[fab] Free software and Fedora: Dissected

Tom 'spot' Callaway tcallawa at redhat.com
Fri Aug 4 22:13:43 UTC 2006


Here is the latest status update on the FSF Free Software audit of Fedora:

* Most of netpbm has been cleared up, except for two subprograms
(pbmtolps and spottopgm). I suggest that we ship a modified source 
version of netpbm with those two unlicensed subprograms removed, as 
I have been unable to locate the authors. To the best of my ability, 
nothing is using pbmtolps or spottopgm.
* symlinks is fine, the author describes it as "Totally free software, 
no restrictions or obligations whatsoever." to clarify the copyright
of "freely distributable".
* I created a version of aspell-nl that is GPL to replace the one with
the icky license. Needs to be tested.
* crypto-utils relies on code under the PGP license, which has 
commercial use restrictions and is almost certainly not FSF compatible.
Nothing requires crypto-utils, so it should be flushed.
* I've emailed Alexandre to have the FSF provide formal decisions on the 
6 licenses in the "KNOWN UNKNOWNS".

We should go ahead and start resolving the "KNOWNS", and yes, I do know
that FC6 is almost done, but with at least one package (aspell-nl) we are 
currently violating the license on, and macutils can't legally be "sold 
without permission" of Brown University.

Updated Document:

I am in the process of analyzing the packages currently in Fedora Core
Development to see whether it is possible/feasible to have Fedora Core
exist as a 100% free distribution (by the FSF guidelines). I've spent
the last several days classifying and auditing everything, which is a
very time consuming process. Thankfully, most things are checking out
OK, but there are some packages remaining. I swear, if I never see the
word "distributable" again....the vast majority of the "distributable"
packages are either BSD or MIT/X11 (libdhcp4client and lv are actually
GPL). This report serves two purposes:

1. To provide a status report on my progress (so no one assumes I am
sleeping on this task)
2. To highlight the items that need to be immediately addressed either
by the FSF or Fedora.

As it stands RIGHT NOW, this is where I am:

THE UNKNOWNS (0):
Packages of questionable licenses that I have yet to fully analyze:
#######################################################################
PACKAGE NAME       || RPM provided license || Notes
#######################################################################


THE KNOWN UNKNOWNS (6):
Packages of questionable licenses that need to be blessed or damned by
the FSF:
#######################################################################
PACKAGE NAME       || RPM provided license || Notes
#######################################################################
cleanfeed          || distributable        || Can't sell it? (8)
ImageMagick-*      || freeware             || Examine LICENSE
lha                || freeware             || Translated license (2)
libc-client-*      || U of W Free Fork     || Examine CPYRIGHT (3)
selinux-doc        || Public Use License   || Examine LICENSE (4)
xorg-x11-proto-devel || The Open Group     || Examine SGIGLX license (5)

THE KNOWNS (5):
Packages with non-free licenses that need to be taken out of Fedora Core
and moved to Fedora Extras (or trashed entirely)
#######################################################################
PACKAGE NAME       || RPM provided license || Notes
#######################################################################
aspell-nl          || distributable        || Can't make changes (6)
ckermit            || Special              || Nothing depends on it
crypto-utils       || Various              || Multiple licenses (9)
macutils           || distributable        || Complicated (10)
netpbm-*           || freeware             || Complicated (1)
openmotif-*        || Open Group Public    || NOT FSF Compatible (7)


Everything else in Fedora Core checks out with an FSF compatible
license. More to come, stay tuned. :)

Side notes:

(1): Netpbm and friends are a huge mess of mixed code, some without
attribution. Starting with the excellent copyright analysis done by
Debian, found here:
http://packages.debian.org/changelogs/pool/main/n/netpbm-free/netpbm-free_10.0-8sarge3/netpbm.copyright
In addition, the LZW patent has expired, so ppmtogif is ok. Fedora
Core's netpbm-progs package doesn't have jbigtopnm or pnmtojbig
(although, they are still in the SRPM). The badly licensed hpcdtoppm
isn't in the Fedora package in either source or binary format.
This only leaves the bits that are listed in the Debian copyright as
"Unknown, So Not Distributed". So, let's try to resolve those:
pamchannel: Public Domain (OK)
pamtopnm: Public Domain (OK)
pbmto4425: Author says GPL.
pbmtoln03: Author says Artistic.
pbmtolps: Cannot find current email for author.
pbmtopk/pktopbm/ppmtopjxl: Author says MIT/X11 license.
spottopgm: Cannot find current email for author

I suggest that we ship a modified source version of netpbm with those 
two unlicensed subprograms removed, as I have been unable to locate the 
authors. To the best of my ability, nothing is using pbmtolps or spottopgm.

(2): LHA's license needs to be audited by the FSF
Original Authors License Statement (from man/lha.man and translated by Osamu Aoki <debian at aokiconsulting.com>):
   Permission is given for redistribution, copy and modification provided following conditions are met.
   
