Debian Bug report logs - #223961
libdvdread3: makes download of possibly illegal libdvdcss too easy

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Adrian Bunk <bunk@fs.tum.de>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libdvdread3: makes download of possibly illegal libdvdcss too easy

Date: Sun, 14 Dec 2003 15:24:04 +0100

Package: libdvdread3
Version: 0.9.4-3
Severity: critical

The debconf note says:

<--  snip  -->

 Many DVDs use css.  To play these, a special library is needed to
 read them, libdvdcss.  Debian cannot distribute this library
 according to some laws, but it is available on other places on the
 internet for download.  Run
 `/usr/share/doc/libdvdread3/examples/install-css.sh' to download and
 install it.

<--  snip  -->



These "some laws" not only prevent distribution of libdvdcss, they
also disallow the use of libdvdcss in some countries (e.g. in Germany).

Severity critical, since usage of libdvdcss is illegal in some
countries and promotion of libdvdcss is therefore if not explicitely
forbidden at least questionable, this note and the script cause legal
risks for both users and mirrors and distributors of Debian.

I suggest to remove both the debconf note and install-css.sh from
libdvdread3.

Message #10 received at 223961@bugs.debian.org (full text, mbox, reply):

From: Nathanael Nerode <neroden@twcny.rr.com>

To: 223961@bugs.debian.org

Subject: Noooo, keep it.

Date: Sun, 14 Dec 2003 14:34:22 -0500

I suggest not doing that.  Those "some laws" are likely to be unconstitutional 
or otherwise invalid in many of the countries where they exist.  Promotion of 
something which *may* be illegal in *some* places is not generally illegal 
when the item is legal in some countries where the promotion is intended to 
be seen.  Debian cannot follow the "lowest common denominator" of all laws in 
all countries, or it wouldn't be able to distribute anything.

I have not heard that use of libdvdcss was declared illegal in Germany. Please 
provide a reference, noting under what sort of law it was supposedly illegal 
(patent? trade secret? something else?)

This most likely calls for a policy decision by Debian, not a critical 
severity bug.

However, I *would* change the debconf note to say "If it is legal to download 
and use it in your jurisdiction, you can run...."  rather than just "Run...." 
in order to point out that Debian is not encouraging illegal activity.

Message #15 received at 223961@bugs.debian.org (full text, mbox, reply):

From: Andreas Metzler <ametzler@downhill.at.eu.org>

To: Adrian Bunk <bunk@fs.tum.de>, 223961@bugs.debian.org

Subject: Re: Bug#223961: libdvdread3: makes download of possibly illegal libdvdcss too easy

Date: Sun, 14 Dec 2003 23:16:11 +0100

Adrian Bunk wrote:
> Package: libdvdread3
> Version: 0.9.4-3
> Severity: critical

> The debconf note says:

> <--  snip  -->

> Many DVDs use css.  To play these, a special library is needed to
> read them, libdvdcss.  Debian cannot distribute this library
> according to some laws, but it is available on other places on the
> internet for download.  Run
> `/usr/share/doc/libdvdread3/examples/install-css.sh' to download and
> install it.

> <--  snip  -->

> These "some laws" not only prevent distribution of libdvdcss, they
> also disallow the use of libdvdcss in some countries (e.g. in Germany).
[...]

It is rather dubious and not proven in court that using libdvdcss
for *playing* DVDs (not copying them) is indeed illegal in Germany. I
suggest further discussion on -legal.
             cu andreas

Message #20 received at 223961@bugs.debian.org (full text, mbox, reply):

From: Adrian Bunk <bunk@fs.tum.de>

To: Andreas Metzler <ametzler@downhill.at.eu.org>

Cc: 223961@bugs.debian.org, debian-legal@lists.debian.org, Nathanael Nerode <neroden@twcny.rr.com>

Subject: Re: Bug#223961: libdvdread3: makes download of possibly illegal libdvdcss too easy

Date: Mon, 15 Dec 2003 18:50:10 +0100

On Sun, Dec 14, 2003 at 11:16:11PM +0100, Andreas Metzler wrote:
> Adrian Bunk wrote:
> > Package: libdvdread3
> > Version: 0.9.4-3
> > Severity: critical
> 
> > The debconf note says:
> 
> > <--  snip  -->
> 
> > Many DVDs use css.  To play these, a special library is needed to
> > read them, libdvdcss.  Debian cannot distribute this library
> > according to some laws, but it is available on other places on the
> > internet for download.  Run
> > `/usr/share/doc/libdvdread3/examples/install-css.sh' to download and
> > install it.
> 
> > <--  snip  -->
> 
> > These "some laws" not only prevent distribution of libdvdcss, they
> > also disallow the use of libdvdcss in some countries (e.g. in Germany).
> [...]
> 
> It is rather dubious and not proven in court that using libdvdcss
> for *playing* DVDs (not copying them) is indeed illegal in Germany. I
> suggest further discussion on -legal.

