, as they'll know what to look for. The legal docs that will need reviewing are the 1. Terms of Use, 2. Acceptable Use Policy, and 3. Code of Conduct, with the 4. Governance Document. I should emphasize though that whilst useful, we shouldn't count on this to mitigate any actual legal risk. The responsibility isn't shifted to a third party. It would be a different matter if we have a signed engagement with a law firm and they have issued a legal opinion / official document addressed to us. If R-multiverse were to be run by the R Consortium rather than by us (the RMC), then that should afford an additional layer of legal protection as well.
Awesome! I drafted a slide deck to present to the R Consortium board: r-multiverse-r-consortium.pptx Please let me know what else to include or modify.
Nice! I wouldn't put the very last sentence between parentheses unless there's a specific reason?
Nice summary! I have some comments that I hope are helpful for this. The most relevant one is on the last paragraph (the other comments are something that piqued my interest while following the slides, and I think could be helpful).
Probably not super relevant to the audience, but the GitHub documentation is clear regarding the limits which can affect long-running tests (cf. slide 2). I only point this out because, as in CRAN, users and developers will push/test the limits.
Slides 5-7: r-universe is for organizations. Users might work as organizations but not always. For example, I don't have a github.com/llrs/llrs.r-universe.dev but I have a landing page on r-universe, but I cannot install packages listed there (if I don't add CRAN or the other r-universes) with that universe:
I see on slide 10 that staging only pulls from CRAN. Doesn't it also pull from Bioconductor?
On slide 16, shouldn't it be "sabotage" instead of "Government sabotage"? It reminds me of xkcd.
In risk I would also list that the r-universe relies on GitHub providing free computational hours, and more importantly the adoption of users and developers. To encourage more users it should include corporate adoption, which needs more technical and legal guarantees, which is why you ask the R Consortium for their support.
Thanks for the feedback. Here is a modified version: r-multiverse-r-consortium.pptx
I used parentheses because that last sentence is more of a statement of context, whereas the others are ways to help.
I changed the title from "personal package repositories" to "democratized package repositories" to implicitly include both users and orgs.
Seems to be the case, c.f. https://github.com/r-universe/r-multiverse-staging/actions/runs/11433660857/job/31806072250#step:4:36 and https://github.com/r-universe-org/actions/blob/v5/getdeps.R#L5.
Changed to "Organized sabotage"
We are currently drafting a Terms of Use document (c.f. r-multiverse/r-multiverse.github.io#25), and I believe we need other protections such as Acceptable Use (c.f. #88). I know I already mentioned this in passing, and others may disagree, but I am concerned about our lack of formal legal training.
It would be great to borrow a legal expert, ideally from the R Consortium or Linux Foundation, to help us protect ourselves against foreseeable risks. An expert could review our Terms of Use document, Acceptable Use document (TBD), etc., and make sure they are legally sound. In addition, they could help us anticipate other risks we have not yet discussed (e.g. do we need to account for potential sabotage or espionage by a hostile government?) and make sure the appropriate protections are in place. More generally, if there were a way to officially be under the legal auspices of the R Consortium, that would go a long way.
I mentioned this in today's Repositories WG meeting, and the R Consortium leadership in attendance were eager to help. Executive director Terry Christiani invited us to present at a board meeting, either the one on October 23 (approaching fast) or December 3 (more feasible). She requested that in the meantime, we iron out the specific details of what we would request in the meeting.
Sound okay? @shikokuchuo, @jeroen, @maelle? Any specifics you would like to add here?