Comment 2 for bug 26130

Debian Bug Importer (debzilla) wrote :

Message-Id: <E1Ef4WI-0000Lv-WC@neverland>
Date: Thu, 24 Nov 2005 00:59:22 +0100
From: Francesco Poli <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: apache2: includes non-free and possibly undistributable files

Package: apache2
Version: 2.0.54-5
Severity: serious
Justification: Policy 2.2.1

Hi!

By reviewing the copyright file, I found out that apache2 includes
code that does not seem to comply with the DFSG.
What is worse, I even found some code that does not seem to be
distributable at all...

Quoting from the copyright file itself:

For the test\zb.c component:

| /* ZeusBench V1.01
| ===============
|
| This program is Copyright (C) Zeus Technology Limited 1996.
|
| This program may be used and copied freely providing this copyright notice
| is not removed.
|
| This software is provided "as is" and any express or implied waranties,
| including but not limited to, the implied warranties of merchantability and
| fitness for a particular purpose are disclaimed. In no event shall
| Zeus Technology Ltd. be liable for any direct, indirect, incidental, special,
| exemplary, or consequential damaged (including, but not limited to,
| procurement of substitute good or services; loss of use, data, or profits;
| or business interruption) however caused and on theory of liability. Whether
| in contract, strict liability or tort (including negligence or otherwise)
| arising in any way out of the use of this software, even if advised of the
| possibility of such damage.
|
| Written by Adam Twiss (<email address hidden>). March 1996
|
| Thanks to the following people for their input:
| Mike Belshe (<email address hidden>)
| Michael Campanella (<email address hidden>)
|
| */

This license does not grant any permission to modify and to distribute
modifications and derivative works (fails DFSG#3).
Upstream copyright holders should be contacted and asked to relicense
the file: I would suggest the Expat license
(http://www.jclark.com/xml/copying.txt).

| For the srclib\apr-util\test\testmd4.c component:
|
| *
| * This is derived from material copyright RSA Data Security, Inc.
| * Their notice is reproduced below in its entirety.
| *
| * Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All
| * rights reserved.
| *
| * RSA Data Security, Inc. makes no representations concerning either
| * the merchantability of this software or the suitability of this
| * software for any particular purpose. It is provided "as is"
| * without express or implied warranty of any kind.
| *
| * These notices must be retained in any copies of any part of this
| * documentation and/or software.
| */

This does not even grant *any* permissions.
It seems to be undistributable (fails DFSG#1 and DFSG#3).
If this is the case, distributing it is also a copyright violation
and should stop ASAP.
Again upstream copyright holders should be contacted and asked to relicense
the file: a good choice could be the Expat license.

| For the srclib\apr\include\apr_md5.h component:
| /*
| * This is work is derived from material Copyright RSA Data Security, Inc.
| *
| * The RSA copyright statement and Licence for that original material is
| * included below. This is followed by the Apache copyright statement and
| * licence for the modifications made to that material.
| */
|
| /* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
| rights reserved.
|
| License to copy and use this software is granted provided that it
| is identified as the "RSA Data Security, Inc. MD5 Message-Digest
| Algorithm" in all material mentioning or referencing this software
| or this function.
|
| License is also granted to make and use derivative works provided
| that such works are identified as "derived from the RSA Data
| Security, Inc. MD5 Message-Digest Algorithm" in all material
| mentioning or referencing the derived work.
|
| RSA Data Security, Inc. makes no representations concerning either
| the merchantability of this software or the suitability of this
| software for any particular purpose. It is provided "as is"
| without express or implied warranty of any kind.
|
| These notices must be retained in any copies of any part of this
| documentation and/or software.
| */

An identical license holds for the following files:

 - srclib\apr\passwd\apr_md5.c
 - srclib\apr-util\crypto\apr_md4.c
 - srclib\apr-util\include\apr_md4.h

This license grants permission to "copy and use" and to "make and
use derivative works", but no explicit permission to distribute the
derivative works (fails DFSG#3).
Upstream copyright holders should be got in touch with and asked
for a license change: I would again suggest to recommend the Expat
license.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.32
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages apache2 depends on:
ii apache2-mpm-worker 2.0.54-5 high speed threaded model for Apac

-- no debconf information