Debian Bug report logs - #293932
profile.py has non-free license

version graph

Package: python; Maintainer for python is Matthias Klose <doko@debian.org>; Source for python is src:python-defaults.

Reported by: Joe Wreschnig <piman@debian.org>

Date: Sun, 6 Feb 2005 22:03:10 UTC

Severity: serious

Fixed in version python2.3/2.3.5-1

Done: Matthias Klose <doko@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#293932; Package python. Full text and rfc822 format available.

Acknowledgement sent to Joe Wreschnig <piman@debian.org>:
New Bug report received and forwarded. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Joe Wreschnig <piman@debian.org>
To: submit@bugs.debian.org
Cc: debian-legal@lists.debian.org
Subject: profile.py has non-free license
Date: Sun, 06 Feb 2005 21:49:08 +0000
[Message part 1 (text/plain, inline)]
Package: python
Severity: serious

The license for the Python profiler[0] does not allow it to be copied or
modified independently of other Python programs. This is a violation of
DFSG #3 (and also is just stupid). This bug affects likely every version
of Python in Debian (and that ever was in Debian) (and so IMO should not
hold up the sarge release).

Howeer, /usr/share/doc/python2.4/copyright does not include this
license. In fact, almost none of the licenses at
http://www.python.org/doc/current/lib/node822.html are included. At
least http://www.python.org/doc/current/lib/node826.html also looks
non-free.

[0]
http://www.python.org/doc/current/lib/node829.html
/usr/lib/python2.4/profile.py (or 2.3, or 2.2)

 Copyright 1994, by InfoSeek Corporation, all rights reserved.
 Written by James Roskind

 Permission to use, copy, modify, and distribute this Python software
 and its associated documentation for any purpose (subject to the
 restriction in the following sentence) without fee is hereby granted,
 provided that the above copyright notice appears in all copies, and
 that both that copyright notice and this permission notice appear in
 supporting documentation, and that the name of InfoSeek not be used in
 advertising or publicity pertaining to distribution of the software
 without specific, written prior permission.  This permission is
 explicitly restricted to the copying and modification of the software
 to remain in Python, compiled Python, or other languages (such as C)
 wherein the modified or derived code is exclusively imported into a
 Python module.

 INFOSEEK CORPORATION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS
 SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
 FITNESS. IN NO EVENT SHALL INFOSEEK CORPORATION BE LIABLE FOR ANY
 SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER
 RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF
 CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-- 
Joe Wreschnig <piman@debian.org>
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#293932; Package python. Full text and rfc822 format available.

Acknowledgement sent to Matthias Klose <doko@cs.tu-berlin.de>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #10 received at 293932@bugs.debian.org (full text, mbox):

From: Matthias Klose <doko@cs.tu-berlin.de>
To: Joe Wreschnig <piman@debian.org>, 293932@bugs.debian.org
Cc: debian-legal@lists.debian.org
Subject: Re: Bug#293932: profile.py has non-free license
Date: Mon, 7 Feb 2005 13:27:55 +0100
[debian-legal, how do other packages handle the md5 stuff?]

Joe Wreschnig writes:
> Package: python
> Severity: serious
> 
> The license for the Python profiler[0] does not allow it to be copied or
> modified independently of other Python programs. This is a violation of
> DFSG #3 (and also is just stupid). This bug affects likely every version
> of Python in Debian (and that ever was in Debian) (and so IMO should not
> hold up the sarge release).

ok, I'll address this upstream.

> Howeer, /usr/share/doc/python2.4/copyright does not include this
> license. In fact, almost none of the licenses at
> http://www.python.org/doc/current/lib/node822.html are included. At
> least http://www.python.org/doc/current/lib/node826.html also looks
> non-free.

will add the licenses to the 2.3 and 2.4 pacakges.


debian-legal, how do other packages handle the md5 stuff?

Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
rights reserved.

License to copy and use this software is granted provided that it
is identified as the "RSA Data Security, Inc. MD5 Message-Digest
Algorithm" in all material mentioning or referencing this software
or this function.

License is also granted to make and use derivative works provided
that such works are identified as "derived from the RSA Data
Security, Inc. MD5 Message-Digest Algorithm" in all material
mentioning or referencing the derived work.

RSA Data Security, Inc. makes no representations concerning either
the merchantability of this software or the suitability of this
software for any particular purpose. It is provided "as is"
without express or implied warranty of any kind.

These notices must be retained in any copies of any part of this
documentation and/or software.



Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#293932; Package python. Full text and rfc822 format available.

Acknowledgement sent to Andrew Suffield <asuffield@debian.org>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #15 received at 293932@bugs.debian.org (full text, mbox):

From: Andrew Suffield <asuffield@debian.org>
To: 293932@bugs.debian.org, debian-legal@lists.debian.org
Subject: Re: Bug#293932: profile.py has non-free license
Date: Mon, 7 Feb 2005 13:11:14 +0000
[Message part 1 (text/plain, inline)]
On Mon, Feb 07, 2005 at 01:27:55PM +0100, Matthias Klose wrote:
> debian-legal, how do other packages handle the md5 stuff?
> 
> Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
> rights reserved.
> 
> License to copy and use this software is granted provided that it
> is identified as the "RSA Data Security, Inc. MD5 Message-Digest
> Algorithm" in all material mentioning or referencing this software
> or this function.
> 
> License is also granted to make and use derivative works provided
> that such works are identified as "derived from the RSA Data
> Security, Inc. MD5 Message-Digest Algorithm" in all material
> mentioning or referencing the derived work.
> 
> RSA Data Security, Inc. makes no representations concerning either
> the merchantability of this software or the suitability of this
> software for any particular purpose. It is provided "as is"
> without express or implied warranty of any kind.
> 
> These notices must be retained in any copies of any part of this
> documentation and/or software.

This is the copy of md5.c fished out of the specification. We've seen
it before.

There are other variations of md5.c, at least one of which has either
a BSD or an MIT license, I forget which. Look around, you should find
one easily enough. They're more or less equivalent, you may have to
fiddle the function names.

-- 
  .''`.  ** Debian GNU/Linux ** | Andrew Suffield
 : :' :  http://www.debian.org/ |
 `. `'                          |
   `-             -><-          |
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#293932; Package python. Full text and rfc822 format available.

