Re: OpenSAML

2006-05-18 Thread Russ Allbery
(Please cc me on replies, as I'm not subscribed to debian-legal.  Let me
know if I need to subscribe for this discussion.)

Brian M Carlson <[EMAIL PROTECTED]> writes:

> You are correct.  I didn't even give more than a cursory glance to the
> license, because whether or not it's free is moot.  I will quote from
> Policy 2.3:

>  We reserve the right to restrict files from being included anywhere in
>  our archives if
> * their use or distribution would break a law,
> * there is an ethical conflict in their distribution or use,
> * we would have to sign a license for them, or
> * their distribution would conflict with other project policies.

> I'm not going to start on the ethics of patents because this license
> violates point 3.  In other words, even if the license is DFSG-free, if
> it requires a signature, it's unacceptable for the archive as a whole.

Good point.  That's even more obvious than the line of reasoning I was
using.

However, I also just got good news.  Apparently at the same time that I
was investigating this, extended efforts towards getting RSA to relicense
their patents paid off.  RSA has now licensed the patents under the
following statement:

In the interest of encouraging deployment of SAML-based technologies,
RSA hereby covenants, free of any royalty, that it will not assert any
claims in the RSA Patents which may be essential to the SAML standard
v1.0, 1.1 and 2.0 (hereinafter "NECESSARY CLAIMS") against any other
entity with respect to any implementation conforming to the SAML
standard v1.0, 1.1 and/or 2.0.  This covenant shall become null and
void with respect to any entity that asserts, either directly or
indirectly (e.g. through an affiliate), any patent claims or threatens
or initiates any patent infringement suit against RSA and/or its
subsidiaries or affiliates.  The revocation of the covenant shall
extend to all prior use by the entity asserting the claim.

I'd appreciate a second set of eyes from the debian-legal perspective, but
I believe this is sufficient for Debian's purposes, is similar to the
patent clauses on other software in the archive, and will remove the last
obstacle preventing OpenSAML from being considered DFSG-free.  Please note
that this is not the *license* (the license for the package is the same
Apache 2.0 license used for Apache itself), and hence the comment about
patent claims against RSA doesn't invalidate the software *license*, only
the guarantee by RSA that it won't enforce its patents.

The full statement of patent grants related to SAML is posted at:

<http://www.oasis-open.org/committees/security/ipr.php>

Note that this page is somewhat confusing in that the grants at the top of
the page supersede grants farther down on the page from the same entities.

-- 
Russ Allbery ([EMAIL PROTECTED])   <http://www.eyrie.org/~eagle/>


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: OpenSAML

2006-05-18 Thread Marco d'Itri
[EMAIL PROTECTED] wrote:

> sufficient legal existence to sign such an agreement.  My intuition is
> that, unless we have fairly firm knowledge that this patent is invalid
> (and I haven't seen any sign of that), this means that OpenSAML is not
> distributable by Debian (even in non-free).
No. The policy of Debian is to ignore patents unless we know that they
are being actively enforced.

-- 
ciao,
Marco





OpenSAML

2006-05-17 Thread Russ Allbery
(Please cc me on replies, as I'm not subscribed to debian-legal.  I think
this discussion is likely to be sadly short, but let me know if I really
need to subscribe for it.)

Several of us at Stanford have been looking at what would be involved to
package Shibboleth (an interinstitutional web authentication system) for
Debian.  Shibboleth is being used more and more among higher ed
institutions and is starting to get buy-in from vendors of for-pay
academic journals and similar web services.  It has a number of library
dependencies that are not currently in Debian, one of which being
OpenSAML.

OpenSAML is covered by the Apache 2.0 license, but also has the following
statement:

  Finally, be aware that RSA Security Inc. has asserted a patent claim
  against all implementations of SAML. Their terms for licensing can be
  found at http://www.rsasecurity.com/solutions/standards/saml/

  As a SAML toolkit, OpenSAML may be subject to this claim and developers
  may obtain a royalty-free license from RSA directly. Internet2 and
  OpenSAML's developers are not responsible for anyone's failure to do so,
  and take no position on the validity of this claim.

I looked briefly at the RSA license agreement, and it *appears* to be
DFSG-free in terms of its provisions, but it requires a signature and
mutual patent grant in the covered area with an institution with
sufficient legal existence to sign such an agreement.  My intuition is
that, unless we have fairly firm knowledge that this patent is invalid
(and I haven't seen any sign of that), this means that OpenSAML is not
distributable by Debian (even in non-free).

If other people would look this over and double-check my reasoning, I'd
really appreciate it.  I'd love to be shown to be wrong, since we're going
to have to package Shibboleth anyway and I'd rather share that work with
the broader Debian community, but I'm not interested in maintaining
Shibboleth packages in contrib depending on a library that isn't in
Debian at all.

I did a Google search and didn't uncover any previous discussion of this
package, but let me know if I missed a previous archived discussion.

-- 
Russ Allbery ([EMAIL PROTECTED])   <http://www.eyrie.org/~eagle/>

