Bug#340538: apache2: includes non-free and possibly undistributable files

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#340538: apache2: includes non-free and possibly undistributable files
From: Francesco Poli <frx@firenze.linux.it>
Date: Thu, 24 Nov 2005 00:59:22 +0100
Message-id: <[🔎] E1Ef4WI-0000Lv-WC@neverland>
Reply-to: Francesco Poli <frx@firenze.linux.it>, 340538@bugs.debian.org

Package: apache2
Version: 2.0.54-5
Severity: serious
Justification: Policy 2.2.1

Hi!

By reviewing the copyright file, I found out that apache2 includes
code that does not seem to comply with the DFSG.
What is worse, I even found some code that does not seem to be
distributable at all...


Quoting from the copyright file itself:

For the test\zb.c component:

| /*                          ZeusBench V1.01
|                             ===============
| 
| This program is Copyright (C) Zeus Technology Limited 1996.
| 
| This program may be used and copied freely providing this copyright notice
| is not removed.
| 
| This software is provided "as is" and any express or implied waranties, 
| including but not limited to, the implied warranties of merchantability and
| fitness for a particular purpose are disclaimed.  In no event shall 
| Zeus Technology Ltd. be liable for any direct, indirect, incidental, special, 
| exemplary, or consequential damaged (including, but not limited to, 
| procurement of substitute good or services; loss of use, data, or profits;
| or business interruption) however caused and on theory of liability.  Whether
| in contract, strict liability or tort (including negligence or otherwise) 
| arising in any way out of the use of this software, even if advised of the
| possibility of such damage.
| 
|      Written by Adam Twiss (adam@zeus.co.uk).  March 1996
| 
| Thanks to the following people for their input:
|   Mike Belshe (mbelshe@netscape.com) 
|   Michael Campanella (campanella@stevms.enet.dec.com)
| 
| */

This license does not grant any permission to modify and to distribute
modifications and derivative works (fails DFSG#3).
Upstream copyright holders should be contacted and asked to relicense
the file: I would suggest the Expat license
(http://www.jclark.com/xml/copying.txt).


| For the srclib\apr-util\test\testmd4.c component:
| 
|  *
|  * This is derived from material copyright RSA Data Security, Inc.
|  * Their notice is reproduced below in its entirety.
|  *
|  * Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All
|  * rights reserved.
|  *
|  * RSA Data Security, Inc. makes no representations concerning either
|  * the merchantability of this software or the suitability of this
|  * software for any particular purpose. It is provided "as is"
|  * without express or implied warranty of any kind.
|  *
|  * These notices must be retained in any copies of any part of this
|  * documentation and/or software.
|  */

This does not even grant *any* permissions.
It seems to be undistributable (fails DFSG#1 and DFSG#3).
If this is the case, distributing it is also a copyright violation
and should stop ASAP.
Again upstream copyright holders should be contacted and asked to relicense
the file: a good choice could be the Expat license.


| For the  srclib\apr\include\apr_md5.h component: 
| /*
|  * This is work is derived from material Copyright RSA Data Security, Inc.
|  *
|  * The RSA copyright statement and Licence for that original material is
|  * included below. This is followed by the Apache copyright statement and
|  * licence for the modifications made to that material.
|  */
| 
| /* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
|    rights reserved.
| 
|    License to copy and use this software is granted provided that it
|    is identified as the "RSA Data Security, Inc. MD5 Message-Digest
|    Algorithm" in all material mentioning or referencing this software
|    or this function.
| 
|    License is also granted to make and use derivative works provided
|    that such works are identified as "derived from the RSA Data
|    Security, Inc. MD5 Message-Digest Algorithm" in all material
|    mentioning or referencing the derived work.
| 
|    RSA Data Security, Inc. makes no representations concerning either
|    the merchantability of this software or the suitability of this
|    software for any particular purpose. It is provided "as is"
|    without express or implied warranty of any kind.
| 
|    These notices must be retained in any copies of any part of this
|    documentation and/or software.
|  */

An identical license holds for the following files:

 - srclib\apr\passwd\apr_md5.c
 - srclib\apr-util\crypto\apr_md4.c
 - srclib\apr-util\include\apr_md4.h

This license grants permission to to "copy and use" and to "make and
use derivative works", but no explicit permission to distribute the
derivative works (fails DFSG#3).
Upstream copyright holders should be got in touch with and asked
for a license change: I would again suggest to recommend the Expat
license.


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.32
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages apache2 depends on:
ii  apache2-mpm-worker            2.0.54-5   high speed threaded model for Apac

-- no debconf information

Reply to:

Prev by Date: Bug#328769: Is this the same as 173257?
Next by Date: Bug#289868: apache2: No keep-alive for MSIE
Previous by thread: Bug#328769: Is this the same as 173257?
Next by thread: Bug#289868: apache2: No keep-alive for MSIE
Index(es):
- Date
- Thread