Package: apache2
Version: 2.0.54-5
Severity: serious
Justification: Policy 2.2.1

Hi!
By reviewing the copyright file, I found out that apache2 includes code
that does not seem to comply with the DFSG.
What is worse, I even found some code that does not seem to be
distributable at all...

Quoting from the copyright file itself:

For the test\zb.c component:

| /* ZeusBench V1.01
| ===============
|
| This program is Copyright (C) Zeus Technology Limited 1996.
|
| This program may be used and copied freely providing this copyright notice
| is not removed.
|
| This software is provided "as is" and any express or implied waranties,
| including but not limited to, the implied warranties of merchantability and
| fitness for a particular purpose are disclaimed. In no event shall
| Zeus Technology Ltd. be liable for any direct, indirect, incidental, special,
| exemplary, or consequential damaged (including, but not limited to,
| procurement of substitute good or services; loss of use, data, or profits;
| or business interruption) however caused and on theory of liability. Whether
| in contract, strict liability or tort (including negligence or otherwise)
| arising in any way out of the use of this software, even if advised of the
| possibility of such damage.
|
| Written by Adam Twiss ([EMAIL PROTECTED]). March 1996
|
| Thanks to the following people for their input:
| Mike Belshe ([EMAIL PROTECTED])
| Michael Campanella ([EMAIL PROTECTED])
|
| */

This license does not grant any permission to modify and to distribute
modifications and derivative works (fails DFSG#3).
Upstream copyright holders should be contacted and asked to relicense
the file: I would suggest the Expat license
(http://www.jclark.com/xml/copying.txt).

| For the srclib\apr-util\test\testmd4.c component:
|
| *
| * This is derived from material copyright RSA Data Security, Inc.
| * Their notice is reproduced below in its entirety.
| *
| * Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All
| * rights reserved.
| *
| * RSA Data Security, Inc. makes no representations concerning either
| * the merchantability of this software or the suitability of this
| * software for any particular purpose. It is provided "as is"
| * without express or implied warranty of any kind.
| *
| * These notices must be retained in any copies of any part of this
| * documentation and/or software.
| */

This does not even grant *any* permissions. It seems to be
undistributable (fails DFSG#1 and DFSG#3).
If this is the case, distributing it is also a copyright violation and
should stop ASAP.
Again upstream copyright holders should be contacted and asked to
relicense the file: a good choice could be the Expat license.

| For the srclib\apr\include\apr_md5.h component:
| /*
| * This is work is derived from material Copyright RSA Data Security, Inc.
| *
| * The RSA copyright statement and Licence for that original material is
| * included below. This is followed by the Apache copyright statement and
| * licence for the modifications made to that material.
| */
|
| /* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
| rights reserved.
|
| License to copy and use this software is granted provided that it
| is identified as the "RSA Data Security, Inc. MD5 Message-Digest
| Algorithm" in all material mentioning or referencing this software
| or this function.
|
| License is also granted to make and use derivative works provided
| that such works are identified as "derived from the RSA Data
| Security, Inc. MD5 Message-Digest Algorithm" in all material
| mentioning or referencing the derived work.
|
| RSA Data Security, Inc. makes no representations concerning either
| the merchantability of this software or the suitability of this
| software for any particular purpose. It is provided "as is"
| without express or implied warranty of any kind.
|
| These notices must be retained in any copies of any part of this
| documentation and/or software.
| */

An identical license holds for the following files:
- srclib\apr\passwd\apr_md5.c
- srclib\apr-util\crypto\apr_md4.c
- srclib\apr-util\include\apr_md4.h

This license grants permission to "copy and use" and to "make and use
derivative works", but no explicit permission to distribute the
derivative works (fails DFSG#3).
Upstream copyright holders should be got in touch with and asked for a
license change: I would again suggest to recommend the Expat license.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.32
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages apache2 depends on:
ii  apache2-mpm-worker  2.0.54-5  high speed threaded model for Apac

-- no debconf information