Acknowledgement sent to Matthias Klose <doko@cs.tu-berlin.de>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #20 received at 293932@bugs.debian.org (full text, mbox):

From: Matthias Klose <doko@cs.tu-berlin.de>
To: python-dev@python.org
Cc: 293932@bugs.debian.org
Subject: license issues with profiler.py and md5.h/md5c.c
Date: Mon, 7 Feb 2005 14:36:32 +0100
A Debian user pointed out (http://bugs.debian.org/293932), that the
current license for the Python profiler is not conforming to the DFSG
(Debian free software guidelines).

http://www.python.org/doc/current/lib/node829.html states

  "This permission is explicitly restricted to the copying and
  modification of the software to remain in Python, compiled Python,
  or other languages (such as C) wherein the modified or derived code
  is exclusively imported into a Python module."

The DFSG, http://www.debian.org/doc/debian-policy/ch-archive.html#s-dfsg,
third paragraph state:

  "Derived Works
    The license must allow modifications and derived works, and must
    allow them to be distributed under the same terms as the license
    of the original software."

- Does somebody knows about the history of this license, why it is
  more restricted than the Python license?
- Is there a chance to change the license for these two modules
  (profile.py, pstats.py)?


The md5.h/md5c.c files allow "copy and use", but no modification of
the files. There are some alternative implementations, i.e. in glibc,
openssl, so a replacement should be sage. Any other requirements when
considering a replacement?

	Matthias



Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#293932; Package python. Full text and rfc822 format available.

Acknowledgement sent to Steve McIntyre <steve@einval.com>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #25 received at 293932@bugs.debian.org (full text, mbox):

From: Steve McIntyre <steve@einval.com>
To: 293932@bugs.debian.org
Subject: Re: Bug#293932: profile.py has non-free license
Date: Mon, 07 Feb 2005 14:39:47 +0000
[ Gah, forgot to CC: the bug ]

doko wrote:
>[debian-legal, how do other packages handle the md5 stuff?]
>
>Joe Wreschnig writes:
>
>> Howeer, /usr/share/doc/python2.4/copyright does not include this
>> license. In fact, almost none of the licenses at
>> http://www.python.org/doc/current/lib/node822.html are included. At
>> least http://www.python.org/doc/current/lib/node826.html also looks
>> non-free.
>
>will add the licenses to the 2.3 and 2.4 pacakges.
>
>debian-legal, how do other packages handle the md5 stuff?

I've used the public domain implementation written by Colin Plumb, as
also used in dpkg. It's nigh-on a drop-in replacement.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"It's actually quite entertaining to watch ag129 prop his foot up on
 the desk so he can get a better aim."          [ seen in ucam.chat ]



Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#293932; Package python. Full text and rfc822 format available.

Acknowledgement sent to "Gregory P. Smith" <greg@electricrain.com>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #30 received at 293932@bugs.debian.org (full text, mbox):

From: "Gregory P. Smith" <greg@electricrain.com>
To: Matthias Klose <doko@cs.tu-berlin.de>
Cc: python-dev@python.org, 293932@bugs.debian.org
Subject: Re: [Python-Dev] license issues with profiler.py and md5.h/md5c.c
Date: Tue, 8 Feb 2005 11:52:43 -0800
> The md5.h/md5c.c files allow "copy and use", but no modification of
> the files. There are some alternative implementations, i.e. in glibc,
> openssl, so a replacement should be sage. Any other requirements when
> considering a replacement?
> 
> 	Matthias

I believe the "plan" for md5 and sha1 and such is to use the much
faster openssl versions "in the future" (based on a long thread
debating future interfaces to such things on python-dev last summer).
That'll sidestep any tedious license issue and give a better
implementation at the same time.  i don't believe anyone has taken the
time to make such a patch yet.

-g




Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#293932; Package python. Full text and rfc822 format available.

Acknowledgement sent to Tim Peters <tim.peters@gmail.com>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #35 received at 293932@bugs.debian.org (full text, mbox):

From: Tim Peters <tim.peters@gmail.com>
To: Matthias Klose <doko@cs.tu-berlin.de>
Cc: python-dev@python.org, 293932@bugs.debian.org
Subject: Re: [Python-Dev] license issues with profiler.py and md5.h/md5c.c
Date: Tue, 8 Feb 2005 15:37:50 -0500
[Matthias Klose]
> A Debian user pointed out (http://bugs.debian.org/293932), that the
> current license for the Python profiler is not conforming to the DFSG
> (Debian free software guidelines).
>
> http://www.python.org/doc/current/lib/node829.html states
>
>  "This permission is explicitly restricted to the copying and
>  modification of the software to remain in Python, compiled Python,
>  or other languages (such as C) wherein the modified or derived code
>  is exclusively imported into a Python module."
...
> - Does somebody knows about the history of this license, why it is
>  more restricted than the Python license?

Simply because that's the license Jim Roskind slapped on it when he
contributed this code 10 years ago.  I imagine (but don't know) that
Guido looked at it, thought "hmm -- shouldn't be a problem for
Python's users", and so accepted it.

> - Is there a chance to change the license for these two modules
>  (profile.py, pstats.py)?

Not unless some remnant of InfoSeek Corp can be found, since they're
the copyright holder (their work, their license).  Alas, Jim Roskind
hasn't been seen in the Python world this century.

OTOH, if InfoSeek has vanished, it's unlikely they'll be suing anyone.
 Given how Python-specific profile.py and pstats.py are, it's hard for
me to imagine anyone wanting to make a derivative that isn't imported
into a Python module.  In that respect it seems like a license clause
that forbids you to run the software while the tip of your tongue is
licking the back of your own neck.

Still, if that matters, perhaps Debian will need to leave these
modules out.  Bold <ahem> users will still be able to grab them from
any number of other places.



Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#293932; Package python. Full text and rfc822 format available.

Acknowledgement sent to jeremy@alum.mit.edu:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #40 received at 293932@bugs.debian.org (full text, mbox):

From: Jeremy Hylton <jhylton@gmail.com>
To: Tim Peters <tim.peters@gmail.com>
Cc: Matthias Klose <doko@cs.tu-berlin.de>, 293932@bugs.debian.org, python-dev@python.org
Subject: Re: [Python-Dev] license issues with profiler.py and md5.h/md5c.c
Date: Tue, 8 Feb 2005 15:52:29 -0500
Maybe some ambitious PSF activitst could contact Roskind and Steve
Kirsch and see if they know who at Disney to talk to...  Or maybe the
Disney guys who were at PyCon last year could help.

