ssh: multiple license problems

Automatically imported from Debian bug report #211644
http://bugs.debian.org/211644

Message-ID: <20030919071314.GA9553@stonewall>
Date: Fri, 19 Sep 2003 07:13:14 +0000
From: "Brian M. Carlson" <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: ssh: multiple license problems

--tThc/1wpZn/ma/RB
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: ssh
Version: 1:3.6.1p2-8
Severity: serious

In the copyright file, it is claimed that:

  The Debian patch is distributed under the terms of the GPL, which you
  can find in /usr/share/common-licenses/GPL.

If this is true, then there is a license conflict. ssh is linked with
libssl0.9.7, which is the openssl library. The terms of the GPL and
those of OpenSSL's license conflict and Debian does not consider OpenSSL
to fall under the "integral part of the system" exception. See -legal
for more information, or better yet, search the archives.

One of the copyright notices in the copyright file claims:

    The 32-bit CRC implementation in crc32.c is due to Gary S. Brown.
    Comments in the file indicate it may be used for any purpose without
    restrictions:

     * COPYRIGHT (C) 1986 Gary S. Brown. You may use this program, or
     * code or tables extracted from it, as desired without restriction.

which does *absolutely nothing* for Debian. Use (at least in the US) is
already explicitly permitted by copyright law. This grants us no rights
to distribute, modify, or copy, and so *fails* virtually every provision
of the DFSG. This code may have already been replaced, and if so, you
can ignore this portion of the bug. I remember seeing something about
this on -legal. You may want to investigate whether this is the case.

-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux stonewall.crustytoothpaste.ath.cx 2.6.0-test4-1-386 #5 Thu Se=
p 4 21:30:10 EST 2003 i686
Locale: LANG=3DC, LC_CTYPE=3DC (ignored: LC_ALL set to C)

Versions of packages ssh depends on:
ii adduser 3.51 Add and remove users and groups
ii debconf 1.3.14 Debian configuration managemen=
t sy
ii libc6 2.3.2-7 GNU C Library: Shared librarie=
s an
ii libpam-modules 0.76-14 Pluggable Authentication Modul=
es f
ii libpam0g 0.76-14 Pluggable Authentication Modul=
es l
ii libssl0.9.7 0.9.7b-2 SSL shared libraries
ii libwrap0 7.6-ipv6.1-3 Wietse Venema's TCP wrappers l=
ibra
ii zlib1g 1:1.1.4-15 compression library - runtime

-- debconf information excluded

--=20
Brian M. Carlson <email address hidden> 0x560553e7
"Let us think the unthinkable, let us do the undoable. Let us prepare
 to grapple with the ineffable itself, and see if we may not eff it
 after all." --Douglas Adams

--tThc/1wpZn/ma/RB
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Ubi libertas, ibi patria.

iQEVAwUBP2qsiuWR/8lWBVPnAQNPBgf9HJJNPa7ezfEPfu+q1UE...

Message-ID: <email address hidden>
Date: Fri, 19 Sep 2003 11:03:53 +0100
From: Colin Watson <email address hidden>
To: "Brian M. Carlson" <email address hidden>,
 <email address hidden>
Cc: Matthew Vernon <email address hidden>
Subject: Re: Bug#211644: ssh: multiple license problems

On Fri, Sep 19, 2003 at 07:13:14AM +0000, Brian M. Carlson wrote:
> Package: ssh
> Version: 1:3.6.1p2-8
> Severity: serious
>
> In the copyright file, it is claimed that:
>
> The Debian patch is distributed under the terms of the GPL, which you
> can find in /usr/share/common-licenses/GPL.
>
> If this is true, then there is a license conflict. ssh is linked with
> libssl0.9.7, which is the openssl library. The terms of the GPL and
> those of OpenSSL's license conflict and Debian does not consider OpenSSL
> to fall under the "integral part of the system" exception. See -legal
> for more information, or better yet, search the archives.

Yeah, I'm aware of the problem. Matthew, are you happy for me to
substitute a simple 2-clause BSD licence instead? I think you're
responsible for most of the bits of the patch that actually affect code
linked into ssh.

