
Bug#340538: marked as done (apache2: includes non-free and possibly undistributable files)



Your message dated Wed, 16 Aug 2006 14:02:31 +0200
with message-id <20060816120230.GA18989@wolffelaar.nl>
and subject line Fixed in NMU of apache2 2.2.3-1~exp.r170
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: apache2
Version: 2.0.54-5
Severity: serious
Justification: Policy 2.2.1

Hi!

By reviewing the copyright file, I found out that apache2 includes
code that does not seem to comply with the DFSG.
What is worse, I even found some code that does not seem to be
distributable at all...


Quoting from the copyright file itself:

For the test\zb.c component:

| /*                          ZeusBench V1.01
|                             ===============
| 
| This program is Copyright (C) Zeus Technology Limited 1996.
| 
| This program may be used and copied freely providing this copyright notice
| is not removed.
| 
| This software is provided "as is" and any express or implied waranties, 
| including but not limited to, the implied warranties of merchantability and
| fitness for a particular purpose are disclaimed.  In no event shall 
| Zeus Technology Ltd. be liable for any direct, indirect, incidental, special, 
| exemplary, or consequential damaged (including, but not limited to, 
| procurement of substitute good or services; loss of use, data, or profits;
| or business interruption) however caused and on theory of liability.  Whether
| in contract, strict liability or tort (including negligence or otherwise) 
| arising in any way out of the use of this software, even if advised of the
| possibility of such damage.
| 
|      Written by Adam Twiss (adam@zeus.co.uk).  March 1996
| 
| Thanks to the following people for their input:
|   Mike Belshe (mbelshe@netscape.com) 
|   Michael Campanella (campanella@stevms.enet.dec.com)
| 
| */

This license does not grant any permission to modify and to distribute
modifications and derivative works (fails DFSG#3).
Upstream copyright holders should be contacted and asked to relicense
the file: I would suggest the Expat license
(http://www.jclark.com/xml/copying.txt).


| For the srclib\apr-util\test\testmd4.c component:
| 
|  *
|  * This is derived from material copyright RSA Data Security, Inc.
|  * Their notice is reproduced below in its entirety.
|  *
|  * Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All
|  * rights reserved.
|  *
|  * RSA Data Security, Inc. makes no representations concerning either
|  * the merchantability of this software or the suitability of this
|  * software for any particular purpose. It is provided "as is"
|  * without express or implied warranty of any kind.
|  *
|  * These notices must be retained in any copies of any part of this
|  * documentation and/or software.
|  */

This does not even grant *any* permissions.
It seems to be undistributable (fails DFSG#1 and DFSG#3).
If this is the case, distributing it is also a copyright violation
and should stop ASAP.
Again upstream copyright holders should be contacted and asked to relicense
the file: a good choice could be the Expat license.


| For the  srclib\apr\include\apr_md5.h component: 
| /*
|  * This is work is derived from material Copyright RSA Data Security, Inc.
|  *
|  * The RSA copyright statement and Licence for that original material is
|  * included below. This is followed by the Apache copyright statement and
|  * licence for the modifications made to that material.
|  */
| 
| /* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
|    rights reserved.
| 
|    License to copy and use this software is granted provided that it
|    is identified as the "RSA Data Security, Inc. MD5 Message-Digest
|    Algorithm" in all material mentioning or referencing this software
|    or this function.
| 
|    License is also granted to make and use derivative works provided
|    that such works are identified as "derived from the RSA Data
|    Security, Inc. MD5 Message-Digest Algorithm" in all material
|    mentioning or referencing the derived work.
| 
|    RSA Data Security, Inc. makes no representations concerning either
|    the merchantability of this software or the suitability of this
|    software for any particular purpose. It is provided "as is"
|    without express or implied warranty of any kind.
| 
|    These notices must be retained in any copies of any part of this
|    documentation and/or software.
|  */

An identical license holds for the following files:

 - srclib\apr\passwd\apr_md5.c
 - srclib\apr-util\crypto\apr_md4.c
 - srclib\apr-util\include\apr_md4.h

This license grants permission to "copy and use" and to "make and
use derivative works", but no explicit permission to distribute the
derivative works (fails DFSG#3).
Upstream copyright holders should be got in touch with and asked
for a license change: I would again suggest to recommend the Expat
license.