Jeremy


On Tue, 8 Feb 2005 15:37:50 -0500, Tim Peters <tim.peters@gmail.com> wrote:
> [Matthias Klose]
> > A Debian user pointed out (http://bugs.debian.org/293932), that the
> > current license for the Python profiler is not conforming to the DFSG
> > (Debian free software guidelines).
> >
> > http://www.python.org/doc/current/lib/node829.html states
> >
> >  "This permission is explicitly restricted to the copying and
> >  modification of the software to remain in Python, compiled Python,
> >  or other languages (such as C) wherein the modified or derived code
> >  is exclusively imported into a Python module."
> ...
> > - Does somebody knows about the history of this license, why it is
> >  more restricted than the Python license?
> 
> Simply because that's the license Jim Roskind slapped on it when he
> contributed this code 10 years ago.  I imagine (but don't know) that
> Guido looked at it, thought "hmm -- shouldn't be a problem for
> Python's users", and so accepted it.
> 
> > - Is there a chance to change the license for these two modules
> >  (profile.py, pstats.py)?
> 
> Not unless some remnant of InfoSeek Corp can be found, since they're
> the copyright holder (their work, their license).  Alas, Jim Roskind
> hasn't been seen in the Python world this century.
> 
> OTOH, if InfoSeek has vanished, it's unlikely they'll be suing anyone.
>  Given how Python-specific profile.py and pstats.py are, it's hard for
> me to imagine anyone wanting to make a derivative that isn't imported
> into a Python module.  In that respect it seems like a license clause
> that forbids you to run the software while the tip of your tongue is
> licking the back of your own neck.
> 
> Still, if that matters, perhaps Debian will need to leave these
> modules out.  Bold <ahem> users will still be able to grab them from
> any number of other places.
> _______________________________________________
> Python-Dev mailing list
> Python-Dev@python.org
> http://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: http://mail.python.org/mailman/options/python-dev/jeremy%40alum.mit.edu
>



Reply sent to Matthias Klose <doko@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Joe Wreschnig <piman@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #45 received at 293932-close@bugs.debian.org (full text, mbox):

From: Matthias Klose <doko@debian.org>
To: 293932-close@bugs.debian.org
Subject: Bug#293932: fixed in python2.3 2.3.5-1
Date: Wed, 09 Feb 2005 06:17:31 -0500
Source: python2.3
Source-Version: 2.3.5-1

We believe that the bug you reported is fixed in the latest version of
python2.3, which is due to be installed in the Debian FTP archive:

idle-python2.3_2.3.5-1_all.deb
  to pool/main/p/python2.3/idle-python2.3_2.3.5-1_all.deb
python2.3-dev_2.3.5-1_i386.deb
  to pool/main/p/python2.3/python2.3-dev_2.3.5-1_i386.deb
python2.3-doc_2.3.5-1_all.deb
  to pool/main/p/python2.3/python2.3-doc_2.3.5-1_all.deb
python2.3-examples_2.3.5-1_all.deb
  to pool/main/p/python2.3/python2.3-examples_2.3.5-1_all.deb
python2.3-gdbm_2.3.5-1_i386.deb
  to pool/main/p/python2.3/python2.3-gdbm_2.3.5-1_i386.deb
python2.3-mpz_2.3.5-1_i386.deb
  to pool/main/p/python2.3/python2.3-mpz_2.3.5-1_i386.deb
python2.3-tk_2.3.5-1_i386.deb
  to pool/main/p/python2.3/python2.3-tk_2.3.5-1_i386.deb
python2.3_2.3.5-1.diff.gz
  to pool/main/p/python2.3/python2.3_2.3.5-1.diff.gz
python2.3_2.3.5-1.dsc
  to pool/main/p/python2.3/python2.3_2.3.5-1.dsc
python2.3_2.3.5-1_i386.deb
  to pool/main/p/python2.3/python2.3_2.3.5-1_i386.deb
python2.3_2.3.5.orig.tar.gz
  to pool/main/p/python2.3/python2.3_2.3.5.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 293932@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose <doko@debian.org> (supplier of updated python2.3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue,  8 Feb 2005 16:30:54 +0100
Source: python2.3
Binary: python2.3-doc idle-python2.3 python2.3-dev python2.3-examples python2.3-mpz python2.3 python2.3-gdbm python2.3-tk
Architecture: source all i386
Version: 2.3.5-1
Distribution: unstable
Urgency: medium
Maintainer: Matthias Klose <doko@debian.org>
Changed-By: Matthias Klose <doko@debian.org>
Description: 
 idle-python2.3 - An IDE for Python (v2.3) using Tkinter
 python2.3  - An interactive high-level object-oriented language (version 2.3)
 python2.3-dev - Header files and a static library for Python (v2.3)
 python2.3-doc - Documentation for the high-level object-oriented language Python 
 python2.3-examples - Examples for the Python language (v2.3)
 python2.3-gdbm - GNU dbm database support for Python (v2.3)
 python2.3-mpz - Multiple-precision arithmetic support for Python (v2.3)
 python2.3-tk - Tkinter - Writing Tk applications with Python (v2.3)
Closes: 293338 293932
Changes: 
 python2.3 (2.3.5-1) unstable; urgency=medium
 .
   * Final 2.3.5 release.
   * Replace md5 implementation with one having a DFSG conforming license.
   * Remove the profile.py and pstats.py modules from the source package,
     not having a DFSG conforming license. The modules can be found in
     the python2.x-profile package in the non-free section. Closes: #293932.
   * Fix bug in copy.deep_copy (closes: #293338).
Files: 
 80248fbcddbe7ee9ecc0313c47e2b528 1134 python optional python2.3_2.3.5-1.dsc
 9c35e5ca3c487e1c1f70f2fb1ccbfffe 8512566 python optional python2.3_2.3.5.orig.tar.gz
 ca365ab215db066e37278807954acd46 2350492 python optional python2.3_2.3.5-1.diff.gz
 e0637cfe3e37036951794875fd0369ee 512390 python optional python2.3-examples_2.3.5-1_all.deb
 5b4653579fa658d617ab01c5d958b61f 233568 python optional idle-python2.3_2.3.5-1_all.deb
 8617ef8b8dbbd53c629f9b73d8051441 2859330 doc optional python2.3-doc_2.3.5-1_all.deb
 00b5ae0d3a7c697bfa208c377d2c5d5f 2903254 python standard python2.3_2.3.5-1_i386.deb
 2dedeb6efd34149140365b4f8d20f952 107300 python optional python2.3-tk_2.3.5-1_i386.deb
 22ee68c424d6318fe92e270af95b4e96 26326 python optional python2.3-gdbm_2.3.5-1_i386.deb
 7d70c6d0c331fc1b072c2ac946009b1b 30342 python optional python2.3-mpz_2.3.5-1_i386.deb
 b6cb0c101eeb3365db97ff19b1913996 1480828 libdevel optional python2.3-dev_2.3.5-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCCVKbStlRaw+TLJwRAvliAJ4rvZNbTmJC5HaDb5R4wINvrpDo4ACZAXhz
r21Y6tQVkRcdkLDLftz3irQ=
=eb3n
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#293932; Package python. Full text and rfc822 format available.

