(I'm not subscribed to debian-legal, please cc me on replies.) Hi Alexander,
On Tue, May 31, 2016 at 3:26 AM, Alexander Gerasiov <g...@debian.org> wrote: > Hello Vincent, > > On Fri, 20 May 2016 02:01:11 -0700 > Vincent Cheng <vch...@debian.org> wrote: > >> Hi Alexander, >> >> Sorry about the late reply..."next week" turned into "a few months >> later", but better late than never, right? > Yeah! Good work. I was interrupted with other tasks and had no time to > finish this since that. > > [...] > >> I've gone ahead and merged your WIP branch as well as finish dealing >> with everything left in copyright.TODO, dealing with BTS patches, >> lintian issues, etc., and I think everything is ready for upload now >> except for that DFSG violation you pointed out: >> >> WARNING: DFSG violation in >> src/plugins/contrib/source_exporter/wxPdfDocument/src/pdfencrypt.cpp >> src/plugins/contrib/source_exporter/wxPdfDocument/src/pdfxml.cpp >> >> License: RDS-Data-Security >> License to copy and use this software is granted provided that >> it is identified as the "RSA Data Security, Inc. MD5 Message >> Digest Algorithm" in all material mentioning or referencing this >> software or this function. >> . >> License is also granted to make and use derivative works >> provided that such works are identified as "derived from the RSA >> Data Security, Inc. MD5 Message Digest Algorithm" in all >> material mentioning or referencing the derived work. > > 1. I believe this clause forces Debian to mention RSA Data Security on > every html page and in every place where CodeBlock is mentioned. Isn't > it? > > 2. Your main code is GPL v3 (note, 3d version, not 3+, because there > are several files which don't allow "any later version"). But GPL is > not compatible with such advertising clauses, see famous BSD-4 vs GPL > example: http://www.gnu.org/licenses/license-list.html#OriginalBSD > > I cc debian-legal, these guys will correct me, if I'm wrong. Ah, you're right that the RSA license contains wording that is quite similar to 4-clause BSD's advertising clause. I've filed #826379 to keep track of this issue, and will report a bug upstream as well. I do want to point out that 4-clause BSD is actually DFSG-compatible and suitable for Debian main [1], so there's still no reason to believe that the RSA md5 license violates the DFSG as you originally claim, even though it contains an advertising clause. Codeblocks is non-distributable merely due to GPL's incompatibility with the RSA md5 license (not because it's non-free). >> . >> RSA Data Security, Inc. makes no representations concerning >> either the merchantability of this software or the suitability >> of this software for any particular purpose. It is provided "as >> is" without express or implied warranty of any kind. >> . >> These notices must be retained in any copies of any part of this >> documentation and/or software. >> >> However, I don't think that's actually a DFSG violation. The >> RDS-Data-Security license allows for free use, copying, redistribution >> and derivative works; I don't think any of its clauses are violating >> DFSG. Also, several other packages in Debian main seem to include >> source files that use this license, e.g. erlang [1] or ftpmirror [2]. >> Can you explain why you think it's a DFSG violation? >> >> Regards, >> Vincent >> >> [1] >> http://metadata.ftp-master.debian.org/changelogs/main/e/erlang/unstable_copyright >> [2] >> http://metadata.ftp-master.debian.org/changelogs/main/f/ftpmirror/unstable_copyright > > > I think we should replace this MD5 implementation with any other free > one. (And send patch to upstream, because they are also affected.) s/free/GPL compatible/...it *is* a free license. Just annoyingly non GPL compatible... Regards, Vincent [1] https://www.debian.org/legal/licenses/