Re: Unfortunate Licence Mix

2004-06-15 Thread Mahesh T. Pai
Nathanael Nerode said on Mon, Jun 14, 2004 at 01:20:11PM -0400,:

> unfortunately it's not clear yet whether that's GPL-compatible;
> eventually some version of the Apache license should be though.

Apache says ASL 2.0 is GPL compatible, FSF says it is not.
 
-- 
 Mahesh T. Pai   http://paivakil.port5.com



Re: Unfortunate Licence Mix

2004-06-14 Thread Russ Allbery
Joachim Breitner <[EMAIL PROTECTED]> writes:

> I was just about to package "psybnc"[1], a popular irc bouncer.

> A closer look into the src/ dir revealed that the author seems to have
> followed the Free Software spirit by not re-inventing a lot of wheels,
> but didn't pay close attention to legal stuff...

> His own works are GPLed, and have correct copyright notes. But there are
> two files that worry me:

One thing that you could offer the original author is better replacements
for these two files.  INN contains an snprintf.c based on an
implementation placed under a very permissive license, the one that's also
used by mutt and wget but with some additional improvements.  It also
contains a setenv.c that I wrote myself from scratch (a simple wrapper
around putenv) and which is in the public domain or the functional
equivalent thereof in your jurisdiction if it doesn't allow one to put
something into the public domain.

You'd have to switch the setenv implementation back to strcpy and strcat
from strlcpy and strlcat, but the latter were used only out of paranoia.

I realize neither function particularly matters on Debian where both
functions are available in glibc, but he may prefer to switch over to
cleaner-licensed copies anyway.

(This issue is precisely why I didn't use the Apache snprintf in INN.)

-- 
Russ Allbery ([EMAIL PROTECTED]) 



Re: Unfortunate Licence Mix

2004-06-14 Thread Josh Triplett
Joachim Breitner wrote:
> I was just about to package "psybnc"[1], a popular irc bouncer. 
> 
> A closer look into the src/ dir revealed that the author seems to have
> followed the Free Software spirit by not re-inventing a lot of wheels,
> but didn't pay close attention to legal stuff...

Never a good combination. :)

> His own works are GPLed, and have correct copyright notes. But there are
> two files that worry me:
> 
> snprintf.c:
> 
>>/*
>> * changed slightly for the use in psyBNC 2.2.1 by psychoid
>> * changed a little bit more for 2.2.2. We always use this
>> * in psybnc now, but without any support of %n or %p. Hope
>> * you love the fact no format bugs can be exploited, even if you
>> * are able to bypass the formatstring-filter which is
>> * built into psybnc since version 1.1 :)
>> */
>>/* 
>> * Copyright (c) 1995-1999 The Apache Group.  All rights reserved.
>> *
[snip Apache License, version 1.0]
>> *
>> * This code is based on, and used with the permission of, the
>> * SIO stdio-replacement strx_* functions by Panos Tsirigotis
>> * <[EMAIL PROTECTED]> for xinetd.
>> */

This is definitely incompatible with the GPL, which makes the work not
distributable.  However, depending on how much SIO differs from stdio,
it might be possible to replace this with code from glibc or from some
other stdio implementation.

Side note: while researching this further, I discovered that the xinetd
license requires keeping the original version number and only appending
new numbers:

> 1. The version number will be modified as follows:
>   a. The first 3 components of the version number
>  (i.e ..) will remain unchanged.
>   b. A new component will be appended to the version number to
>  indicate the modification level. The form of this component
>  is up to the author of the modifications.

While DFSG4 does allow licenses that "require derived works to carry a
different name or version number from the original software", this seems
to go much further than that, since it requires keeping the original
version number.  There is a note in the license file giving the current
upstream maintainer an exception, but that does not change the
requirement for other distributors.

> (sorry for posting the whole thing, but with legal stuff, I better not
> cut away stuff that might be important).

Thank you.  It is always preferred to include the full text of licenses
in the body of mails to debian-legal, for quoting and commentary.