Acknowledgement sent to Donovan Baarda <abo@minkirri.apana.org.au>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #50 received at 293932@bugs.debian.org (full text, mbox):

From: Donovan Baarda <abo@minkirri.apana.org.au>
To: "Gregory P. Smith" <greg@electricrain.com>
Cc: Matthias Klose <doko@cs.tu-berlin.de>, 293932@bugs.debian.org, Python Developers List <python-dev@python.org>
Subject: Re: [Python-Dev] license issues with profiler.py and md5.h/md5c.c
Date: Fri, 11 Feb 2005 13:15:47 +1100
On Tue, 2005-02-08 at 11:52 -0800, Gregory P. Smith wrote:
> > The md5.h/md5c.c files allow "copy and use", but no modification of
> > the files. There are some alternative implementations, i.e. in glibc,
> > openssl, so a replacement should be sage. Any other requirements when
> > considering a replacement?

One thing to consider is "degree of difficulty" :-)

> > 	Matthias
> 
> I believe the "plan" for md5 and sha1 and such is to use the much
> faster openssl versions "in the future" (based on a long thread
> debating future interfaces to such things on python-dev last summer).
> That'll sidestep any tedious license issue and give a better
> implementation at the same time.  i don't believe anyone has taken the
> time to make such a patch yet.

I wasn't around for that discussion. There are two viable replacements
for the RSA implementation currently used; 

libmd <http://www.penguin.cz/~mhi/libmd/>
openssl <http://www.openssl.org/>.

The libmd implementation is by Colin Plumb and has the licence; "This
code is in the public domain; do with it what you wish." The API is
identical to the RSA implementation and BSD world's libmd and hence is a
drop in replacement. This implementation is faster than the RSA
implementation.

The openssl implementation has an apache style license. The API is
almost the same but slightly different to the RSA API, so it would
require a little bit of work to make it fit. This implementation is the
fastest currently available, as it includes many platform specific
optimisations for a large range of platforms.

Currently md5c.c is included in the python sources. The libmd
implementation has a drop in replacement for md5c.c. The openssl
implementation is a complicated tangle of Makefile expanded template
code that would be harder to include in the Python sources.

In the Linux world, openssl is starting to become ubiquitous, so not
including it and statically or even dynamically linking against it is
feasible. However, using Python in other lands will probably require
something to be included.

Long term, I think openssl is the way to go. Short term, libmd is a
painless replacement that gets around the licencing issues.

I have been using the libmd API stuff for md4 in librsync, and am
looking at migrating to the openssl API. If people hassle me, I could
probably do the openssl API migration for Python, but I'm not sure what
the best approach would be to including the source in Python sources.

FWIW, I also have an md4sum module and md4c.c implementation that I'm
happy to contribute to Python (done for pysysnc).

-- 
Donovan Baarda <abo@minkirri.apana.org.au>
http://minkirri.apana.org.au/~abo/




Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#293932; Package python. Full text and rfc822 format available.

Acknowledgement sent to Bob Ippolito <bob@redivi.com>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #55 received at 293932@bugs.debian.org (full text, mbox):

From: Bob Ippolito <bob@redivi.com>
To: Donovan Baarda <abo@minkirri.apana.org.au>
Cc: "Gregory P. Smith" <greg@electricrain.com>, Python Developers List <python-dev@python.org>, Matthias Klose <doko@cs.tu-berlin.de>, 293932@bugs.debian.org
Subject: Re: [Python-Dev] license issues with profiler.py and md5.h/md5c.c
Date: Thu, 10 Feb 2005 21:30:59 -0500
On Feb 10, 2005, at 9:15 PM, Donovan Baarda wrote:

> On Tue, 2005-02-08 at 11:52 -0800, Gregory P. Smith wrote:
>>> The md5.h/md5c.c files allow "copy and use", but no modification of
>>> the files. There are some alternative implementations, i.e. in glibc,
>>> openssl, so a replacement should be sage. Any other requirements when
>>> considering a replacement?
>
> One thing to consider is "degree of difficulty" :-)
>
>>> 	Matthias
>>
>> I believe the "plan" for md5 and sha1 and such is to use the much
>> faster openssl versions "in the future" (based on a long thread
>> debating future interfaces to such things on python-dev last summer).
>> That'll sidestep any tedious license issue and give a better
>> implementation at the same time.  i don't believe anyone has taken the
>> time to make such a patch yet.
>
> I wasn't around for that discussion. There are two viable replacements
> for the RSA implementation currently used;
>
> libmd <http://www.penguin.cz/~mhi/libmd/>
> openssl <http://www.openssl.org/>.
--
> In the Linux world, openssl is starting to become ubiquitous, so not
> including it and statically or even dynamically linking against it is
> feasible. However, using Python in other lands will probably require
> something to be included.
>
> Long term, I think openssl is the way to go. Short term, libmd is a
> painless replacement that gets around the licencing issues.

OpenSSL is also ubiquitous on Mac OS X (as a shared lib):

Mac OS X 10.2.8 has OpenSSL 0.9.6i Feb 19 2003
Mac OS X 10.3.8 has OpenSSL 0.9.7b 10 Apr 2003

One possible alternative would be to bring in something like PyOpenSSL 
<http://pyopenssl.sourceforge.net/> and just rewrite the md5 (and sha?) 
extensions as Python modules that use that API.

