Source: codeblocks
Version: 16.01+dfsg-1
Severity: serious
X-Debbugs-CC: g...@debian.org

Codeblocks is licensed under GPL v3, but some files in the source
tarball contain code that is licensed as per the terms of RSA Data
Security, Inc.'s MD5 Message Digest Algorithm; this license is as
follows:

src/plugins/contrib/source_exporter/wxPdfDocument/src/pdfencrypt.cpp
src/plugins/contrib/source_exporter/wxPdfDocument/src/pdfxml.cpp

/*
 **********************************************************************
 ** Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. **
 **                                                                  **
 ** License to copy and use this software is granted provided that   **
 ** it is identified as the "RSA Data Security, Inc. MD5 Message     **
 ** Digest Algorithm" in all material mentioning or referencing this **
 ** software or this function.                                       **
 **                                                                  **
 ** License is also granted to make and use derivative works         **
 ** provided that such works are identified as "derived from the RSA **
 ** Data Security, Inc. MD5 Message Digest Algorithm" in all         **
 ** material mentioning or referencing the derived work.             **
 **                                                                  **
 ** RSA Data Security, Inc. makes no representations concerning      **
 ** either the merchantability of this software or the suitability   **
 ** of this software for any particular purpose.  It is provided "as **
 ** is" without express or implied warranty of any kind.             **
 **                                                                  **
 ** These notices must be retained in any copies of any part of this **
 ** documentation and/or software.                                   **
 **********************************************************************
 */

This license is problematic for codeblocks because while it is free /
DFSG-compatible, it contains an advertising clause akin to the
original / 4-clause BSD license that renders it incompatible with the
GPL, which is what the majority of codeblocks' codebase is licensed
under. The GNU project has documented this incompatibility at [1].
There's also some discussion of this issue on debian-legal [2].

The RSA md5 license only applies to code used by the exporter plugin
in codeblocks, so we can avoid shipping a non-distributable codeblocks
package merely by not including that plugin (no DFSG violation here,
no need to repack source tarball). This is what I plan to do until
upstream replaces the current md5 implementation with one that does
not happen to be GPL-incompatible.

Regards,
Vincent

[1] http://www.gnu.org/licenses/license-list.html#OriginalBSD
[2] https://lists.debian.org/debian-legal/2016/05/msg00011.html