It's at least a grey area, and most likely in more countries than just 
Germany.

If you as a private person say "I think it is legal to use libdvdcss for 
playing DVDs", it's your choice.

But for a user, it should be very clear that there are legal risks when 
using libdvdcss.

Besides this, is it 100% clear that the debconf note and install-css.sh
couldn't fall under some forbidden promotion or distribution clause in 
Germany or other countries which would also bring legal risks for all 
mirrors and distributors of Debian [1]?

Note that I'm not happy with the legal situation of libdvdcss, but even 
if it would succeed in the end, a lawsuit with it's costs against users, 
mirrors and/or distributors of Debian would cause serious harm for 
Debian.

@Nathanael:
The German copyright law was changed, and it does now prohit the 
circumvention of copyright protection.
You might be sued by the copyright holder (with at least the costs of 
the lawsuit), and if you do it not only for your private use, the 
penalty is up to one year in prison.
I'm referring to the German "Gesetz ueber Urheberrecht und verwandte 
Schutzrechte", especially the paragraphs 95a, 97 and 108b.

>              cu andreas

cu
Adrian

[1] in Germany, it's not clear to me how much a judge _might_ interpret 
    into paragraph 95a (3) of the German copyright law

BTW: Please Cc me on replies, I'm not subscribed to debian-legal.

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

Message #25 received at 223961@bugs.debian.org (full text, mbox, reply):

From: "Brian M. Carlson" <sandals@crustytoothpaste.ath.cx>

To: Adrian Bunk <bunk@fs.tum.de>, Andreas Metzler <ametzler@downhill.at.eu.org>, 223961@bugs.debian.org, debian-legal@lists.debian.org, Nathanael Nerode <neroden@twcny.rr.com>

Subject: Re: Bug#223961: libdvdread3: makes download of possibly illegal libdvdcss too easy

Date: Mon, 15 Dec 2003 23:37:38 +0000

[Message part 1 (text/plain, inline)]

On Mon, Dec 15, 2003 at 06:50:10PM +0100, Adrian Bunk wrote:
> On Sun, Dec 14, 2003 at 11:16:11PM +0100, Andreas Metzler wrote:
> > Adrian Bunk wrote:
> > > Package: libdvdread3
> > > Version: 0.9.4-3
> > > Severity: critical

This is not a critical bug. This is a serious bug. The definition of a
critical bug is:

  critical
    makes unrelated software on the system (or the whole system) break,
	or causes serious data loss, or introduces a security hole on
	systems where you install the package.

The definition of a serious bug is:
								 
  serious
    is a severe violation of Debian policy (that is, it violates a
	"must" or "required" directive), or, in the package maintainer's
	opinion, makes the package unsuitable for release.

I assume, therefore, that your objection is based on policy 2.3, which
reads in part as follows:

  We reserve the right to restrict files from being included anywhere in
  our archives if
    * their use or distribution would break a law,
	* there is an ethical conflict in their distribution or use,
	* we would have to sign a license for them, or
    * their distribution would conflict with other project policies.

because you did not include a Justification: header. Please state if
this is not so.

> > 
> > > The debconf note says:
> > 
> > > <--  snip  -->
> > 
> > > Many DVDs use css.  To play these, a special library is needed to
> > > read them, libdvdcss.  Debian cannot distribute this library
> > > according to some laws, but it is available on other places on the
> > > internet for download.  Run
> > > `/usr/share/doc/libdvdread3/examples/install-css.sh' to download and
> > > install it.
> > 
> > > <--  snip  -->
> > 
> > > These "some laws" not only prevent distribution of libdvdcss, they
> > > also disallow the use of libdvdcss in some countries (e.g. in Germany).
> > [...]
> > 
> > It is rather dubious and not proven in court that using libdvdcss
> > for *playing* DVDs (not copying them) is indeed illegal in Germany. I
> > suggest further discussion on -legal.
> 
> It's at least a grey area, and most likely in more countries than just 
> Germany.
> 
> If you as a private person say "I think it is legal to use libdvdcss for 
> playing DVDs", it's your choice.
> 
> But for a user, it should be very clear that there are legal risks when 
> using libdvdcss.