> And the second file, bsd-setenv.c:
> 
>>/*
>> * Copyright (c) 1987 Regents of the University of California.
>> * All rights reserved.
>> *
[snip 4-clause BSD license]
>> */
> 
> If I paid attention, both of these contain the "bad" advertising clause
> that makes them incompatible with the GPL, and thus the psybnc
> distribution impossible. Is that right?

Yes.  Also, the Apache license is incompatible with the GPL even in the
newer versions without the advertising clause, because it has a
requirement not to use the name "Apache" in derived works.

> Is it also right that finding re-licenced versions of bsd-setenv.c
> (without the Advertising Clause) would solve the problem for this file?
> Or can I just re-licence the file myself, since BSD officially changed
> the licence for all their works (or something)?

Since the copyright holder is the "Regents of the University of
California", the advertising clause is superseded by
ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change , so you
could just include a note in debian/copyright to that effect.

- Josh Triplett



Re: Unfortunate Licence Mix

2004-06-14 Thread Nathanael Nerode


Joachim Breitner wrote:

> Hi,
> 
> I was just about to package "psybnc"[1], a popular irc bouncer.
> 
> A closer look into the src/ dir revealed that the author seems to have
> followed the Free Software spirit by not re-inventing a lot of wheels,
> but didn't pay close attention to legal stuff...
> 
> His own works are GPLed, and have correct copyright notes. But there are
> two files that worry me:
> 
> snprintf.c:


> And the second file, bsd-setenv.c:


> If I paid attention, both of these contain the "bad" advertising clause
> that makes them incompatible with the GPL, and thus the psybnc
> distribution impossible. Is that right?
Yes.

> Is it also right that finding re-licenced versions of bsd-setenv.c
> (without the Advertising Clause) would solve the problem for this file?
Yes.

> Or can I just re-licence the file myself, since BSD officially changed
> the licence for all their works (or something)?
Well, Berkeley's relicensing statement is here:
ftp://ftp.cs.berkeley.edu/ucb/4bsd/README.Impt.License.Change

As long as the file is a "BSD Unix" file or part of the "Berkeley Software
Distribution", it seems to be relicensed.  You can determine whether it is
by looking at *BSD for the file; I'd guess, offhand, that it is.

--
The Apache team has been trying to switch to a GPL compatible license.  It's
likely that you can find a relicensed version of the original Apache
snprintf.c file under the Apache License 2.0, but unfortunately it's not
clear yet whether that's GPL-compatible; eventually some version of the
Apache license should be though.

Given what this Apache-licensed file actually is, I'd suggest finding a
GPL-compatibly-licensed snprintf implementation and tweaking it to behave
like the one in psybnc (which appears to simply *remove* functionality).

-- 
There are none so blind as those who will not see.



Re: Unfortunate Licence Mix

2004-06-14 Thread Steve Langasek
On Mon, Jun 14, 2004 at 05:04:48PM +0200, Joachim Breitner wrote:
> I was just about to package "psybnc"[1], a popular irc bouncer. 

> A closer look into the src/ dir revealed that the author seems to have
> followed the Free Software spirit by not re-inventing a lot of wheels,
> but didn't pay close attention to legal stuff...

> His own works are GPLed, and have correct copyright notes. But there are
> two files that worry me:

> snprintf.c:

This code should never be used on Debian systems for technical
reasons (glibc has a perfectly good snprintf() implementation, compiling
this other one in would be unnecessary bloat).

> (sorry for posting the whole thing, but with legal stuff, I better not
> cut away stuff that might be important).

> And the second file, bsd-setenv.c:

Depending on what "BSD" in bsd-setenv.c means, you may not need this
either when using glibc.  I presume that the code is conditionally
enabled, according to whether or not the system setenv is considered
usable?

If neither of these are actually used in the binary, no problem -- if
both licenses otherwise meet the DFSG, you can ship the sources as-is
without concerns over GPL-compatibility, because you just have an
aggregation of source code.

