Hi Francesco, Quoting Francesco Poli (wintermute) (2016-04-30 21:32:26) > I noticed that two files included in the ghostscript source package > are documented in the debian/copyright file as distributed under the > terms of a non-free Unicode license. > > The two files are: > > Files: base/ConvertUTF.c > base/ConvertUTF.h > Copyright: 2001-2004, Unicode, Inc > License: Unicode [...] > At the very least, this license does not grant any permission to > modify the files (thus failing DFSG#3). Moreover, the license grant > seems to attempt to restrict use to "products supporting the Unicode > Standard" (thus failing DFSG#6). > See also https://lists.debian.org/debian-legal/2015/12/msg00000.html > where an FTP Assitant confirmed that files which restrict "use to only > that of implementing a standard" are not fit for Debian main. > > Therefore, the two files under discussion appear to be non-free.
Seems you are right. > However, this issue could possibly be easy to solve. > If Unicode Inc has published new versions of the two files in > more recent times, the updated versions should be under the > current unicode.org public license, as explained in > http://www.unicode.org/copyright.html#Exhibit1 > > Please check whether newer versions of those files are released > in one of the Unicode web site areas mentioned in the cited Exhibit1. > The newer versions could perhaps be used as replacements for the > non-free ones. Unfortunately, upstream seems to have _dropped_ the code due to being buggy and unmaintained since 2004, according to http://unicode.org/forum/viewtopic.php?f=9&t=90 - summarized at http://stackoverflow.com/questions/2685004/why-does-unicode-org-no-longer-offer-a-reference-utf-8-16-32-converter Above forum discussion mentions only version numbers (up to 1.4 and a possible alpha of 1.5), the year I found by looking at latest available snapshot of the code at archive.org and the timestamps of that page: https://web.archive.org/web/20081228105917/http://www.unicode.org/Public/PROGRAMS/CVTUTF/ This gets worse: Seems many more packages embed this code: https://codesearch.debian.net/search?q=ConversionResult+ConvertUTF8toUTF16 I have reported this upstream. Will register at the secure-testing team as a case of Embedded Code Copy as well. - Jonas -- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private
signature.asc
Description: signature