-bob




Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#293932; Package python. Full text and rfc822 format available.

Acknowledgement sent to Donovan Baarda <abo@minkirri.apana.org.au>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #60 received at 293932@bugs.debian.org (full text, mbox):

From: Donovan Baarda <abo@minkirri.apana.org.au>
To: Bob Ippolito <bob@redivi.com>
Cc: "Gregory P. Smith" <greg@electricrain.com>, Python Developers List <python-dev@python.org>, Matthias Klose <doko@cs.tu-berlin.de>, 293932@bugs.debian.org
Subject: Re: [Python-Dev] license issues with profiler.py and md5.h/md5c.c
Date: Fri, 11 Feb 2005 13:50:48 +1100
On Thu, 2005-02-10 at 21:30 -0500, Bob Ippolito wrote:
> On Feb 10, 2005, at 9:15 PM, Donovan Baarda wrote:
> 
> > On Tue, 2005-02-08 at 11:52 -0800, Gregory P. Smith wrote:
[...]
> One possible alternative would be to bring in something like PyOpenSSL 
> <http://pyopenssl.sourceforge.net/> and just rewrite the md5 (and sha?) 
> extensions as Python modules that use that API.

Only problem with this, is pyopenssl doesn't yet include any mdX or sha
modules.

-- 
Donovan Baarda <abo@minkirri.apana.org.au>
http://minkirri.apana.org.au/~abo/




Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#293932; Package python. Full text and rfc822 format available.

Acknowledgement sent to Bob Ippolito <bob@redivi.com>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #65 received at 293932@bugs.debian.org (full text, mbox):

From: Bob Ippolito <bob@redivi.com>
To: Donovan Baarda <abo@minkirri.apana.org.au>
Cc: "Gregory P. Smith" <greg@electricrain.com>, Python Developers List <python-dev@python.org>, Matthias Klose <doko@cs.tu-berlin.de>, 293932@bugs.debian.org
Subject: Re: [Python-Dev] license issues with profiler.py and md5.h/md5c.c
Date: Thu, 10 Feb 2005 23:13:55 -0500
On Feb 10, 2005, at 9:50 PM, Donovan Baarda wrote:

> On Thu, 2005-02-10 at 21:30 -0500, Bob Ippolito wrote:
>> On Feb 10, 2005, at 9:15 PM, Donovan Baarda wrote:
>>
>>> On Tue, 2005-02-08 at 11:52 -0800, Gregory P. Smith wrote:
> [...]
>> One possible alternative would be to bring in something like PyOpenSSL
>> <http://pyopenssl.sourceforge.net/> and just rewrite the md5 (and 
>> sha?)
>> extensions as Python modules that use that API.
>
> Only problem with this, is pyopenssl doesn't yet include any mdX or sha
> modules.

My bad, how about M2Crypto <http://sandbox.rulemaker.net/ngps/m2/> 
then?  This one supports message digests and is more license compatible 
with Python to boot.

-bob




Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#293932; Package python. Full text and rfc822 format available.

Acknowledgement sent to Donovan Baarda <abo@minkirri.apana.org.au>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #70 received at 293932@bugs.debian.org (full text, mbox):

From: Donovan Baarda <abo@minkirri.apana.org.au>
To: Bob Ippolito <bob@redivi.com>
Cc: "Gregory P. Smith" <greg@electricrain.com>, Python Developers List <python-dev@python.org>, Matthias Klose <doko@cs.tu-berlin.de>, 293932@bugs.debian.org
Subject: Re: [Python-Dev] license issues with profiler.py and md5.h/md5c.c
Date: Fri, 11 Feb 2005 17:15:39 +1100
On Thu, 2005-02-10 at 23:13 -0500, Bob Ippolito wrote:
> On Feb 10, 2005, at 9:50 PM, Donovan Baarda wrote:
> 
> > On Thu, 2005-02-10 at 21:30 -0500, Bob Ippolito wrote:
[...]
> > Only problem with this, is pyopenssl doesn't yet include any mdX or sha
> > modules.
> 
> My bad, how about M2Crypto <http://sandbox.rulemaker.net/ngps/m2/> 
> then?  This one supports message digests and is more license compatible 
> with Python to boot.
[...]

This one does have md5 support, but the Python API is rather different
from the current python md5sum API. It hooks into the slightly higher
level MVP openssl layer, rather than the lower level md5 layer. Hooking
into the MVP layer pretty much requires including all the openssl
message digest implementations (which may or may not be a good idea).

It also uses SWIG to generate the extension module. I don't think
anything else in Python itself uses SWIG, so starting to use it would
introduce a "Build Dependency".

I think it would be cleaner and simpler to modify the existing
md5module.c to use the openssl md5 layer API (this is just a
search/replace to change the function names). The bigger problem is
deciding what/how/whether to include the openssl md5 implementation
sources so that win32 can use them.

-- 
Donovan Baarda <abo@minkirri.apana.org.au>
http://minkirri.apana.org.au/~abo/




Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#293932; Package python. Full text and rfc822 format available.

Acknowledgement sent to Donovan Baarda <abo@minkirri.apana.org.au>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #75 received at 293932@bugs.debian.org (full text, mbox):

From: Donovan Baarda <abo@minkirri.apana.org.au>
To: Bob Ippolito <bob@redivi.com>
Cc: 293932@bugs.debian.org, Matthias Klose <doko@cs.tu-berlin.de>, Python Developers List <python-dev@python.org>
Subject: Re: [Python-Dev] license issues with profiler.py and md5.h/md5c.c
Date: Fri, 11 Feb 2005 17:52:20 +1100
On Fri, 2005-02-11 at 17:15 +1100, Donovan Baarda wrote:
[...]
> I think it would be cleaner and simpler to modify the existing
> md5module.c to use the openssl md5 layer API (this is just a
> search/replace to change the function names). The bigger problem is
> deciding what/how/whether to include the openssl md5 implementation
> sources so that win32 can use them.

Thinking about it, probably the best way is to include the libmd md5c.c
modified to use the openssl API, and then use configure to check for and
use openssl if it is available. That way win32 could use the provided
md5c.c, and other platforms could use the faster openssl.