Ignorance of the law is no excuse. If I choose to use an MP3 encoder in
this country without paying Frauenhofer and Thomson exorbitant fees, I'm
taking that risk. Any reasonable user should already know that libdvdcss
is dangerous, and if one doesn't want one's door battered in by the
cops, one shouldn't use it. That said, it doesn't meet the standard set
out above: the use of the install-css.sh file itself does not break a
law, even though the use of the resulting download might. While this is
nitpicking, this is the standard set out in policy, and is the criteria
for serious bugs.


If you can state reasons that there is an ethical conflict or that the
distribution would conflict with other project policies, or, find
another section in policy that backs up your argument, fine; otherwise I
think this is NOTABUG (tm).

-- 
Brian M. Carlson <sandals@crustytoothpaste.ath.cx> 0x560553e7

[signature.asc (application/pgp-signature, inline)]

Message #30 received at 223961@bugs.debian.org (full text, mbox, reply):

From: Adrian Bunk <bunk@fs.tum.de>

To: "Brian M. Carlson" <sandals@crustytoothpaste.ath.cx>, Andreas Metzler <ametzler@downhill.at.eu.org>, 223961@bugs.debian.org, debian-legal@lists.debian.org, Nathanael Nerode <neroden@twcny.rr.com>

Subject: Re: Bug#223961: libdvdread3: makes download of possibly illegal libdvdcss too easy

Date: Tue, 16 Dec 2003 01:15:26 +0100

On Mon, Dec 15, 2003 at 11:37:38PM +0000, Brian M. Carlson wrote:
> On Mon, Dec 15, 2003 at 06:50:10PM +0100, Adrian Bunk wrote:
> > On Sun, Dec 14, 2003 at 11:16:11PM +0100, Andreas Metzler wrote:
> > > Adrian Bunk wrote:
> > > > Package: libdvdread3
> > > > Version: 0.9.4-3
> > > > Severity: critical
> 
> This is not a critical bug. This is a serious bug. The definition of a
> critical bug is:
> 
>   critical
>     makes unrelated software on the system (or the whole system) break,
> 	or causes serious data loss, or introduces a security hole on
> 	systems where you install the package.
> 
> The definition of a serious bug is:
> 								 
>   serious
>     is a severe violation of Debian policy (that is, it violates a
> 	"must" or "required" directive), or, in the package maintainer's
> 	opinion, makes the package unsuitable for release.
> 
> I assume, therefore, that your objection is based on policy 2.3, which
> reads in part as follows:
> 
>   We reserve the right to restrict files from being included anywhere in
>   our archives if
>     * their use or distribution would break a law,
> 	* there is an ethical conflict in their distribution or use,
> 	* we would have to sign a license for them, or
>     * their distribution would conflict with other project policies.
> 
> because you did not include a Justification: header. Please state if
> this is not so.


My objection is based on the first half of your
  Our Priorities are Our Users and Free Software

If you want to nitpick, you could try to discuss whether it's critical 
or grave or serious, but it's definitely RC.


> > > > The debconf note says:
> > > 
> > > > <--  snip  -->
> > > 
> > > > Many DVDs use css.  To play these, a special library is needed to
> > > > read them, libdvdcss.  Debian cannot distribute this library
> > > > according to some laws, but it is available on other places on the
> > > > internet for download.  Run
> > > > `/usr/share/doc/libdvdread3/examples/install-css.sh' to download and
> > > > install it.
> > > 
> > > > <--  snip  -->
> > > 
> > > > These "some laws" not only prevent distribution of libdvdcss, they
> > > > also disallow the use of libdvdcss in some countries (e.g. in Germany).
> > > [...]
> > > 
> > > It is rather dubious and not proven in court that using libdvdcss
> > > for *playing* DVDs (not copying them) is indeed illegal in Germany. I
> > > suggest further discussion on -legal.
> > 
> > It's at least a grey area, and most likely in more countries than just 
> > Germany.
> > 
> > If you as a private person say "I think it is legal to use libdvdcss for 
> > playing DVDs", it's your choice.
> > 
> > But for a user, it should be very clear that there are legal risks when 
> > using libdvdcss.
> 
> Ignorance of the law is no excuse. If I choose to use an MP3 encoder in
> this country without paying Frauenhofer and Thomson exorbitant fees, I'm
> taking that risk. Any reasonable user should already know that libdvdcss
> is dangerous, and if one doesn't want one's door battered in by the

I know _many_ Debian users that would after reading the libdvdread3 
debconf note immediately install libdvdcss.

