Bug#823100: ghostscript: includes two files claimed to be under a non-free Unicode license

2016-09-18 Thread Jonas Smedegaard
Hi Francesco,

Quoting Francesco Poli (wintermute) (2016-04-30 21:32:26)
> I noticed that two files included in the ghostscript source package 
> are documented in the debian/copyright file as distributed under the 
> terms of a non-free Unicode license.
> 
> The two files are:
> 
>   Files: base/ConvertUTF.c
>    base/ConvertUTF.h
>   Copyright: 2001-2004, Unicode, Inc
>   License: Unicode
[...]
> At the very least, this license does not grant any permission to 
> modify the files (thus failing DFSG#3). Moreover, the license grant 
> seems to attempt to restrict use to "products supporting the Unicode 
> Standard" (thus failing DFSG#6).
> See also https://lists.debian.org/debian-legal/2015/12/msg0.html 
> where an FTP Assistant confirmed that files which restrict "use to only 
> that of implementing a standard" are not fit for Debian main.
> 
> Therefore, the two files under discussion appear to be non-free.

Seems you are right.


> However, this issue could possibly be easy to solve.
> If Unicode Inc has published new versions of the two files in
> more recent times, the updated versions should be under the
> current unicode.org public license, as explained in
> http://www.unicode.org/copyright.html#Exhibit1
> 
> Please check whether newer versions of those files are released
> in one of the Unicode web site areas mentioned in the cited Exhibit1.
> The newer versions could perhaps be used as replacements for the
> non-free ones.

Unfortunately, upstream seems to have _dropped_ the code due to being 
buggy and unmaintained since 2004, according to 
http://unicode.org/forum/viewtopic.php?f=9=90 - summarized at 
http://stackoverflow.com/questions/2685004/why-does-unicode-org-no-longer-offer-a-reference-utf-8-16-32-converter

The above forum discussion mentions only version numbers (up to 1.4 and a 
possible alpha of 1.5); the year I found by looking at the latest available 
snapshot of the code at archive.org and the timestamps of that page: 
https://web.archive.org/web/20081228105917/http://www.unicode.org/Public/PROGRAMS/CVTUTF/

This gets worse: Seems many more packages embed this code:

https://codesearch.debian.net/search?q=ConversionResult+ConvertUTF8toUTF16

I have reported this upstream.  Will register at the secure-testing team 
as a case of Embedded Code Copy as well.


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private




Bug#823100: ghostscript: includes two files claimed to be under a non-free Unicode license

2016-04-30 Thread Francesco Poli (wintermute)
Package: ghostscript
Version: 9.19~dfsg-1+b1
Severity: serious
Justification: Policy 2.2.1

Hello,
I noticed that two files included in the ghostscript source package
are documented in the debian/copyright file as distributed under
the terms of a non-free Unicode license.

The two files are:

  Files: base/ConvertUTF.c
   base/ConvertUTF.h
  Copyright: 2001-2004, Unicode, Inc
  License: Unicode

and the license text is claimed to be:

  License: Unicode
   This source code is provided as is by Unicode, Inc. No claims are made
   as to fitness for any particular purpose. No warranties of any kind are
   expressed or implied. The recipient agrees to determine applicability
   of information provided. If this file has been purchased on magnetic or
   optical media from Unicode, Inc., the sole remedy for any claim will be
   exchange of defective media within 90 days of receipt.
   .
   Limitations on Rights to Redistribute This Code
   .
   Unicode, Inc. hereby grants the right to freely use the information
   supplied in this file in the creation of products supporting the
   Unicode Standard, and to make copies of this file in any form for
   internal or external distribution as long as this notice remains
   attached.

At the very least, this license does not grant any permission
to modify the files (thus failing DFSG#3). Moreover, the license grant
seems to attempt to restrict use to "products supporting the Unicode
Standard" (thus failing DFSG#6).
See also
https://lists.debian.org/debian-legal/2015/12/msg0.html
where an FTP Assistant confirmed that files which restrict "use to
only that of implementing a standard" are not fit for Debian main.

Therefore, the two files under discussion appear to be non-free.

However, this issue could possibly be easy to solve.
If Unicode Inc has published new versions of the two files in
more recent times, the updated versions should be under the
current unicode.org public license, as explained in
http://www.unicode.org/copyright.html#Exhibit1

Please check whether newer versions of those files are released
in one of the Unicode web site areas mentioned in the cited Exhibit1.
The newer versions could perhaps be used as replacements for the
non-free ones.

I hope this issue may be addressed soon.
Thanks for your time!

Bye.