Re: [debian-ntp] Bug#328200: Problems with ntp

To: 328200@bugs.debian.org, Steve Langasek <vorlon@debian.org>
Cc: debian-release@lists.debian.org, debian-legal@lists.debian.org
Subject: Re: [debian-ntp] Bug#328200: Problems with ntp
From: Bdale Garbee <bdale@gag.com>
Date: Wed, 14 Sep 2005 11:49:54 -0600
Message-id: <[🔎] 1126720194.7436.88.camel@rover.gag.com>
In-reply-to: <[🔎] 20050914070336.GI24900@tennyson.dodds.net>
References: <[🔎] 20050914050730.GA5127@twcny.rr.com> <[🔎] 20050914070336.GI24900@tennyson.dodds.net>

On Wed, 2005-09-14 at 00:03 -0700, Steve Langasek wrote:

> The maintainers should have a chance to clear up this question first.

Ok, I've just been through the ntp source tree looking at all the
copyright and license assertions.  Executive summary is that there are
indeed some problems, but it's not bad, and I believe it can be fixed
with an upload that elides certain bits from the upstream sources and
makes one small change in the source code.

Here's what I found...

The contents of the ElectricFence subdirectory are GPL, redundant with
the Debian packages, and comletely unused.  Since we have to elide the
upstream source anyway, we could clip this tree, or we could leave it
and add a suitable content to debian/copyright.

The file util/ansi2knr.c is also GPL.  I'm pretty sure it's unused, but
an easy reference in debian/copyright would cover it.

The contents of the adjtimed subdirectory and a few files scattered
around the rest of the tree are copyright by Tai Jin, with a unique
license that is clearly DFSG-ok.  I suggest we add suitable content to
debian/copyright taken from adjtimed/adjtimed.c.

The arlib subdirectory contents are non-free, but only relevant if
configure is called with the --with-arlib option that we don't use.  I
suggest this be elided from the upstream source for the Debian source
package.

The file html/build/hints/solaris-dosynctodr.html appears to have been
taken from a sun.com web page complete with links to a license assertion
on Sun web content that I don't even want to read.  We should remove
this file from our source package.

The files in html/pic include a couple of small images of products that
I presume came from manufacturer web sites, which are used to illustrate
the documentation.  No explicit assertions of copyright or license.  I
believe this is fair use, but if not they could be replaced with an icon
or something and nothing important would be lost.

The file include/global.h has an RSA copyright assertion with "all
rights reserved" and no other grant.  However, the files that include it
clearly came from the rsaref2.0 package, which has a BSD-like license
with advertising clause.  I believe this header file also was part of
that package and therefore covered by the same RSA license terms.
Therefore, I suggest the copyright and license terms from libntp/md5c.c
should be added to debian/copyright to cover all inclusions from
rsaref2.0.

There are several files that are BSD with advertising clause, including
libntp/memmove.c, libntp/mktime.c, libntp/random.c, libntp/strerror.c,
libntp/strstr.c, ntpd/refclock_jupiter.c, and ntpd/refclock_mx4200.c.
These should be referenced in debian/copyright.

There are several files that are BSD-like with advertising clause
(several different copyright holders), including libntp/md5c.c
(mentioned above), libntp/ntp_rfc2553.c, ntpd/refclock_jjy.c,
ntpd/refclock/palisade.c, ntpd/refclock_ripencc.c,
ntpd/refclock_ulink.c, scripts/ntpsweep.in, and all of the sntp subdir
(which I believe is unused).  These should also be referenced in
debian/copyright.

The file libntp/ranny.c is non-free, with a unique copyright and license
assertion:

  /*
   * Random number generator is:
   *
   *      Copyright 1988 by Rayan S. Zachariassen, all rights reserved.
   *      This will be free software, but only when it is finished.
   *
   * Used in ntp by permission of the author.  If copyright is
   * annoying to you, read no further.  Instead, look up the reference,
   * write me an equivalent to this and send it back to me.
   */

  /*
   * Random number generator; see Knuth Vol 2. 2nd ed. p.27 
   * (section 3.2.2)
   */

There is exactly one use of the ranp2() function defined in this file,
which appears in ntpd/ntp_peer.c.  I don't have Knuth nearby, but
staring at the source, this looks like a pseudo-randum generator that as
called is returning an unsigned long containing a random number in the
bottom 16 bits.  Since all it is being used for is to initialize an
association ID, I don't see why we couldn't replace the call to
init_random() in ntp/ntpd.c with a call to srand(time()), and then
replace ranp2(16) in ntpd/ntp_peer.c with rand() & 0xffff?  That would
allow us to elide libntp/ranny.c and the references to it in
libntp/Makefile* from our source package, which is probably easier than
finding the author and asking him to relicense this bit.

That's it.  The rest looks fine to me.

Bdale

Reply to:

Follow-Ups:
- Re: [debian-ntp] Bug#328200: Problems with ntp
  - From: Matthew Garrett <mgarrett@chiark.greenend.org.uk>

References:
- Problems with ntp
  - From: Nathanael Nerode <neroden@twcny.rr.com>
- Re: Problems with ntp
  - From: Steve Langasek <vorlon@debian.org>

Prev by Date: Re: Problems with ntp
Next by Date: Re: CDDL, OpenSolaris, Choice-of-venue and the star package ...
Previous by thread: Re: [debian-ntp] Bug#328200: Problems with ntp
Next by thread: Re: [debian-ntp] Bug#328200: Problems with ntp
Index(es):
- Date
- Thread