-- 
Donovan Baarda <abo@minkirri.apana.org.au>
http://minkirri.apana.org.au/~abo/




Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#293932; Package python. Full text and rfc822 format available.

Acknowledgement sent to Matthias Klose <doko@cs.tu-berlin.de>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #80 received at 293932@bugs.debian.org (full text, mbox):

From: Matthias Klose <doko@cs.tu-berlin.de>
To: Donovan Baarda <abo@minkirri.apana.org.au>
Cc: 293932@bugs.debian.org, Python Developers List <python-dev@python.org>
Subject: Re: [Python-Dev] license issues with profiler.py and md5.h/md5c.c
Date: Fri, 11 Feb 2005 12:55:02 +0100
Donovan Baarda writes:
> On Tue, 2005-02-08 at 11:52 -0800, Gregory P. Smith wrote:
> > > The md5.h/md5c.c files allow "copy and use", but no modification of
> > > the files. There are some alternative implementations, i.e. in glibc,
> > > openssl, so a replacement should be sage. Any other requirements when
> > > considering a replacement?
> 
> One thing to consider is "degree of difficulty" :-)
> 
> > > 	Matthias
> > 
> > I believe the "plan" for md5 and sha1 and such is to use the much
> > faster openssl versions "in the future" (based on a long thread
> > debating future interfaces to such things on python-dev last summer).
> > That'll sidestep any tedious license issue and give a better
> > implementation at the same time.  i don't believe anyone has taken the
> > time to make such a patch yet.
> 
> I wasn't around for that discussion. There are two viable replacements
> for the RSA implementation currently used; 
> 
> libmd <http://www.penguin.cz/~mhi/libmd/>
> openssl <http://www.openssl.org/>.
> 
> The libmd implementation is by Colin Plumb and has the licence; "This
> code is in the public domain; do with it what you wish." The API is
> identical to the RSA implementation and BSD world's libmd and hence is a
> drop in replacement. This implementation is faster than the RSA
> implementation.
> 
[...]
> 
> Currently md5c.c is included in the python sources. The libmd
> implementation has a drop in replacement for md5c.c. The openssl
> implementation is a complicated tangle of Makefile expanded template
> code that would be harder to include in the Python sources.

I would prefer that one as a short term solution. Patch at #1118602.



Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#293932; Package python. Full text and rfc822 format available.

Acknowledgement sent to jeremy@alum.mit.edu:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #85 received at 293932@bugs.debian.org (full text, mbox):

From: Jeremy Hylton <jhylton@gmail.com>
To: Matthias Klose <doko@cs.tu-berlin.de>
Cc: Donovan Baarda <abo@minkirri.apana.org.au>, 293932@bugs.debian.org, Python Developers List <python-dev@python.org>
Subject: Re: [Python-Dev] license issues with profiler.py and md5.h/md5c.c
Date: Fri, 11 Feb 2005 07:35:18 -0500
On Fri, 11 Feb 2005 12:55:02 +0100, Matthias Klose <doko@cs.tu-berlin.de> wrote:
> > Currently md5c.c is included in the python sources. The libmd
> > implementation has a drop in replacement for md5c.c. The openssl
> > implementation is a complicated tangle of Makefile expanded template
> > code that would be harder to include in the Python sources.
> 
> I would prefer that one as a short term solution. Patch at #1118602.

Unfortunately a license that says it is in the public domain is
unacceptable (and should be for Debian, too).  That is to say, it's
not possible for someone to claim that something they produce is in
the public domain.  See http://www.linuxjournal.com/article/6225

Jeremy



Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#293932; Package python. Full text and rfc822 format available.

Acknowledgement sent to "Gregory P. Smith" <greg@electricrain.com>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #90 received at 293932@bugs.debian.org (full text, mbox):

From: "Gregory P. Smith" <greg@electricrain.com>
To: Donovan Baarda <abo@minkirri.apana.org.au>
Cc: Bob Ippolito <bob@redivi.com>, "Gregory P. Smith" <greg@electricrain.com>, Python Developers List <python-dev@python.org>, Matthias Klose <doko@cs.tu-berlin.de>, 293932@bugs.debian.org
Subject: Re: [Python-Dev] license issues with profiler.py and md5.h/md5c.c
Date: Fri, 11 Feb 2005 09:51:18 -0800
> I think it would be cleaner and simpler to modify the existing
> md5module.c to use the openssl md5 layer API (this is just a
> search/replace to change the function names). The bigger problem is
> deciding what/how/whether to include the openssl md5 implementation
> sources so that win32 can use them.

yes, that is all i was suggesting.

win32 python is already linked against openssl for the socket module
ssl support, having the md5 and sha1 modules depend on openssl should
not cause a problem.

-greg




Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#293932; Package python. Full text and rfc822 format available.

Acknowledgement sent to Michael Chermside <mcherm@mcherm.com>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #95 received at 293932@bugs.debian.org (full text, mbox):

From: Michael Chermside <mcherm@mcherm.com>
To: jeremy@alum.mit.edu, doko@cs.tu-berlin.de
Cc: python-dev@python.org, 293932@bugs.debian.org
Subject: RE: [Python-Dev] license issues with profiler.py and md5.h/md5c.c
Date: Fri, 11 Feb 2005 12:03:29 -0800
Jeremy writes:

> Unfortunately a license that says it is in the public domain is
> unacceptable (and should be for Debian, too).  That is to say, it's
> not possible for someone to claim that something they produce is in
> the public domain.  See http://www.linuxjournal.com/article/6225

Not quite true. It would be a bit off-topic to discuss on this list
so I will simply point you to:

    http://creativecommons.org/license/publicdomain-2

...which is specifically designed for the US legal system. It _IS_
possible for someone to produce something in the public domain, it
just isn't as easy as some people think (just saying it doesn't
necessarily make it so (at least under US law)) and it may not be
a good idea.

I would expect that if something truly WERE in the public domain,
then it would be acceptable for Python (and for Debian too, for
that matter). I can't comment on whether this applies to libmd.

-- Michael Chermside




Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#293932; Package python. Full text and rfc822 format available.

