
Bug#248782: abuse-sfx: violation of license terms



Package: abuse-sfx
Version: 2.00-8
Severity: serious
Justification: Policy 2.3

To view the license terms, see the copyright file:

http://packages.debian.org/changelogs/pool/non-free/a/abuse-sfx/abuse-sfx_2.00-8/copyright

First off, the license only grants the right to *use* the software:

> For purposes of this section, "use" means loading the Software into
> RAM, as well as installation on a hard disk or other storage 
> device.

After granting this right, it then proceeds to list many things that
one is *not* allowed to do:

> You may not:  modify, translate, disassemble, decompile, reverse
> engineer, or create derivative works based upon the Software.  You
> agree that the Software will not be shipped, transferred or exported
> into any country in violation of the U.S. Export Administration Act
> and that you will not utilize, in any other manner, the Software in
> violation of any applicable law.

Nowhere does it grant permission to distribute the software. I'd say
it's strongly implied by the second sentence (why would they bother
specifying that distributing to T7 countries is prohibited if
distribution isn't permitted at all in the first place) but, according
to Policy 2.3, "no distribution or modification of a work is allowed
without an explicit notice saying so".

An even greater worry is a clause that appears to make the Project
responsible for enforcing compliance with the license terms:

> You agree to use your best efforts to see that any user of the
> Software licensed hereunder complies with this Agreement.

First of all, does the Project really agree to that? If not:

> If you fail to comply with any terms of this Agreement, YOUR LICENSE
> IS AUTOMATICALLY TERMINATED.

And if OTOH we *do* agree to that ridiculous condition, we are already
in violation of this policeman clause due to our own policy regarding
the US Export Administration Act.

AIUI, the resolution of the crypto-in-main issue involved implementing
reverse IP lookups on the main archive[1] and having no official
mirrors in the T7 countries[2], thus showing a good-faith attempt to
prevent exporting software to these so-called terrorist states.
Re-exportation, e.g. via a mirror not implementing similar
restrictions, would pose no legal threat to Debian proper since we
would no longer be the ones doing the exporting.

Unfortunately, this license would have us go even further. The Project
would have to actively pressure all the mirror admins to implement
similar restrictions, since the current stance of leaving the decision
entirely up to them would IMO be highly unlikely to count as "best
efforts" on our part to bring them into compliance. Needless to say, I
think it'd be far easier (and more moral) just to drop this package,
together with anything else that has a similarly odious clause.

Thoughts, comments, critiques? I very much doubt that we can continue
to distribute this in light of the above, but I'd be interested to
hear what others think.

[1] http://lists.debian.org/debian-legal/2002/02/msg00181.html
[2] http://lists.debian.org/debian-legal/2002/02/msg00176.html

--
Andrew Saunders