Don't assume every user of Debian knows about the history and legal 
problems of libdvdcss.

> cops, one shouldn't use it. That said, it doesn't meet the standard set
> out above: the use of the install-css.sh file itself does not break a
> law, even though the use of the resulting download might. While this is

If production, import and distribution of some software is illegal [1],
the legal status of a script that downloads such software is at least
questionable.

> nitpicking, this is the standard set out in policy, and is the criteria
> for serious bugs.
>...

Thankfully, I filed it as a critical bug.  :-)

cu
Adrian

[1] That's the case with software that circumvents copyright protection
    in Germany.

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

Message #35 received at 223961@bugs.debian.org (full text, mbox, reply):

From: Andreas Metzler <ametzler@downhill.at.eu.org>

To: "Brian M. Carlson" <sandals@crustytoothpaste.ath.cx>, Adrian Bunk <bunk@fs.tum.de>, 223961@bugs.debian.org, debian-legal@lists.debian.org, Nathanael Nerode <neroden@twcny.rr.com>

Subject: Re: Bug#223961: libdvdread3: makes download of possibly illegal libdvdcss too easy

Date: Tue, 16 Dec 2003 09:42:43 +0100

On Mon, Dec 15, 2003 at 11:37:38PM +0000, Brian M. Carlson wrote:
> On Mon, Dec 15, 2003 at 06:50:10PM +0100, Adrian Bunk wrote:
> > On Sun, Dec 14, 2003 at 11:16:11PM +0100, Andreas Metzler wrote:
> > > Adrian Bunk wrote:
> > > > Package: libdvdread3
> > > > Version: 0.9.4-3
> > > > Severity: critical
[...]
> > > It is rather dubious and not proven in court that using libdvdcss
> > > for *playing* DVDs (not copying them) is indeed illegal in Germany. I
> > > suggest further discussion on -legal.

> > It's at least a grey area, and most likely in more countries than just 
> > Germany.

> > If you as a private person say "I think it is legal to use libdvdcss for 
> > playing DVDs", it's your choice.

> > But for a user, it should be very clear that there are legal risks when 
> > using libdvdcss.

> Ignorance of the law is no excuse. If I choose to use an MP3 encoder in
> this country without paying Frauenhofer and Thomson exorbitant fees, I'm
> taking that risk. Any reasonable user should already know that libdvdcss
> is dangerous, and if one doesn't want one's door battered in by the
> cops, one shouldn't use it.
[...]

Afaik the German Law is stricter than that. It is verboten to describe
ways to circumvent an "wirksamer Kopierschutz". (a copy protection
method that is working.), e.g. you might get in trouble with respect
to criminal law if you post an article to German usenet, describing
how to copy copy-protected CD foo with program bar.

If this issue applied to libdvdcss2 Debian would be in trouble.

However if you copy copy-protected CD foo with program bar at home you
won't be persecuted by criminal law, but the manufacturar might start
private action against you, claiming compensation.

Now try to apply the latter on "playing a DVD with xine using
libdvdcss2" instead of "copying a CD", I really cannot see which
damage the DVD manufacturarer could claim compensation for.
                   cu andreas
-- 
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"

Message #40 received at 223961@bugs.debian.org (full text, mbox, reply):

From: Nathanael Nerode <neroden@twcny.rr.com>

To: 223961@bugs.debian.org

Cc: debian-legal@lists.debian.org

Subject: Just change the note.

Date: Wed, 17 Dec 2003 16:04:47 -0500

Adrian wrote:
>But for a user, it should be very clear that there are legal risks when 
>using libdvdcss.
Yes: accordingly, I believe the note should be changed as noted below.

>Besides this, is it 100% clear that the debconf note and install-css.sh
>couldn't fall under some forbidden promotion or distribution clause in 
>Germany or other countries which would also bring legal risks for all 
>mirrors and distributors of Debian [1]?
For this reason, I believe the note should be changed as noted below.  The 
revised version cannot *possibly* be interpreted as promoting illegal 
activity.  It does not in fact consist of distribution of libdvdcss, and 
states that you should only download it if it is legal to do so.  Provided it 
is legal to do so in one of the countries which Debian's mirrors serves (and 
it is), this is reasonable and cautious behavior.

Providing -- with warnings! -- instructions for downloading something which 
*might* be -- but probably isn't -- illegal to use in *some* countries, is 
appropriate.  If it ever becomes illegal or a serious legal risk for you, you 
are living in a police state, and 'anarchism' is probably a dangerous package 
to have on the servers as well.