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.32
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages apache2 depends on:
ii  apache2-mpm-worker            2.0.54-5   high speed threaded model for Apac

-- no debconf information


--- End Message ---
--- Begin Message ---
Version: 2.2.3-1~exp.r170

tag 236193 - fixed
tag 238586 - fixed
tag 241223 - fixed
tag 273929 - fixed
tag 285337 - fixed
tag 337817 - fixed
tag 340538 - fixed
tag 340955 - fixed
tag 341460 - fixed
tag 343467 - fixed
tag 344072 - fixed
tag 348189 - fixed
tag 353443 - fixed
tag 368497 - fixed
tag 379015 - fixed
thanks

On Tue, Aug 15, 2006 at 11:04:50AM -0700, Jeroen van Wolffelaar wrote:
> This message was generated automatically in response to a
> non-maintainer upload.  The .changes file follows.

Actually, fixed in experimental, so the 'fixed' tag is inappropriate
here. Now closing bugs properly.

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Format: 1.7
> Date: Tue, 15 Aug 2006 16:17:33 +0200
> Source: apache2
> Binary: apache2-utils apache2-prefork-dev apache2 apache2-mpm-prefork apache2-doc apache2-mpm-event apache2-mpm-worker apache2-threaded-dev apache2-common apache2-mpm-perchild
> Architecture: source all i386
> Version: 2.2.3-1~exp.r170
> Distribution: experimental
> Urgency: low
> Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
> Changed-By: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
> Description: 
>  apache2    - Next generation, scalable, extendable web server
>  apache2-common - Next generation, scalable, extendable web server
>  apache2-doc - documentation for apache2
>  apache2-mpm-event - Event driven model for Apache HTTPD 2.1
>  apache2-mpm-perchild - Transitional package - please remove
>  apache2-mpm-prefork - Traditional model for Apache HTTPD 2.1
>  apache2-mpm-worker - High speed threaded model for Apache HTTPD 2.1
>  apache2-prefork-dev - development headers for apache2
>  apache2-threaded-dev - development headers for apache2
>  apache2-utils - utility programs for webservers
> Closes: 236193 238586 241223 273929 285337 337817 340538 340955 341460 343467 344072 348189 353443 368497 379015
> Changes: 
>  apache2 (2.2.3-1~exp.r170) experimental; urgency=low
>  .
>    [ Jeroen van Wolffelaar ]
>    * Staging upload to experimental of subversion revision r170
>  .
>    [ Thom May, Tollef Fog Heen, Fabio M. Di Nitto and Adam Conrad ]
>    * New Upstream Release.  Closes: #344072
>      http://httpd.apache.org/docs/2.2/new_features_2_2.html has a list of
>      new features and changes.
>      - Fixes LFS support. Closes: #341460, #285337, #241223
>      - Fixes off-by-one error in mod_rewrite ldap schema handling
>        (CVE-2006-3747)
>      - Fixes XSS issue in mod_imap/mod_imagemap (CVE-2005-3352).
>        Closes: #343467.
>      - mpm_perchild no longer exists, so closing bugs for perchild.
>        Closes: #236193, #238586
>      - Fixes PHP POST with SSLVerifyClient. Closes: 353443
>    * Build-depend on lsb-release and pick up the branding from there.
>    * Build-depend on apr-util 1.0 which is now in a separate source
>      package.
>    * Mangle the Debian layout to be more FHS compatible
>    * No longer build-conflict with libgdbm-dev
>    * Use external PCRE
>    * Make apache2-utils stop providing apache2-utils.  Also make it stop
>      conflicting with itself.
>    * Rename default site from default-site to just default.
>    * Try to migrate modules which used to be built-in:, alias, mime,
>      authz_host, autoindex, dir, env, negotiation, setenvif, status.
>    * Mod imap has been renamed to imagemap, ditto for auth_ldap =>
>      authnz_ldap.  Cope with that in postinst.
>    * Stop globbing in apache2.conf.
>      Closes: #337817, #340955, #348189, #379015, #368497
>    * Don't install CHANGES into the apache2 package.  It's just a
>      metapackage.
>    * Add rudimentary rdeps handling to a2dismod.  Closes: #273929
>    * Stop providing apache-utils.
>    * Cope with /var/run and /var/lock on tmpfs.
>    * Remove all subdirs in srclib as we are using external libraries for
>      those anyway.  Also remove test/zb.c.  Closes: 340538
>    * Make ssl.conf not block on /dev/random, but rather use /dev/urandom.
>    * Make apache2-common depend on lsb-base, thanks to Gleb Arshinov
> Files: 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (GNU/Linux)
> Comment: Signed by Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
> 
> iD8DBQFE4edHl2uISwgTVp8RAp5CAJ41K4n3yAuZPetFc3sVWRXkriR2YQCfbz9T
> 5CF91F/2NC/dfamYc5g6kiY=
> =ODdi
> -----END PGP SIGNATURE-----

-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl

--- End Message ---