> One of the copyright notices in the copyright file claims:
>
> The 32-bit CRC implementation in crc32.c is due to Gary S. Brown.
> Comments in the file indicate it may be used for any purpose without
> restrictions:
>
> * COPYRIGHT (C) 1986 Gary S. Brown. You may use this program, or
> * code or tables extracted from it, as desired without restriction.
>
> which does *absolutely nothing* for Debian. Use (at least in the US) is
> already explicitly permitted by copyright law. This grants us no rights
> to distribute, modify, or copy, and so *fails* virtually every provision
> of the DFSG. This code may have already been replaced, and if so, you
> can ignore this portion of the bug.

It has been replaced; the upstream copyright file is simply out of date.
They've done a licence audit in 3.7 which polishes this sort of thing
up.

Cheers,

--
Colin Watson [<email address hidden>]

Message-Id: <email address hidden>
Date: Tue, 23 Sep 2003 08:55:12 -0400
From: Jeff Bailey <email address hidden>
To: <email address hidden>
Subject: tagging 211644

tag 211644 + sid
tag 211644 + sarge

Message-ID: <email address hidden>
Date: Tue, 23 Sep 2003 18:27:26 -0400
From: <email address hidden>
To: <email address hidden>
Subject: If it helps, here's a copyright workaround

--X4H711A9W6-=-Q2YGBM5UCO-CUT-HERE-1BFYBU9ZGA-=-BYV97AUQBC
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

It's so trivial it's hard to write a *really* different version,
but here's a tested, public-domain, implementation.

Note the slight interface change: the length is now a size_t, not
a u_int32_t. This doesn't break anything, and is the "right" type
for the size of a memory buffer.

Frankly, the original statement sure looks DFSG-free to me.
"You may use this program, or code or tables extracted from it, as
desired without restriction."

The only ambiguity is the definition of "use". Did the author mean
the narrow sense of "compile and run", or the broad sense of
"any use at all, including copying and distribution"?

Since the author clearly envisaged and permits derivative works ("code
or tables extracted from it"), it appears that the intention is the
broad sense.

(Note that ambiguity in contracts is resolved against the author of
the contract. This isn't a contract, due to the lack of consideration
on both sides, but the same principle seems to apply.)

But if somebody's going to get their panties in a bunch, "copyright
abandoned" should be clear enough.

--X4H711A9W6-=-Q2YGBM5UCO-CUT-HERE-1BFYBU9ZGA-=-BYV97AUQBC
Content-Type: text/x-csrc
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="crc32.c"

/* This file is placed into the public domain. Copyright abandoned. */

#include "includes.h" /* For size_t, u_in32_t, u_char */
#include "crc32.h"

#define CRC32_DYNAMIC 0 /* Set to 0 or 1, as desired. */

#if CRC32_DYNAMIC /* Compute the table as needed */

static u_int32_t crc32table[256];

/* 1+x+x^2+x^4+x^5+x^7+x^8+x^10+x^11+x^12+x^16+x^22+x^23+x^26+x^32 */
#define CRC32_POLY 0xedb88320

/*
 * Fill in the crc32table with the correct values.
 * Since crc32table[x^y] = crc32table[x] ^ crc32table[y] for all x and y,
 * we can derive the entire table from 9 entries. We use 0, 1, 2, 4, ... 128
 * to make life simple. Because of the endianness used, it's easiest to
 * compute starting at 128.
 */
static void
ssh_crc32_maketable(void)
{
 unsigned i, j;
 u_int32_t crc = 1;

 crc32table[0] = 0;
 for (i = 128; i; i >>= 1) {
  /* Compute the correct value for crc32table[i] */
  crc = (crc >> 1) ^ (crc & 1 ? CRC32_POLY : 0);
  for (j = 0; j < 256; j += 2*i)
   crc32table[i+j] = crc32table[j] ^ crc;
 }
}

#else /* Not dynamic; use a big precomputed table */

static u_int32_t const crc32table[256] = {
 0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f,
 0xe963a535, 0x9e6495a3, 0x0edb8832, 0x79dcb8a4, 0xe0d5e91e, 0x97d2d988,
 0x09b64c2b, 0x7eb17cbd, 0xe7b82d07, 0x90bf1d91, 0x1db71064, 0x6ab020f2,
 0xf3b97148, 0x84be41de, 0x1adad47d, 0x6ddde4eb, 0xf4d4b551, 0x83d385c7,
 0x136c9856, 0x646ba8c0, 0xfd62f97a, 0x8a65c9ec, 0x14015c4f, 0x63066cd9,
 0xfa0f3d63, 0x8d080df5, 0x3b6e20c8, 0x4c69105e, 0xd56041e4, 0xa2677172,
 0x3c03e4d1, 0x4b04d447, 0xd20d85fd, 0xa50...

