Re: OpenSAML

To: debian-legal@lists.debian.org
Subject: Re: OpenSAML
From: Russ Allbery <rra@debian.org>
Date: Thu, 18 May 2006 16:07:33 -0700
Message-id: <[🔎] 874pznrky2.fsf@windlord.stanford.edu>
In-reply-to: <20060518015523.GA21398@stonewall.crustytoothpaste.ath.cx> (Brian M. Carlson's message of "Thu, 18 May 2006 01:55:23 +0000")
References: <[🔎] 87r72sus0s.fsf@windlord.stanford.edu> <20060518015523.GA21398@stonewall.crustytoothpaste.ath.cx>

(Please cc me on replies, as I'm not subscribed to debian-legal.  Let me
know if I need to subscribe for this discussion.)

Brian M Carlson <sandals@crustytoothpaste.ath.cx> writes:

> You are correct.  I didn't even give more than a cursory glance to the
> license, because whether or not it's free is moot.  I will quote from
> Policy 2.3:

>      We reserve the right to restrict files from being included anywhere in
>      our archives if
>         * their use or distribution would break a law,
>         * there is an ethical conflict in their distribution or use,
>         * we would have to sign a license for them, or
>         * their distribution would conflict with other project policies.

> I'm not going to start on the ethics of patents because this license
> violates point 3.  In other words, even if the license is DFSG-free, if
> it requires a signature, it's unacceptable for the archive as a whole.

Good point.  That's even more obvious than the line of reasoning I was
using.

However, I also just got good news.  Apparently at the same time that I
was investigating this, extended efforts towards getting RSA to relicense
their patents paid off.  RSA has now licensed the patents under the
following statement:

    In the interest of encouraging deployment of SAML-based technologies,
    RSA hereby covenants, free of any royalty, that it will not assert any
    claims in the RSA Patents which may be essential to the SAML standard
    v1.0, 1.1 and 2.0 (hereinafter "NECESSARY CLAIMS") against any other
    entity with respect to any implementation conforming to the SAML
    standard v1.0, 1.1 and/or 2.0.  This covenant shall become null and
    void with respect to any entity that asserts, either directly or
    indirectly (e.g. through an affiliate), any patent claims or threatens
    or initiates any patent infringement suit against RSA and/or its
    subsidiaries or affiliates.  The revocation of the covenant shall
    extend to all prior use by the entity asserting the claim.

I'd appreciate a second set of eyes from the debian-legal perspective, but
I believe this is sufficient for Debian's purposes, is similar to the
patent clauses on other software in the archive, and will remove the last
obstacle preventing OpenSAML from being considered DFSG-free.  Please note
that this is not the *license* (the license for the package is the same
Apache 2.0 license used for Apache itself), and hence the comment about
patent claims against RSA doesn't invalidate the software *license*, only
the guarantee by RSA that it won't enforce its patents.

The full statement of patent grants related to SAML is posted at:

    <http://www.oasis-open.org/committees/security/ipr.php>

Note that this page is somewhat confusing in that the grants at the top of
the page supersede grants farther down on the page from the same entities.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

References:
- OpenSAML
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Re: Sun Java available from non-free
Next by Date: Re: Sun Java available from non-free
Previous by thread: Re: OpenSAML
Next by thread: Re: [JPackage-discuss] Sun Java available from non-free
Index(es):
- Date
- Thread