
Re: License issues with md5deep



Giovanni Mascellani <g.mascellani@gmail.com> writes:

> In most (all those I won't discuss in this email) of the source files
> there is a notice like this:
> /* MD5DEEP - algorithms.h
>  *
>  * By Jesse Kornblum
>  *
>  * This is a work of the US Government. In accordance with 17 USC 105,
>  * copyright protection is not available for any work of the US Government.
>  *
>  * This program is distributed in the hope that it will be useful, but
>  * WITHOUT ANY WARRANTY; without even the implied warranty of
>  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
>  *
>  */
> 
> As far as I know, this means that I can safely Debianize this
> program,

Yes, I agree.

> simply writing in debian/copyright that it is dropped to
> the public domain.

You should reproduce the entire notice (starting with the "This is a
work" line and ending with the warranty disclaimer) in the
debian/copyright file.

> Anyway, some files have different headings. md5.c reports:
> /*
>  * This code implements the MD5 message-digest algorithm.
>  * The algorithm was written by Ron Rivest.  This code was
>  * written by Colin Plumb in 1993, our understanding is 
>  * that no copyright is claimed and that 
>  * this code is in the public domain.
>  *
>  * Equivalent code is available from RSA Data Security, Inc.
>  * This code has been tested against that, and is 
>  * functionally equivalent,

This paragraph ends on a comma. Was there more text in that paragraph
that has been omitted in this message?

> This writing talks about "our understanding".

Unclear. Any idea who "we" is?

> Can I trust this understanding and mark also this file as left in
> the public domain in debian/copyright?

"No copyright is claimed" isn't enough to place something in the
public domain (and many jurisdictions have no such thing).

Under the Berne convention, copyright affects *every* creative work
of authorship (with specific exceptions) with no action on the part of
the author. That is, even if the author *doesn't* claim it, most
copyright jurisdictions hold that copyright applies anyway.

> sha256.c has:
> /*
>  *  FIPS-180-2 compliant SHA-256 implementation
>  *  written by Christophe Devine
>  *
>  *  This code has been distributed as PUBLIC DOMAIN.
>  *
>  *  Although normally licensed under the GPL on the author's web site,
>  *  he has given me permission to distribute it as public domain as 
>  *  part of md5deep. THANK YOU! Software authors are encouraged to
>  *  use the GPL'ed version of this code available at:
>  *  http://www.cr0.net:8040/code/crypto/sha256/ whenever possible.
>  */
> 
> Is it correct to write in debian/copyright that also this file is in
> the public domain?

This seems clear enough, but we should seek the copyright holder's own
words on this.

> tiger.c looks a bit more difficult:
> /* MD5DEEP - tiger.c
>  *
>  * By Jesse Kornblum
>  *
>  *                SPECIAL COPYRIGHT NOTICE FOR THIS FILE
>  *                         (and this file only)
>  *
>  * This code was adapted from GnuPG and is licensed under the
>  * GNU General Public License as published by the Free Software Foundation;
>  * either version 2 of the license, or (at your option) any later version.
>  *
>  * Some functions have been changed or removed from the GnuPG version.
>  * See comments for details.
>  *
>  * This program is distributed in the hope that it will be useful, but
>  * WITHOUT ANY WARRANTY; without even the implied warranty of
>  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
>  *
>  */
> 
> This file is surely GPL and not in the public domain.

Agreed.

> Isn't it illegal to link GPL object code with other non-GPL object code
> and not distribute it as GPL?

It would violate the terms of the GPL, yes. In the absence of any
other license from the copyright holder, that violation voids any
permission to redistribute the work at all.

> In other words, because of only this GPL file, all the package
> should be GPL licensed, isn't it?

I think that's the case, yes.

> Last, but not least, whirpool.c and whirpool.h don't have any
> copyright notice at all.

That's problematic. You might encourage the upstream to identify the
copyright holder for those works.

> The README says:
> This program is a work of the US Government. In accordance with 17 USC
> 105, copyright protection is not available for any work of the US
> Government.

This is one of the exceptions in copyright law to the "everything is
copyrighted by default" rule.

> Lawyer to English translation: This program is PUBLIC DOMAIN.

In jurisdictions that support that, yes.

> Not only is this program not copyrighted, but IT CANNOT BE
> COPYRIGHTED BY ANYBODY AT ANY TIME UNDER ANY CIRCUMSTANCES.

Wrong. Anything in the public domain can, merely by redistributing
with some trivial amount of creative work, gain a new copyright
holder.

> In Debianizing this program, I own a piece of copyright on the
> final work. Isn't this in contrast with the "Lawyer to English"
> clause?

Yes. Anyone may take from the public domain and use in their own work,
holding copyright in the result.

> Sorry for writing this long and meticulous email, but this is my
> second package and I'm not expert yet. I wouldn't want to do
> anything illegal!

You're right to be careful; this is a tricky and often
counterintuitive area.

> PS: please reply to me in CC, because I'm not subscribed to debian-legal.

Done.

-- 
 \             "Experience is that marvelous thing that enables you to |
  `\      recognize a mistake when you make it again."  -- Franklin P. |
_o__)                                                            Jones |
Ben Finney


