Legal Problem: md5 implementation
by Tom Callaway
Some of Fedora's packages are using an MD5 implementation which is under
a GPLv2/v3 incompatible license, specifically, the RSA implementation
which is under BSD with advertising.
You can look at this code here:
http://www.tux.org/pub/security/md5/md5.c
http://www.tux.org/pub/security/md5/md5.h
We've identified packages which are possibly using this implementation,
and all maintainers are on CC. Please take a moment to look at your
packages and check to see if this md5 implementation is used.
GeoIP
abiword
cinepaint
cook
dietlibc
dclib
fedora-ds-base
gammu
gnome-pilot-conduits
gnumeric
htdig
inn
isdn4k-utils
libosip
libosip2
mail-notification
mysql
ser
ssmtp
wv
xdelta
If your package is on this list, please email me back and let me know
once you've checked the md5 implementation. If it is the RSA
implementation, we're going to need to replace it (coreutils has a GPL
compatible implementation that should be a drop in). If your package is
not under GPL or LGPL, then there is no problem, and you can just email
me and let me know that.
Thanks in advance,
~spot
15 years, 2 months
CPAL license acceptable?
by Rahul Sundaram
Hi
http://socialtext.com/cpal
There have been a number of projects moving to this license, especially ones
that prefer stronger attribution. While GPL and others which are
considered Free software licenses have attribution requirements too,
this goes a bit beyond that.
Do we want to send this to FSF to confirm?
Rahul
15 years, 5 months
Status report
by Tom Callaway
Todd,
Can you run another status report on the Licensing?
Also, please run another report showing just those packages (and owners)
who are License: Artistic (not GPL* or Artistic), just Artistic.
Thanks,
~spot
15 years, 6 months
License correction
by Tom Callaway
Adrian,
Several of your perl packages have an incorrect license tag:
perl-Jcode
perl-Unicode-Map
perl-Unicode-Map8
perl-Unicode-MapUTF8
perl-Unicode-String
The correct license tag should be:
License: GPL+ or Artistic
(The Fedora perl package is special, because the upstream perl tarball
includes several addon components under GPLv2+ or Artistic, but you do
not need to reflect that in your packages.)
Thanks,
~spot
15 years, 6 months
m2crypto license
by Miloslav Trmač
Hello,
m2crypto uses the following variant of the MIT license:
> Permission to use, copy, modify, and distribute this software and its
> documentation for any purpose and without fee is hereby granted,
> provided that the above copyright notice appear in all copies and that
> both that copyright notice and this permission notice appear in
> supporting documentation.
>
> THE AUTHOR PROVIDES THIS SOFTWARE ``AS IS'' AND ANY EXPRESSED OR
> IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
> OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
> IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
> INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
> NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The first paragraph is "Old style with legal disclaimer", without the
MIT advertising clause. The warranty disclaimer is different from the
licenses at http://fedoraproject.org/wiki/Licensing/MIT .
Is this license OK for Fedora?
Thank you,
Mirek
15 years, 6 months
baekmuk fonts license
by Jens-Ulrik Petersen
Hi,
Below is the license file of the Korean Baekmuk fonts (currently part of
fonts-korean). Naively it looks BSD'ish to me but could you please take a look?
Thank you,
Jens
Copyright (c) 1986-2002 Kim Jeong-Hwan
All rights reserved.
Permission to use, copy, modify and distribute this font is
hereby granted, provided that both the copyright notice and
this permission notice appear in all copies of the font,
derivative works or modified versions, and that the following
acknowledgement appear in supporting documentation:
Baekmuk Batang, Baekmuk Dotum, Baekmuk Gulim, and
Baekmuk Headline are registered trademarks owned by
Kim Jeong-Hwan.
15 years, 6 months
liberation-fonts
by Jens-Ulrik Petersen
What should the license field of this package be?
I guess the base license is "GPLv2 with exception" (font embedding
exception)? Do we need any additional annotation for License.txt?
Thanks, Jens
15 years, 6 months
Re: dcraw.c licensing ambiguity
by Nils Philippsen
Hi Dave,
thanks for your quick reply. I'll keep fedora-legal-list on copy,
perhaps they want to comment.
On Wed, 2007-09-05 at 20:39 -0400, dcoffin(a)cybercom.net wrote:
> Hi Nils,
>
> I changed the text because some customers are paranoid
> about the letters "GPL". It seems that Debian is bothered by:
>
> > (a) include full source code*
>
> Now I don't need to exactly match the GPL, but I must
> require something that commercial software companies would
> never accept, without creating problems for distributors of
> free software.