-- 
Steve Langasek
postmodern programmer




Unfortunate Licence Mix

2004-06-14 Thread Joachim Breitner
Hi,

I was just about to package "psybnc"[1], a popular irc bouncer. 

A closer look into the src/ dir revealed that the author seems to have
followed the Free Software spirit by not re-inventing a lot of wheels,
but didn't pay close attention to legal stuff...

His own works are GPLed, and have correct copyright notes. But there are
two files that worry me:

snprintf.c:

> /*
>  * changed slightly for the use in psyBNC 2.2.1 by psychoid
>  * changed a little bit more for 2.2.2. We always use this
>  * in psybnc now, but without any support of %n or %p. Hope
>  * you love the fact no format bugs can be exploited, even if you
>  * are able to bypass the formatstring-filter which is
>  * built into psybnc since version 1.1 :)
>  */
> /* 
>  * Copyright (c) 1995-1999 The Apache Group.  All rights reserved.
>  *
>  * Redistribution and use in source and binary forms, with or without
>  * modification, are permitted provided that the following conditions
>  * are met:
>  *
>  * 1. Redistributions of source code must retain the above copyright
>  *    notice, this list of conditions and the following disclaimer.
>  *
>  * 2. Redistributions in binary form must reproduce the above copyright
>  *    notice, this list of conditions and the following disclaimer in
>  *    the documentation and/or other materials provided with the
>  *    distribution.
>  *
>  * 3. All advertising materials mentioning features or use of this
>  *    software must display the following acknowledgment:
>  *    "This product includes software developed by the Apache Group
>  *    for use in the Apache HTTP server project (http://www.apache.org/)."
>  *
>  * 4. The names "Apache Server" and "Apache Group" must not be used to
>  *    endorse or promote products derived from this software without
>  *    prior written permission. For written permission, please contact
>  *    [EMAIL PROTECTED]
>  *
>  * 5. Products derived from this software may not be called "Apache"
>  *    nor may "Apache" appear in their names without prior written
>  *    permission of the Apache Group.
>  *
>  * 6. Redistributions of any form whatsoever must retain the following
>  *    acknowledgment:
>  *    "This product includes software developed by the Apache Group
>  *    for use in the Apache HTTP server project (http://www.apache.org/)."
>  *
>  * THIS SOFTWARE IS PROVIDED BY THE APACHE GROUP ``AS IS'' AND ANY
>  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
>  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
>  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE APACHE GROUP OR
>  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
>  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
>  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
>  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
>  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
>  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
>  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
>  * OF THE POSSIBILITY OF SUCH DAMAGE.
>  *
>  * This software consists of voluntary contributions made by many
>  * individuals on behalf of the Apache Group and was originally based
>  * on public domain software written at the National Center for
>  * Supercomputing Applications, University of Illinois, Urbana-Champaign.
>  * For more information on the Apache Group and the Apache HTTP server
>  * project, please see .
>  *
>  * This code is based on, and used with the permission of, the
>  * SIO stdio-replacement strx_* functions by Panos Tsirigotis
>  * <[EMAIL PROTECTED]> for xinetd.
>  */

(sorry for posting the whole thing, but with legal stuff, I better not
cut away stuff that might be important).

And the second file, bsd-setenv.c:

> /*
>  * Copyright (c) 1987 Regents of the University of California.
>  * All rights reserved.
>  *
>  * Redistribution and use in source and binary forms, with or without
>  * modification, are permitted provided that the following conditions
>  * are met:
>  * 1. Redistributions of source code must retain the above copyright
>  *    notice, this list of conditions and the following disclaimer.
>  * 2. Redistributions in binary form must reproduce the above copyright
>  *    notice, this list of conditions and the following disclaimer in the
>  *    documentation and/or other materials provided with the distribution.
>  * 3. All advertising materials mentioning features or use of this software
>  *    must display the following acknowledgement:
>  *      This product includes software developed by the University of
>  *      California, Berkeley and its contributors.
>  * 4. Neither the name of the University nor the names of its contributors
>  *    may be used to endo