Message-ID: <email address hidden>
Date: Tue, 23 Sep 2003 23:57:00 +0100
From: Colin Watson <email address hidden>
To: <email address hidden>, <email address hidden>
Subject: Re: Bug#211644: If it helps, here's a copyright workaround

On Tue, Sep 23, 2003 at 06:27:26PM -0400, <email address hidden> wrote:
> It's so trivial it's hard to write a *really* different version,
> but here's a tested, public-domain, implementation.

Did you see my followup to this bug?

--
Colin Watson [<email address hidden>]

Message-ID: <email address hidden>
Date: Wed, 24 Sep 2003 00:03:34 +0100
From: Colin Watson <email address hidden>
To: <email address hidden>, <email address hidden>
Subject: Re: Bug#211644: If it helps, here's a copyright workaround

On Tue, Sep 23, 2003 at 11:57:00PM +0100, Colin Watson wrote:
> On Tue, Sep 23, 2003 at 06:27:26PM -0400, <email address hidden> wrote:
> > It's so trivial it's hard to write a *really* different version,
> > but here's a tested, public-domain, implementation.
>
> Did you see my followup to this bug?

I'm sorry, that was a bit terse. Pretend that "Thanks for your efforts,
but" had been prepended to that. :)

--
Colin Watson [<email address hidden>]

Message-ID: <email address hidden>
Date: Sun, 28 Sep 2003 01:03:30 +0100
From: Colin Watson <email address hidden>
To: <email address hidden>
Subject: Temporarily downgrading severity

# I'm TEMPORARILY downgrading the severity of this bug because it also
# exists in testing and it's more important to get a security fix into
# testing. (I should have done this a day or two ago.)
severity 211644 important
thanks

--
Colin Watson [<email address hidden>]

Message-ID: <email address hidden>
Date: Wed, 15 Oct 2003 16:17:06 +0100
From: Colin Watson <email address hidden>
To: <email address hidden>
Subject: back to serious

# I meant to set this back to serious after a security-fixed version got
# into testing, which was a while ago now.
severity 211644 serious
thanks

--
Colin Watson [<email address hidden>]

Message-ID: <email address hidden>
Date: Wed, 19 Nov 2003 00:35:34 -0500
From: Nathanael Nerode <email address hidden>
To: <email address hidden>
Subject: Isn't this bug fixed yet?

Um, status here? The CRC bit is apparently dealt with, so the only
question is: has the maintainer relicensed his Debian patches?

Message-ID: <email address hidden>
Date: Thu, 18 Dec 2003 11:14:31 -0500
From: Nathanael Nerode <email address hidden>
To: <email address hidden>
Subject: What's this bug waiting for?

Ping again. Has the maintainer relicensed his Debian patches under an
OpenSSL compatible license? If so this bug can be closed.

Message-ID: <email address hidden>
Date: Thu, 25 Dec 2003 11:41:27 +0000
From: Colin Watson <email address hidden>
To: Nathanael Nerode <email address hidden>, <email address hidden>
Subject: Re: Bug#211644: What's this bug waiting for?

On Thu, Dec 18, 2003 at 11:14:31AM -0500, Nathanael Nerode wrote:
> Ping again. Has the maintainer relicensed his Debian patches under an
> OpenSSL compatible license? If so this bug can be closed.

I believe Matthew was going to contact debian-legal about it to try to
find a compromise between two options neither of which I fully
understand. :) I think he's away for Christmas now, though ...

--
Colin Watson [<email address hidden>]

Message-Id: <email address hidden>
Date: Mon, 8 Mar 2004 22:06:39 -0500
From: Nathanael Nerode <email address hidden>
To: <email address hidden>
Subject: Bug report status?

