Ubuntu

isdnutils: various licensing issues

Reported by Bernd Zeimetz on 2010-01-24
This bug affects 7 people
Affects: isdnutils (Debian) | Status: Fix Released | Importance: Unknown
Affects: isdnutils (Ubuntu) | Importance: Critical | Assigned to: Unassigned
Affects: Lucid | Importance: Critical | Assigned to: Unassigned

Bug Description

Binary package hint: isdnutils

Several files in isdnutils have licensing issues; also, the version from 2007 contains binary firmware blobs without source, probably also without a proper license. Some more information can be found in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559425

Changed in isdnutils (Debian):
status: Unknown → New
Rolf Leggewie (r0lf) wrote :

Reading the discussion in Debian, it's not at all clear whether there really are "several files" with license issues. My impression is that it's only the originally mentioned ./eurofile/src/wuauth/sigfix.c

Rolf Leggewie (r0lf) wrote :

I'm not arguing this should be taken lightly, please don't misunderstand me here.

Rolf Leggewie (r0lf) wrote :

I believe the relevant files that need looking into are (please add others if you think this list is incomplete)

./eurofile/src/wuauth/sigfix.c
./areacode/areacode.dat
./eicon/firmware/eicon_firm.tgz
./icn/firmware/pc_eu_ca.bin
./icn/firmware/loadpg.bin
./icn/firmware/pc_1t_ca.bin
./hisax/ISAR.BIN
./vbox/examples/beep.msg.example
./vbox/examples/standard.msg.example
./vbox/examples/timeout.msg.example
./act2000/firmware/bip1120.btl
./isdnlog/tools/zone/at/1024/zred.bz2
./isdnlog/tools/zone/at/pta/zoneall.pta.bz2
./isdnlog/tools/zone/at/pta/zred.pta.bz2
./isdnlog/tools/zone/at/1001/zred.bz2
./isdnlog/tools/zone/at/1004/zred.bz2
./isdnlog/tools/zone/at/1007/zred.bz2
./isdnlog/tools/zone/at/1066/zred.bz2
./isdnlog/tools/zone/at/uta/zred.uta.bz2
./isdnlog/tools/zone/nl/kpn/zred.bz2
./isdnlog/tools/zone/nl/kpn/zoneall.bz2
./isdnlog/tools/zone/de/01033/zred.dtag.bz2
./isdnlog/tools/zone/de/01033/zneu.de9.bz2
./isdnlog/tools/zone/de/01033/Verzonung.dat.bz2
./isdnlog/tools/telrate/*.{jpg,gif}

The rest are text files (or GNU message catalogs) and should generally be grep'able and traceable in text form. Some of the compressed archives may also be obviously harmless, but I haven't tested yet.

I also wonder how many of them don't actually end up in the binary package and could be dropped from a dfsg-tarball. Is there an easy way to find out?

Changed in isdnutils (Ubuntu):
importance: Undecided → Critical
status: New → Triaged
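
Added example (not part of the original thread or of the isdnutils packaging): one way to produce a list like the one in the comment above is to walk the unpacked source tree and flag every file that is not plain text, naming compressed, image and message-catalog formats by their leading bytes. The sample tree, its file contents and the 5% control-byte threshold are assumptions made for this example.

```python
import bz2
import tempfile
from pathlib import Path

# Leading bytes of formats named in the comment above: bzip2 zone data, the
# gzip'd firmware tarball, images, and GNU message catalogs (.mo, both orders).
MAGIC = [
    (b"BZh", "bzip2"), (b"\x1f\x8b", "gzip"), (b"GIF8", "gif"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\xde\x12\x04\x95", "gettext-mo"), (b"\x95\x04\x12\xde", "gettext-mo"),
]
TEXT_CONTROL = {9, 10, 12, 13}  # tab, LF, FF, CR are normal in source text

def classify(path, sample=8000):
    """Return 'text', a known format name, or 'opaque-binary'."""
    with open(path, "rb") as fh:
        head = fh.read(sample)
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    # No UTF-8 requirement: old trees often carry Latin-1 comments.
    odd = sum(1 for b in head if b < 32 and b not in TEXT_CONTROL)
    if b"\x00" in head or (head and odd / len(head) > 0.05):
        return "opaque-binary"
    return "text"

def audit_tree(root):
    """Sorted (relative path, kind) for every regular file that is not text."""
    root = Path(root)
    files = (p for p in root.rglob("*") if p.is_file() and not p.is_symlink())
    kinds = ((p.relative_to(root).as_posix(), classify(p)) for p in files)
    return sorted(item for item in kinds if item[1] != "text")

def build_sample_tree(root):
    """Constructed stand-in files; the contents are not from isdnutils."""
    samples = {
        "src/sigfix.c": b"/* constructed */\nint main(void) { return 0; }\n",
        "doc/LIESMICH": "Erl\u00e4uterung\n".encode("latin-1"),
        "firmware/blob.bin": bytes(range(256)) * 4,
        "zone/zred.bz2": bz2.compress(b"constructed zone table\n"),
    }
    for rel, data in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(*audit_tree(tmp), sep="\n")
```

Files reported as bzip2 or gzip still need to be unpacked and their contents classified in turn before they can be called harmless.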
Rolf Leggewie (r0lf) wrote :

Buzz and I have had a look around and it may be that this turns out to be invalid. In a nutshell, most of the above files are licensed under GPL (but may lack easily accessible source code, we're looking for it). The file ./eurofile/src/wuauth/sigfix.c that got all of this started is only mildly problematic. It looks like Stan only made some minor additions to the file, claimed copyright and added the "no-profit" clause about ten years ago. If push comes to shove, sigfix.c is available in a number of versions on the net without the clause.

http://viewcvs.globus.org/viewcvs.cgi/gridftp/gsi-wuftpd/source/src/sigfix.c?view=markup
http://stuff.mit.edu/afs/net/project/ftpd/wu-ftpd-2.6.1/src/sigfix.c
http://www.filewatcher.com/p/BeroFTPD-1.3.4.tar.gz.306718/BeroFTPD-1.3.4/src/sigfix.c.html

If necessary, the stuff that falls under the no-profit clause can probably be patched out easily to revert back to what the original (and main) authors wrote. Buzz will contact Stan (and other authors) to make sure that all the code is OSI-conform.

Rolf Leggewie wrote:
> Buzz and I have had a look around and it may be that this turns out to
> be invalid. In a nutshell, most of above files are licensed under GPL
> (but may lack easily accessible source code, we're looking for it).

Remember that easily accessible is not enough, it needs to be shipped in the
source package.

--
 Bernd Zeimetz Debian GNU/Linux Developer
 http://bzed.de http://www.debian.org
 GPG Fingerprints: 06C8 C9A2 EAAD E37E 5B2C BE93 067A AD04 C93B FF79
                   ECA1 E3F2 8E11 2432 D485 DD95 EB36 171A 6FF9 435F

Rolf Leggewie (r0lf) wrote :

work on this has started, but patches and helping hands are always welcome

http://git.debian.org/?p=collab-maint/isdnutils.git;a=shortlog;h=refs/heads/dfsg

MsG (mathijs-groothuis) on 2010-03-31
description: updated
tags: added: license
tags: added: blob
Changed in isdnutils (Debian):
status: New → Fix Released
Thomas Hotz (thotz) wrote :

It is fixed in Debian, is this still an issue in Ubuntu?

Rolf Leggewie (r0lf) wrote :

Yes, it is

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package isdnutils - 1:3.25+dfsg1-3.3ubuntu1

---------------
isdnutils (1:3.25+dfsg1-3.3ubuntu1) trusty; urgency=low

  * Merge from Debian unstable:
    - resolves licensing issues with package contents. LP: #511988.
    - includes proper upstream fix for ipppd on ARM. LP: #453159.
    - resolves isdnutils-base removal failures. LP: #813771.
    - fixes capiutils init script to not try to mount obsolete capifs.
      LP: #1064347.
  * Remaining changes:
    - Switch libreadline5-dev to libreadline-gplv2-dev since this package
      appears to be GPLv2
    - debian/patches/no-imake.patch: Don't build xisdnload/xmonisdn using
      xmkmf/imake. This patch was dropped in Debian without explanation;
      it still applies and seems to still be a good idea for eventual
      upstreaming, since imake is quite obsolete.
    - capi.conf: Fix typo for fcdsl2 firmware. LP: #189132.
    - Remove dependencies on /etc/inittab.
      - Disable the installation code to modify /etc/inittab.
      - isdnutils-base: Add ttyI0 example script, which needs to be installed
        in /etc/event.d/ttyI0.
      - isdnvboxserver: Add ttyI1 example script, which needs to be installed
        in /etc/event.d/ttyI1.
      - The two upstart scripts need to be edited.
      - Further improvements and documentation welcome.
  * Changes included in Debian:
    - replace calls to ./MAKEDEV with /sbin/MAKEDEV
    - Build-depend on ppp-dev.
    - Switch to newer tcl -dev.
    - update to newer automake
    - debian/rules: use autoreconf to update the autotools in the capi20
      directory
    - debian/{compat,rules,*.files,.dirs}: Convert to Multi-arch.
    - debian/libcapi20-dev.install: Remove .la files (no builds use them).
  * Changes included upstream:
    - fix for ARM FTBFS.
    - fix bashisms in vboxplay.
    - debian/patches/{config_libdir,toplevel-make}.patch: add CONFIG_LIBDIR
      override to upstream build system to support Multi-arch.
  * Dropped changes:
    - kick dpatch to the curb.
  * Handle migrating the blacklist file from
    /etc/modprobe.d/blacklist-capiutils.conf to the path used in Debian,
    /etc/modprobe.d/capiutils.conf.
  * Handle rename of /etc/ppp/ip-down.d/99-ipppd and /etc/ppp/ip-up.d/00-ipppd
    to /etc/ppp/ip-down.d/ipppd and /etc/ppp/ip-up.d/ipppd
  * Handle rename of /etc/init.d/isdnutils to /etc/init.d/isdnutils-base
  * Restore standard.tcl to /usr/share/isdnvboxserver/default; maintainer
    scripts must not depend on contents of /usr/share/doc.
  * Apply patches that were preserved in the 3.0 (quilt) migration, but
    were inadvertently not applied:
    - debian/patches/capifax.additional_error_codes.patch
    - debian/patches/capifax.3_1kHz_audio.patch
  * Drop debian/isdnutils-base.cron.d, which isn't a cronjob example at all
    but an inittab example gone astray.
  * debian/dotconfig*: don't use embedded quotes for paths; this confuses
    vbox's Makefiles something fierce, and causes files to be missed from
    debian/tmp'/usr/share/man/' at install time.
  * Fix isdnlog and ipppd to not ship files used in the postinst under
    /usr/share/doc.
  * Modernize the upstart examples.

isdnutils (1:3...


Changed in isdnutils (Ubuntu):
status: Triaged → Fix Released