Re:Distribution

Documentation for re-distribution of our packages by third party package managers

Any third-party package manager (i.e. not under our PkgForge Org Umbrella), must follow these guidelines when re-distributing them. Hence forth, referred to as third-parties .

Failure to comply will force our hands to no longer make the metadata (& other files these third-parties depend on) available. As well as blacklisting these clients from using our apis & other services.

Personal Use Exception: These guidelines don't apply to personal redistribution (dotfiles, private scripts, etc.) that isn't advertised as a public package manager service.

Attribution

Any third-parties, must have a dedicated section on the main README of their project where the following things are made explicitly clear:

Any Official Repositories from Package Forge, must be marked as external & third party i.e. not your default repos & your users must know the actual source.
Any External/Third-Party Repositories from Package Forge, must be marked as external & third party, same as Official Repositories from Package Forge, because for a third-party, all these are also external.
Specify the percentage of packages sourced from PkgForge repositories versus your own repositories
Any data that's used from pkgforge/metadata must be disclosed, especially if a third-party edits/re-edits it to match their own needs.
Issue Tracker link for reporting issues with Packages that originate from PkgForge

Examples:

Mandatory Fields

Any third-parties, must clearly show the following fields (from our metadata) to their user when installing any packages OR querying information on any packages that come from our repositories (Official/External). These can be skipped if & only if these are missing (For instance, from our External Repositories).

Homepage: The homepage entry must show the Homepage URL(s) for the package & is our way of offering attribution/credits to the original Author(s) of the package.
Licenses: The license entry must show the SPDX Identifier of the package & is a legal requirement.
Maintainers: The maintainer entry must show the Recipe (SBUILD) maintainer(s) of the package & is our way of both offering attribution/credits to the maintainer(s) & and transfer responsibility.
Notes: The note entry must show the Note(s) associated with a Package. This often contains crucial information we want the User to be aware of about the package.
Sources: The src_url entry must show the Source URL(s) for the Package & it's purpose is similar to displaying Homepage.
Index: The pkg_webpage entry must show the URL to our online Index, which contains all the fields for the package & serves as a way for users to know everything even when a third-party has decided to exclude most of those fields.

Examples:

Mandatory Files

Any third-parties, must also re-distribute the following files in addition to the main binary for the Package. An option can be offered to users to exclude this, but by default, the third party can't make this decision for the users, & thus must comply. Users may opt-out, but this must be their explicit choice, not your default behavior.

These don't apply if a third-party is a simply a downloader & not an installer i.e if a third party has a sub command to only download a package but not install it, then these files can be skipped.

LICENSE: For legal reasons, the LICENSE file must be downloaded & installed in the user's system.

Examples:

Media

Any third-parties, when posting about their project anywhere through blogs, posts, comments or similar must follow these guidelines:

The third-party must not claim any additions/announcements/deletions/features/ports originating from our Packages/Projects/Repos as their own, unless the third party also directly contributed to it. We, PkgForge reserve the sole rights to publishing these at our own discretion.
The third-party must not advertise Package counts without disclosing the source as their own, unless the majority of the packages are from the third-party's own official repo & not ours (Official/External).
The third-party must not advertise itself as "official" as the only "official" projects are all under our PkgForge Org.

Examples:

Bad press release (without our Permission):

Good Press Release

## Package Repository
- 15,000+ packages available
- Source: 12,000 from PkgForge repositories, 3,000+ maintained locally

## Recent Updates
- New packages added to PkgForge collection
- Read the official announcement: [PkgForge Blog](...)

Avoid:

"We've added 50 new packages!" (when they're from PkgForge)
"Official package manager for..." (without authorization)
Press releases about PkgForge features without permission

Compliance and Support

For questions about these guidelines or to request clarification, contact us through our official channels. We're committed to working with third-party distributors who respect these requirements and help maintain the integrity of the PkgForge ecosystem.

These guidelines ensure proper attribution, legal compliance, and clear communication about package sources while supporting the broader package management community.

