[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: License issues with md5deep

On Sun, Aug 19, 2007 at 07:06:13PM +0200, Giovanni Mascellani wrote:
> Hi all!
> These days I am trying to package md5deep for Debian[1]. Although it is
> my first compiled package (the other was in Python), I'm not having any
> technical problem. I have just a bunch of question for you about the
> license. I don't know if you should write to debian-legal, or you can
> help me directly.
> In most (all those I won't discuss in this email) of the sources file
> there is a notice like this:
> /* MD5DEEP - algorithms.h
>  *
>  * By Jesse Kornblum
>  *
>  * This is a work of the US Government. In accordance with 17 USC 105,
>  * copyright protection is not available for any work of the US
> Government.

> As far as I know, this means that I can safely Debianize this program,
> simply writing in debian/copyright that it is dropped to the public
> domain.

> Anyway, some files are different headings. md5.c reports:
> /*
>  * This code implements the MD5 message-digest algorithm.
>  * The algorithm was written by Ron Rivest.  This code was
>  * written by Colin Plumb in 1993, our understanding is 
>  * that no copyright is claimed and that 
>  * this code is in the public domain.

> This writing talks about "our understanding". Can I trust this
> understanding and mark also this file as left in the public domain in
> debian/copyright?
I think there are probably many copies of this md5.c floating around.
In fact Debian probably already has them.  In fact I suspect that you
can find one in in dpkg..  But try to retain the "Upstream author" for
each file as well as "copyright holder" (if applicable) and "license".

> sha256.c has:
> /*
>  *  FIPS-180-2 compliant SHA-256 implementation
>  *  written by Christophe Devine
>  *
>  *  This code has been distributed as PUBLIC DOMAIN.
>  *
>  *  Although normally licensed under the GPL on the author's web site,
>  *  he has given me permission to distribute it as public domain as 
>  *  part of md5deep. THANK YOU! Software authors are encouraged to
>  *  use the GPL'ed version of this code available at:
>  *  http://www.cr0.net:8040/code/crypto/sha256/ whenever possible.
>  */
> Is it correct to write in debian/copyright that also this file is in
> the public domain?
Yes.  For this file also keep the "GPL Preferred" note.

> tiger.c looks like a bit more difficult:
> /* MD5DEEP - tiger.c
>  *
>  * By Jesse Kornblum
>  *
>  *                         (and this file only)
>  *
>  * This code was adapted from GnuPG and is licensed under the
>  * GNU General Public License as published by the Free Software
> Foundation;
>  * either version 2 of the license, or (at your option) any later
> version.
>  *
>  * Some functions have been changed or removed from the GnuPG version.
>  * See comments for details.
>  *
>  * This program is distributed in the hope that it will be useful, but
>  * WITHOUT ANY WARRANTY; without even the implied warranty of
>  *
>  */
> This file is surely GPL and not in the public domain. Isn't illegal to
> link GPL object code with other non-GPL object code and don't
> distribute it as GPL? In other words, because of only this GPL file,
> all the package should be GPL licensed, isn't it?
To repeat what Russ said: the majority of your souce package is PD.
The resulting binary package (if it links with this file) must be GPL.
You should say this in /copyright.

> In Debianizinig this program, I own a piece of copyright on the final
> work. Isn't this in contrast with the "Lawyer to English" clause?
I think that the GPL doesn't put restrictions on makesystems.  Or are
you also modifying some code (nontrivially)?  Even so obvious licenses
choices for the Debian packaging are GPL and PD which allow you to
distribute the binary package as gpl.


Reply to: