Source: codeblocks
Version: 16.01+dfsg-1
Severity: serious
X-Debbugs-CC: g...@debian.org

Codeblocks is licensed under GPL v3, but some files in the source tarball contain code that is licensed as per the terms of RSA Data Security, Inc.'s MD5 Message Digest Algorithm; this license is as follows:

src/plugins/contrib/source_exporter/wxPdfDocument/src/pdfencrypt.cpp
src/plugins/contrib/source_exporter/wxPdfDocument/src/pdfxml.cpp

/*
 **********************************************************************
 ** Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. **
 **                                                                  **
 ** License to copy and use this software is granted provided that   **
 ** it is identified as the "RSA Data Security, Inc. MD5 Message     **
 ** Digest Algorithm" in all material mentioning or referencing this **
 ** software or this function.                                       **
 **                                                                  **
 ** License is also granted to make and use derivative works         **
 ** provided that such works are identified as "derived from the RSA **
 ** Data Security, Inc. MD5 Message Digest Algorithm" in all         **
 ** material mentioning or referencing the derived work.             **
 **                                                                  **
 ** RSA Data Security, Inc. makes no representations concerning      **
 ** either the merchantability of this software or the suitability   **
 ** of this software for any particular purpose. It is provided "as  **
 ** is" without express or implied warranty of any kind.             **
 **                                                                  **
 ** These notices must be retained in any copies of any part of this **
 ** documentation and/or software.                                   **
 **********************************************************************
 */

This license is problematic for codeblocks because while it is free / DFSG-compatible, it contains an advertising clause akin to the original / 4-clause BSD license that renders it incompatible with the GPL, which is what the majority of codeblocks' codebase is licensed under. The GNU project has documented this incompatibility at [1]. There's also some discussion of this issue on debian-legal [2].

The RSA md5 license only applies to code used by the exporter plugin in codeblocks, so we can avoid shipping a non-distributable codeblocks package merely by not including that plugin (no DFSG violation here, no need to repack source tarball). This is what I plan to do until upstream replaces the current md5 implementation with one that does not happen to be GPL-incompatible.

Regards,
Vincent

[1] http://www.gnu.org/licenses/license-list.html#OriginalBSD
[2] https://lists.debian.org/debian-legal/2016/05/msg00011.html