Acknowledgement sent to Tim Peters <tim.peters@gmail.com>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #100 received at 293932@bugs.debian.org (full text, mbox):

From: Tim Peters <tim.peters@gmail.com>
To: Michael Chermside <mcherm@mcherm.com>
Cc: jeremy@alum.mit.edu, doko@cs.tu-berlin.de, 293932@bugs.debian.org, python-dev@python.org
Subject: Re: [Python-Dev] license issues with profiler.py and md5.h/md5c.c
Date: Fri, 11 Feb 2005 15:46:00 -0500
[Jeremy Hylton]
>> Unfortunately a license that says it is in the public domain is
>> unacceptable (and should be for Debian, too).  That is to say, it's
>> not possible for someone to claim that something they produce is in
>> the public domain.  See http://www.linuxjournal.com/article/6225

[Michael Chermside]
> Not quite true. It would be a bit off-topic to discuss on this list
> so I will simply point you to:
> 
>    http://creativecommons.org/license/publicdomain-2
> 
> ...which is specifically designed for the US legal system. It _IS_
> possible for someone to produce something in the public domain, it
> just isn't as easy as some people think (just saying it doesn't
> necessarily make it so (at least under US law)) and it may not be
> a good idea.

The article Jeremy pointed at was written by the Python Software
Foundation's occasional legal counsel, and he disagrees.  While I
would love to believe that copyright law isn't this bizarre, I can't
recommend going against the best legal advice the PSF was willing to
pay for <wink -- but Larry is widely recognized as a bona fide expert
in IP law, and has helped the PSF a lot>.

Note that Creative Commons doesn't recommend that you do either; from their FAQ:

   Can I use a Creative Commons license for software?

   In theory, yes, but it is not in your best interest. We strongly
encourage you to
   use one of the very good software licenses available today. (The
Free Software
   Foundation and the Open Source Initiative stand out as resources for such
   licenses.) 

> I would expect that if something truly WERE in the public domain,
> then it would be acceptable for Python (and for Debian too, for
> that matter).

So would I, but according to Larry there isn't such a thing (excepting
software written by the US Government; and for other software you
might be thinking about today, maybe in about a century if the author
lets their copyright lapse).

If Larry is correct, it isn't legally possible for an individual in
the US to disclaim copyright, regardless what they may say or sign. 
The danger then is that accepting software that purports to be free of
copyright can come back to bite you, if the author later changes their
mind (from your POV; the claim is that from US law's POV, nothing has
actually changed, since the author never actually gave up copyright to
begin with).

The very fact that this argument exists underscores the desirability
of only accepting software with an explicit license, spelling out the
copyright holder's intents wrt distribution, modification, etc.  Then
you're just in legal mud, instead of legal quicksand.



Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#293932; Package python. Full text and rfc822 format available.

Acknowledgement sent to "Phillip J. Eby" <pje@telecommunity.com>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #105 received at 293932@bugs.debian.org (full text, mbox):

From: "Phillip J. Eby" <pje@telecommunity.com>
To: Tim Peters <tim.peters@gmail.com>, Michael Chermside <mcherm@mcherm.com>
Cc: 293932@bugs.debian.org, doko@cs.tu-berlin.de, python-dev@python.org
Subject: Re: [Python-Dev] license issues with profiler.py and md5.h/md5c.c
Date: Fri, 11 Feb 2005 17:59:33 -0500
At 03:46 PM 2/11/05 -0500, Tim Peters wrote:
>If Larry is correct, it isn't legally possible for an individual in
>the US to disclaim copyright, regardless what they may say or sign.
>The danger then is that accepting software that purports to be free of
>copyright can come back to bite you, if the author later changes their
>mind (from your POV; the claim is that from US law's POV, nothing has
>actually changed, since the author never actually gave up copyright to
>begin with).
>
>The very fact that this argument exists underscores the desirability
>of only accepting software with an explicit license, spelling out the
>copyright holder's intents wrt distribution, modification, etc.  Then
>you're just in legal mud, instead of legal quicksand.

And as long as we're flailing about in a substance which may include, but 
is not limited to, mud and/or quicksand or other flailing-suitable legal 
substances, it should be pointed out that even though software presented by 
its owner to be in the public domain is technically still copyright by that 
individual, the odds of them successfully prosecuting a copyright 
enforcement action might be significantly narrowed, due to the doctrine of 
promissory estoppel.

Promissory estoppel is basically the idea that one-sided promises *are* 
enforceable when somebody reasonably relies on them and is injured by the 
withdrawal.  IBM, for example, has pled in its defense against SCO that 
SCO's distribution of its so-called proprietary code under the GPL 
constituted a reasonable promise that others were free to use the code 
under the terms of the GPL, and that IBM further relied on that 
promise.  Ergo, they are claiming, SCO's promise is enforceable by law.

Of course, SCO v. IBM hasn't had any judgments yet, certainly not on that 
subject, and maybe never will.  But it's important to know that the law 
*does* have some principles like this that allow overriding the more 
egregiously insane aspects of the law.  :)

Oh, also, if somebody decides to back out on their dedication to the public 
domain, and you can show that they did it on purpose, then that's "unclean 
hands" and possibly "copyright abuse" as well.

Just to muddy up the waters a little bit.  :)  Obviously, the PSF should 
follow its own lawyer's advice, but it seemed to me that the point of Mr. 
Rosen's article was more to advise people releasing software to use a 
license that allows them to disclaim warranties.

I personally can't see how taking the reasonable interpretation of a public 
domain declaration can lead to any difficulties, but then, IANAL.  I'm 
surprised, however, that he didn't even touch on promissory estoppel, if 
there is some reason he believes that the doctrine wouldn't apply to a 
software license.  Heck, I was under the impression that free copyright 
licenses in general got their effect by way of promissory estoppel, since 
such licenses are always one-sided promises.  The GPL in particular makes 
an explicit point of this, even though it doesn't use the words "promissory 
estoppel".  The point is that the law doesn't allow you to copy, so the 
license is your defense against a charge of copyright 
infringement.  Therefore, even Rosen's so-called "Give it away" license is 
enforceable, in the sense that the licensor should be barred from taking 
action against someone taking the license at face value.

Rosen also says, "Under basic contract law, a gift cannot be enforced. The 
donor can retract his gift at any time, for any reason".  If this were 
true, I could give you a watch for Christmas and then sue you to make you 
give it back, so I'm not sure what he's getting at here.

