On 28.06.23 at 00:13, Richard Laager wrote:
> Wait a minute... You are a maintainer for cyrus-sasl.

Just the package maintainer in Debian.

> You have already addressed the BSD-4-clause-KTH in the latest upload.

That is true, which I have noted on the other bug.

> You also fixed debian/copyright to reference BSD-3-Clause-Attribution in the
> latest upload. That license is fine for the reasons I mentioned.

That is your legal take on it. My take is that BSD-3-Clause-Attribution is GPL-incompatible because it has a further
restriction on distribution.

> That just leaves the MD5 stuff, right? You have authored a fix for that, which
> it looks like will be merged shortly:
> https://github.com/cyrusimap/cyrus-sasl/pull/767

If BSD-3-Clause-Attribution was GPL-compatible then, yes, RSA-MD license is the last license that causes a
GPL-incompatibility.

> It seems like you can have this fixed any time (by merging in upstream #767)
> and will have it fixed shortly.

I do not have commit access to upstream nor do I have any particular role there.
The last bugfix release took them more than 3 years and when #767 is released
is unknown.
Even when that happens, upstream still has to eliminate the last instance of
the RSA-MD license.

> So why do I need to do anything?

You don't need to. But you should if you want to keep pidgin in testing.
License compliance will not just magically happen by ignoring the problematic
parts in Debian.

Actually, I am also happy when you appeal to any of the Debian bodies (TC?) about the severity of this bug so that there
is a decision made on it.