
OpenSAML



(Please cc me on replies, as I'm not subscribed to debian-legal.  I think
this discussion is likely to be sadly short, but let me know if I really
need to subscribe for it.)

Several of us at Stanford have been looking at what would be involved to
package Shibboleth (an interinstitutional web authentication system) for
Debian.  Shibboleth is being used more and more among higher ed
institutions and is starting to get buy-in from vendors of for-pay
academic journals and similar web services.  It has a number of library
dependencies that are not currently in Debian, one of which is
OpenSAML.

OpenSAML is covered by the Apache 2.0 license, but also has the following
statement:

  Finally, be aware that RSA Security Inc. has asserted a patent claim
  against all implementations of SAML. Their terms for licensing can be
  found at http://www.rsasecurity.com/solutions/standards/saml/

  As a SAML toolkit, OpenSAML may be subject to this claim and developers
  may obtain a royalty-free license from RSA directly. Internet2 and
  OpenSAML's developers are not responsible for anyone's failure to do so,
  and take no position on the validity of this claim.

I looked briefly at the RSA license agreement, and it *appears* to be
DFSG-free in terms of its provisions, but it requires a signature and
mutual patent grant in the covered area with an institution with
sufficient legal existence to sign such an agreement.  My intuition is
that, unless we have fairly firm knowledge that this patent is invalid
(and I haven't seen any sign of that), this means that OpenSAML is not
distributable by Debian (even in non-free).

If other people would look this over and double-check my reasoning, I'd
really appreciate it.  I'd love to be shown to be wrong, since we're going
to have to package Shibboleth anyway and I'd rather share that work with
the broader Debian community, but I'm not interested in maintaining
Shibboleth packages in contrib depending on a library that isn't in
Debian at all.

I did a Google search and didn't uncover any previous discussion of this
package, but let me know if I missed a previous archived discussion.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>