>
> How about changing "include" to "offer, at no extra
> charge,"?
I'm not a lawyer ;-), but the source code provisions in the GPL are a
bit complicated -- to stay compatible, one would have to formulate
something compatible to 32 lines of legalese in the GPL license ;-). I
don't know about your customers, but I think an easy way to stay
compatible to the GPL would be dual-licensing, e.g. extend the text to
something like:
"... *If you have not modified dcraw.c in any way, a link to my homepage
qualifies as "full source code". ALTERNATIVELY, at your option, you may
distribute the code under the conditions of the GNU [Lesser] General
Public License Version 2[.1] [(or, at your option, any later version)]
[continue with standard GPL blurb]"
Of course, the version of the [L]GPL and whether you allow later
versions is up to you (it's your code). Would your customers be scared
away by that?
Thanks,
Nils
> Dave Coffin 9/5/2007
>
> On Wed, Sep 05, 2007 at 05:08:33PM +0200, Nils Philippsen wrote:
> > Hi Dave,
> >
> > I'm the Fedora/Red Hat Enterprise Linux package maintainer for dcraw and
> > when going over the licenses of some of my packages I found that the
> > licensing blurb of dcraw.c has changed like this ("-": old, "+": new
> > version):
> >
> > --- 8< ---
> > - Attention! Some parts of this program are restricted under the
> > - terms of the GNU General Public License. Such code is enclosed
> > - in "BEGIN GPL BLOCK" and "END GPL BLOCK" declarations.
> > - Any code not declared GPL is free for all uses.
> > + No license is required to download and use dcraw.c. However,
> > + to lawfully redistribute this code, you must either (a) include
> > + full source code* for all executable files containing RESTRICTED
> > + functions, (b) remove all RESTRICTED functions, re-implement them,
> > + or copy them from an earlier, unrestricted Revision of dcraw.c,
> > + or (c) purchase a license from the author.
> >
> > - Starting in Revision 1.237, the code to support Foveon cameras
> > - is under GPL.
> > + The functions that process Foveon images have been RESTRICTED
> > + since Revision 1.237. All other code remains free for all uses.
> >
> > - To lawfully redistribute dcraw.c, you must either (a) include
> > - full source code for all executable files containing restricted
> > - functions, (b) remove these functions, re-implement them, or
> > - copy them from an earlier, non-GPL Revision of dcraw.c, or (c)
> > - purchase a license from the author.
> > + *If you have not modified dcraw.c in any way, a link to my
> > + homepage qualifies as "full source code".
> > --- >8 ---
> >
> > With the upcoming Fedora version 8, we want all packages' licensing
> > terms to be listed in the package (e.g. "GPLv2+" for "GNU GPL Version 2 or
> > later"). Now I'm a bit unsure about what to do about the terms of
> > dcraw.c and whether they are still GPL compatible(*) and so forth.
> >
> > (*): IIRC, GPL allows distribution of a binary without source code but a
> > written offer to ship it on request. The source code provisions in the
> > dcraw terms might be "additional restrictions" that aren't GPL
> > compatible.
> >
> > Would you please shed some light on this? I'd very much appreciate it.
> >
> > Thanks in advance,
> > Nils
> > --
> > Nils Philippsen / Red Hat / nphilipp(a)redhat.com
> > "Those who would give up Essential Liberty to purchase a little Temporary
> > Safety, deserve neither Liberty nor Safety." -- B. Franklin, 1759
> > PGP fingerprint: C4A8 9474 5C4C ADE3 2B8F 656D 47D8 9B65 6951 3011
--
Nils Philippsen / Red Hat / nphilipp(a)redhat.com
"Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety." -- B. Franklin, 1759
PGP fingerprint: C4A8 9474 5C4C ADE3 2B8F 656D 47D8 9B65 6951 3011
15 years, 6 months
License short name: LGPLv2 or LGPLv2.1?
by Michel Salim
There is no release of LGPLv2, so the short names for LGPL listed on
the Licensing page are a bit unclear.
Would it be better to use LGPLv2.1, LGPLv2.1+ etc. as opposed to
LGPLv2 et al.? It seems odd to refer to a non-existent license.
Thanks,
--
Michel Salim
15 years, 6 months