Maintainer! What is this waiting for?

I believe you already contacted debian-legal. Do you need any more information
before relicensing your patches?

Replies to bug trail please.

Remove myself from all these CCs now that we have the warty-bugs mailing list

Increase severity of RC bugs to major, now that we have other, non-RC bugs in
the list

The likelihood of this becoming a problem for us is nearly zero. Consensus
among James, Colin, Mark and myself is that we ignore it.

Matthew's added a GPL exception to the patch (I still think he's mad for using
the GPL, but anyway); if we want to sync 1:3.8.1p1-8 or backport the copyright
diff, we can.

Message-ID: <email address hidden>
Date: Thu, 29 Jul 2004 13:55:40 +0100
From: Colin Watson <email address hidden>
To: <email address hidden>
Subject: remove entirely pointless tag combination

tags 211644 - sarge sid
thanks

--
Colin Watson [<email address hidden>]

Message-Id: <email address hidden>
Date: Thu, 29 Jul 2004 09:02:04 -0400
From: Colin Watson <email address hidden>
To: <email address hidden>
Subject: Bug#211644: fixed in openssh 1:3.8.1p1-8

Source: openssh
Source-Version: 1:3.8.1p1-8

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh-client-udeb_3.8.1p1-8_powerpc.udeb
  to pool/main/o/openssh/openssh-client-udeb_3.8.1p1-8_powerpc.udeb
openssh-server-udeb_3.8.1p1-8_powerpc.udeb
  to pool/main/o/openssh/openssh-server-udeb_3.8.1p1-8_powerpc.udeb
openssh_3.8.1p1-8.diff.gz
  to pool/main/o/openssh/openssh_3.8.1p1-8.diff.gz
openssh_3.8.1p1-8.dsc
  to pool/main/o/openssh/openssh_3.8.1p1-8.dsc
ssh-askpass-gnome_3.8.1p1-8_powerpc.deb
  to pool/main/o/openssh/ssh-askpass-gnome_3.8.1p1-8_powerpc.deb
ssh_3.8.1p1-8_powerpc.deb
  to pool/main/o/openssh/ssh_3.8.1p1-8_powerpc.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <email address hidden> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 29 Jul 2004 13:28:47 +0100
Source: openssh
Binary: ssh-askpass-gnome openssh-client-udeb ssh openssh-server-udeb
Architecture: source powerpc
Version: 1:3.8.1p1-8
Distribution: unstable
Urgency: high
Maintainer: Matthew Vernon <email address hidden>
Changed-By: Colin Watson <email address hidden>
Description:
 openssh-client-udeb - Secure shell client for the Debian installer (udeb)
 openssh-server-udeb - Secure shell server for the Debian installer (udeb)
 ssh - Secure rlogin/rsh/rcp replacement (OpenSSH)
 ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 211644
Changes:
 openssh (1:3.8.1p1-8) unstable; urgency=high
 .
   * Matthew Vernon:
     - Add a GPL exception to the licensing terms of the Debian patch
       (closes: #211644).
Files:
 162f151f8eb551149c7c1df420a8492f 890 net standard openssh_3.8.1p1-8.dsc
 8e3fcc08d957c5a514eb4552238a5f12 147029 net standard openssh_3.8.1p1-8.diff.gz
 7733d6b8b49b6ff15509e9c3175cd19e 732940 net standard ssh_3.8.1p1-8_powerpc.deb
 997a1eeb4608e07a6467e9e1d4a0e2cf 52110 gnome optional ssh-askpass-gnome_3.8.1p1-8_powerpc.deb
 abcb55c6c5d412201438f16c3aaa3ec6 151126 debian-installer optional openssh-client-udeb_3.8.1p1-8_powerpc.udeb
 9351138305583be4f53efe8b888285be 160120 debian-installer optional openssh-server-udeb_3.8.1p1-8_powerpc.udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Colin Watson <email address hidden> -- Debian developer

iD8DBQFBCPDz9t0zAhD6TNERAjPaAJ9SGo+difQkBKwXx4wmFTYnh0OmagCdHufE
oQeB0xAGGB+q/UJKds8GpA0=
=D0G1
-----END PGP SIGNATURE-----

Was fixed in Debian in 2004.