PreviousPackage-Request NextSecurity

Last updated 14 days ago

Was this helpful?

Any third-party package manager (i.e. not under our PkgForge Org Umbrella), must follow these guidelines when re-distributing them. Hence forth, referred to as third-parties .

Failure to comply will force our hands to no longer make the metadata (& other files these third-parties depend on) available. As well as blacklisting these clients from using our apis & other services.

Personal Use Exception: These guidelines don't apply to personal redistribution (dotfiles, private scripts, etc.) that isn't advertised as a public package manager service.

Attribution

Any third-parties, must have a dedicated section on the main README of their project where the following things are made explicitly clear:

Any Official Repositories from Package Forge, must be marked as external & third party i.e. not your default repos & your users must know the actual source.
Any External/Third-Party Repositories from Package Forge, must be marked as external & third party, same as Official Repositories from Package Forge, because for a third-party, all these are also external.
Specify the percentage of packages sourced from PkgForge repositories versus your own repositories
Any data that's used from pkgforge/metadata must be disclosed, especially if a third-party edits/re-edits it to match their own needs.
Issue Tracker link for reporting issues with Packages that originate from PkgForge

Examples:

Mandatory Fields

Any third-parties, must clearly show the following fields (from our metadata) to their user when installing any packages OR querying information on any packages that come from our repositories (Official/External). These can be skipped if & only if these are missing (For instance, from our External Repositories).

Homepage: The homepage entry must show the Homepage URL(s) for the package & is our way of offering attribution/credits to the original Author(s) of the package.
Licenses: The license entry must show the SPDX Identifier of the package & is a legal requirement.
Maintainers: The maintainer entry must show the Recipe (SBUILD) maintainer(s) of the package & is our way of both offering attribution/credits to the maintainer(s) & and transfer responsibility.
Notes: The note entry must show the Note(s) associated with a Package. This often contains crucial information we want the User to be aware of about the package.
Sources: The src_url entry must show the Source URL(s) for the Package & it's purpose is similar to displaying Homepage.
Index: The pkg_webpage entry must show the URL to our online Index, which contains all the fields for the package & serves as a way for users to know everything even when a third-party has decided to exclude most of those fields.

Examples:

Mandatory Files

Any third-parties, must also re-distribute the following files in addition to the main binary for the Package. An option can be offered to users to exclude this, but by default, the third party can't make this decision for the users, & thus must comply. Users may opt-out, but this must be their explicit choice, not your default behavior.

These don't apply if a third-party is a simply a downloader & not an installer i.e if a third party has a sub command to only download a package but not install it, then these files can be skipped.

LICENSE: For legal reasons, the LICENSE file must be downloaded & installed in the user's system.

Examples:

Media

Any third-parties, when posting about their project anywhere through blogs, posts, comments or similar must follow these guidelines:

The third-party must not claim any additions/announcements/deletions/features/ports originating from our Packages/Projects/Repos as their own, unless the third party also directly contributed to it. We, PkgForge reserve the sole rights to publishing these at our own discretion.
The third-party must not advertise Package counts without disclosing the source as their own, unless the majority of the packages are from the third-party's own official repo & not ours (Official/External).
The third-party must not advertise itself as "official" as the only "official" projects are all under our PkgForge Org.

Examples:

Bad press release (without our Permission):

Good Press Release

## Package Repository
- 15,000+ packages available
- Source: 12,000 from PkgForge repositories, 3,000+ maintained locally

## Recent Updates
- New packages added to PkgForge collection
- Read the official announcement: [PkgForge Blog](...)

Avoid:

"We've added 50 new packages!" (when they're from PkgForge)
"Official package manager for..." (without authorization)
Press releases about PkgForge features without permission

Compliance and Support

For questions about these guidelines or to request clarification, contact us through our official channels. We're committed to working with third-party distributors who respect these requirements and help maintain the integrity of the PkgForge ecosystem.

These guidelines ensure proper attribution, legal compliance, and clear communication about package sources while supporting the broader package management community.