   1. Do not remove copyright clause.
   2. Distribution shall conform:
    a. The content of redistribution (i.e., source code, documentation and reference guide for programmers) shall include original contents.
       If contents are modified and the document clearly indicating the fact of modification must be included.
    b. If LHa is redistributed with added values and you must put your best effort to include them (Translator comment: If read literally and original Japanese was unclear what “them” means here.  But undoubtedly this “them” means source code for the added value portion and this is a typical Japanese sloppy writing style to abbreviate as such) Also the document clearly indicating that added value was added must be included. 
    c. Binary only distribution is not allowed (including added value ones.) 
   3. You need to put effort to distribute the latest version (This is not your duty).
      NB: Distribution ON Internet is free.  Please notify me by e-mail or other means prior to the distribution if distribution is done through non-Internet media (Magazine and CDROM etc.) If not and make sure to Email me later.
   4. Any damage caused by the existence and use of this PROGRAM will not be compensated.
   5. Author will not be responsible to correct errors even if PROGRAM is defective.
   6. This PROGRAM, either as a part of this or as a whole of this and may be included into other programs.  In this case and that PROGRAM is not LHa and can not call itself LHa.
   7. For commercial use, in addition to above conditions and following condition needs to be met.
      a.  The PROGRAM whose content is mainly this PROGRAM can not be used commercially.
      b.  If the recipient of commercial use deems inappropriate as a PROGRAM user, you must not distribute.
      c.  If used as a method for the installation and you must not force others to use this PROGRAM.  In this case, commercial user will perform its work while taking FULL responsibility of its outcome.
      d.  If added value is done under the commercial use by using this PROGRAM, commercial user shall provide its support.

(Osamu Aoki also comments:
   Here “commercial” may be interpreted as “for-fee”.  “Added value” seems to mean “feature enhancement”.  )

Translated License Statement by Tsugio Okamoto (translated by GOTO Masanori <gotom at debian.org>):

   It's free to distribute ON the network and but if you distribute for the people who cannot access the network (by magazine or CD-ROM), please send E-Mail (Inter-Net address) to the author before the distribution. That's well where this software is appeared.
   If you cannot do and you must send me the E-Mail later. 

Nothing in Fedora Core requires lha, I'd say it should be moved to
Extras.

(3): The University of Washington Free-Fork License is VERY weird. It's
mostly OK, but then it goes off into left field. The FSF will need to
decide if it's too much or not. If we need to move this to Fedora Extras,
then php-imap will have to be enabled in the php-extras Extras package,
but this should be a pretty easy switch (and php-imap is the only
dependent package). Also, CPYRIGHT is not a typo.

(4): There is a LICENSE file in the source tree. This needs to be
reviewed by the FSF to determine if it is kosher.

(5): xorg-x11-proto-devel claims it is under "The Open Group License",
which is just MIT/X11, however, it also includes GLX headers that are
under the SGI GLX license. The SGI GLX license can be found here:
http://www.sgi.com/software/opensource/glx/license.html

(6): The Copyright in the aspell-nl source tree says:

"All provided material can be used freely. Copying is only allowed if
the package is distributed complete and unchanged. We plan to update
the package on a regular basis. Bug reports and bugfixes are welcomed."

This license doesn't permit modified redistribution, so this is right
out. On top of that, Fedora _IS_ patching it, so we're in violation.
Debian is using an aspell-nl package under GPL with different source, 
I made a package for it here: 
http://www.auroralinux.org/people/spot/review/aspell-nl-0.1e-1.src.rpm
I suggest we replace this in Core ASAP.

(7): Yeah, it's time to let Motif go. The license here is obviously not
FSF compatible. In Fedora Core development, this has four dependent
packages (a lot more in Extras, so we probably can't nuke it from
orbit):
- ddd (nothing depends on it, should go to FE)
- tetex-xdvi (if we pass --with-xdvi-x-toolkit=xaw to configure, we
eliminate the motif dependency)
- xpdf (nothing seems to explicitly depend on it, with evince around,
this can probably go to FE)
- mesa-libGLw (this guy is hard. we could disable motif support for this
library, but as Bugzilla 175251 points out, it is kind of worthless
without it. Also does not seem to be trivial to move into its own
subpackage, but nothing in Core requires it. X11 team needs to fix this one.)

(8): Cleanfeed's license reads:
LICENSE
       This software may be distributed freely, provided it is intact
(including all the files from the original archive).  You may modify it,
and you may distribute your modified version, provided the original work
is credited to the appropriate authors, and your work is credited to you
(don’t make changes and pass them off as my work), and that you aren’t
charging for it.

FSF needs to yay or nay that last part about "not charging for it".
Nothing depends on cleanfeed.

(9): Crypto-utils has:
- librand (AT&T BSD, OK)
- Makerand (Author confirms GPL or Artistic)
- keyrand (PGP license found here: ftp://ftp.pgpi.org/pub/pgp/2.x/doc/pgpdoc2.txt)

(10): macutils has:
no license, no copyright, but code it was based on was (c) 1984 Brown
University * may be used but not sold without permission
Nothing depends on this, it should be dropped.

~spot
-- 
Tom "spot" Callaway: Red Hat Technical Team Lead || GPG ID: 93054260
Fedora Extras Steering Committee Member (RPM Standards and Practices)
Aurora Linux Project Leader: http://auroralinux.org
Lemurs, llamas, and sparcs, oh my!