I am not a lawyer (and neither are you), but I believe that this change really 
does make Debian's legal position as safe as is reasonable to even try.

If you wish to further warn distributors that draconian laws in some 
countries, or abusive corporations filing ungrounded lawsuits, may make 
certain parts of the archive unsafe to distribute, feel free, but that's 
unfortunately true of many packages.  :-/

I wrote:
>However, I *would* change the debconf note to say "If it is legal to download 
>and use it in your jurisdiction, you can run...."  rather than just "Run...." 
>in order to point out that Debian is not encouraging illegal activity.
To be on the safe side, I strongly recommend this change be made immediately, 
so that it is indicated clearly to the user that there may be legal issues.

Message #45 received at 223961@bugs.debian.org (full text, mbox, reply):

From: Adrian Bunk <bunk@fs.tum.de>

To: Andreas Metzler <ametzler@downhill.at.eu.org>, "Brian M. Carlson" <sandals@crustytoothpaste.ath.cx>, 223961@bugs.debian.org, debian-legal@lists.debian.org, Nathanael Nerode <neroden@twcny.rr.com>

Subject: Re: Bug#223961: libdvdread3: makes download of possibly illegal libdvdcss too easy

Date: Sat, 20 Dec 2003 18:23:30 +0100

On Tue, Dec 16, 2003 at 09:42:43AM +0100, Andreas Metzler wrote:
>...
> However if you copy copy-protected CD foo with program bar at home you
> won't be persecuted by criminal law, but the manufacturar might start
> private action against you, claiming compensation.
> 
> Now try to apply the latter on "playing a DVD with xine using
> libdvdcss2" instead of "copying a CD", I really cannot see which
> damage the DVD manufacturarer could claim compensation for.

It enough if they sue you for "Unterlassung" (you have to sign that 
you'll never do it again) - the costs for the lawyer that sued you will 
be significant.

>                    cu andreas

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

Message #50 received at 223961-close@bugs.debian.org (full text, mbox, reply):

From: Mikael Hedin <micce@debian.org>

To: 223961-close@bugs.debian.org

Subject: Bug#223961: fixed in libdvdread 0.9.4-4

Date: Fri, 16 Jan 2004 10:32:40 -0500

Source: libdvdread
Source-Version: 0.9.4-4

We believe that the bug you reported is fixed in the latest version of
libdvdread, which is due to be installed in the Debian FTP archive:

libdvdread3-dev_0.9.4-4_i386.deb
  to pool/main/libd/libdvdread/libdvdread3-dev_0.9.4-4_i386.deb
libdvdread3_0.9.4-4_i386.deb
  to pool/main/libd/libdvdread/libdvdread3_0.9.4-4_i386.deb
libdvdread_0.9.4-4.diff.gz
  to pool/main/libd/libdvdread/libdvdread_0.9.4-4.diff.gz
libdvdread_0.9.4-4.dsc
  to pool/main/libd/libdvdread/libdvdread_0.9.4-4.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 223961@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mikael Hedin <micce@debian.org> (supplier of updated libdvdread package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 15 Jan 2004 16:00:55 +0100
Source: libdvdread
Binary: libdvdread3-dev libdvdread3
Architecture: source i386
Version: 0.9.4-4
Distribution: unstable
Urgency: low
Maintainer: Mikael Hedin <micce@debian.org>
Changed-By: Mikael Hedin <micce@debian.org>
Description: 
 libdvdread3 - Simple foundation for reading DVDs
 libdvdread3-dev - Simple foundation for reading DVDs
Closes: 221591 223961
Changes: 
 libdvdread (0.9.4-4) unstable; urgency=low
 .
   * Adjust section to libdevel.
   * Remove libdvdread3.template, info is in README.Debian (Closes: #221591).
   * Add text in README.Debian about possible use of css (Closes: #223961).
Files: 
 f8894237e655f834c6ebdad01d8dbd8d 590 graphics optional libdvdread_0.9.4-4.dsc
 8fee05c849ab02e86534e8e7190f1b74 47582 graphics optional libdvdread_0.9.4-4.diff.gz
 aab2e38c7eb58b4ee942cf4d6566ddb8 53680 libs optional libdvdread3_0.9.4-4_i386.deb
 04aa7c31753556760d100a248f9e1d67 70140 libdevel optional libdvdread3-dev_0.9.4-4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAB/a5V5Mp08AbKiIRApeZAJ93JBmgZqxao0qWPBzmiJtdJMFZsgCgieRg
Xa/c419Sq5YszvrbKO+4zlI=
=pnQd
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.