But again, IANAL, certainly not a famous one like Mr. Rosen.  I *am* most 
curious to know why his article seems to imply that a promise not to sue 
someone for copyright infringement isn't a valid defense against such a 
suit, because that would seem to imply that *no* free software license is 
valid, including the GPL or the PSF license!  (Surely those "gifts" can be 
retracted too, no?)




Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#293932; Package python. Full text and rfc822 format available.

Acknowledgement sent to "Donovan Baarda" <abo@minkirri.apana.org.au>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #110 received at 293932@bugs.debian.org (full text, mbox):

From: "Donovan Baarda" <abo@minkirri.apana.org.au>
To: "Gregory P. Smith" <greg@electricrain.com>
Cc: "Bob Ippolito" <bob@redivi.com>, "Gregory P. Smith" <greg@electricrain.com>, "Python Developers List" <python-dev@python.org>, "Matthias Klose" <doko@cs.tu-berlin.de>, <293932@bugs.debian.org>
Subject: Re: [Python-Dev] license issues with profiler.py and md5.h/md5c.c
Date: Sat, 12 Feb 2005 10:11:01 +1100
G'day again,

From: "Gregory P. Smith" <greg@electricrain.com>
> > I think it would be cleaner and simpler to modify the existing
> > md5module.c to use the openssl md5 layer API (this is just a
> > search/replace to change the function names). The bigger problem is
> > deciding what/how/whether to include the openssl md5 implementation
> > sources so that win32 can use them.
>
> yes, that is all i was suggesting.
>
> win32 python is already linked against openssl for the socket module
> ssl support, having the md5 and sha1 modules depend on openssl should
> not cause a problem.

IANAL... I have too much common sense, so I won't argue licences :-)

So is openssl already included in the Python sources, or is it just a
dependency? I had a quick look and couldn't find it so it must be a
dependency.

Given that Python is already dependant on openssl, it makes sense to change
md5sum to use it. I have a feeling that openssl internally uses md5, so this
way we wont link against two different md5sum implementations.

----------------------------------------------------------------
Donovan Baarda                http://minkirri.apana.org.au/~abo/
----------------------------------------------------------------




Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#293932; Package python. Full text and rfc822 format available.

Acknowledgement sent to "Martin v. Löwis" <martin@v.loewis.de>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #115 received at 293932@bugs.debian.org (full text, mbox):

From: "Martin v. Löwis" <martin@v.loewis.de>
To: "Phillip J. Eby" <pje@telecommunity.com>
Cc: Tim Peters <tim.peters@gmail.com>, Michael Chermside <mcherm@mcherm.com>, doko@cs.tu-berlin.de, 293932@bugs.debian.org, python-dev@python.org
Subject: Re: [Python-Dev] license issues with profiler.py and md5.h/md5c.c
Date: Sat, 12 Feb 2005 00:57:40 +0100
Phillip J. Eby wrote:
> I personally can't see how taking the reasonable interpretation of a 
> public domain declaration can lead to any difficulties, but then, 
> IANAL.

The ultimate question is whether we could legally relicense such
code under the Python license, ie. remove the PD declaration, and
attach the Python license to it. I'm sure somebody would come along
and claim "you cannot do that, and because you did, I cannot use
your code, because it is not legally trustworthy"; people would
say the same if the PD declaration would stay around.

It is important for us that our users (including our commercial
users) trust that Python has a clear legal track record. For such
users, it is irrelevant whether you think that a litigation of
the actual copyright holder would have any chance to stand in court,
or whether such action is even likely.

So for some users, replacing RSA-copyrighted-and-licensed code
with PD-declared-and-unlicensed code makes Python less trustworthy.
Clearly, for Debian, it is exactly the other way 'round. So I
have rejected the patch, preserving the status quo, until a properly
licensed open source implementation of md5 arrives. Until then,
Debian will have to patch Python.

> But again, IANAL, certainly not a famous one like Mr. Rosen.  I *am* 
> most curious to know why his article seems to imply that a promise not 
> to sue someone for copyright infringement isn't a valid defense against 
> such a suit

It might be, but that is irrelevant for open source projects that
include contributions. Either they don't care too much about such
things, in which case anything remotely "free" would be acceptable,
or they are very nit-picking, in which case you need a good record
for any contribution you ever received.

Regards,
Martin



Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#293932; Package python. Full text and rfc822 format available.

Acknowledgement sent to Bob Ippolito <bob@redivi.com>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #120 received at 293932@bugs.debian.org (full text, mbox):

From: Bob Ippolito <bob@redivi.com>
To: "Donovan Baarda" <abo@minkirri.apana.org.au>
Cc: "Matthias Klose" <doko@cs.tu-berlin.de>, "Gregory P. Smith" <greg@electricrain.com>, <293932@bugs.debian.org>, "Python Developers List" <python-dev@python.org>
Subject: Re: [Python-Dev] license issues with profiler.py and md5.h/md5c.c
Date: Fri, 11 Feb 2005 20:38:18 -0500
On Feb 11, 2005, at 6:11 PM, Donovan Baarda wrote:

> G'day again,
>
> From: "Gregory P. Smith" <greg@electricrain.com>
>>> I think it would be cleaner and simpler to modify the existing
>>> md5module.c to use the openssl md5 layer API (this is just a
>>> search/replace to change the function names). The bigger problem is
>>> deciding what/how/whether to include the openssl md5 implementation
>>> sources so that win32 can use them.
>>
>> yes, that is all i was suggesting.
>>
>> win32 python is already linked against openssl for the socket module
>> ssl support, having the md5 and sha1 modules depend on openssl should
>> not cause a problem.
>
> IANAL... I have too much common sense, so I won't argue licences :-)
>
> So is openssl already included in the Python sources, or is it just a
> dependency? I had a quick look and couldn't find it so it must be a
> dependency.
>
> Given that Python is already dependant on openssl, it makes sense to 
> change
> md5sum to use it. I have a feeling that openssl internally uses md5, 
> so this
> way we wont link against two different md5sum implementations.

It is an optional dependency that is used when present (read: not just 
win32).  The sources are not included with Python.

OpenSSL does internally have an implementation of md5 (and sha1, among 
other things).

-bob




Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#293932; Package python. Full text and rfc822 format available.

Acknowledgement sent to "Donovan Baarda" <abo@minkirri.apana.org.au>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #125 received at 293932@bugs.debian.org (full text, mbox):

From: "Donovan Baarda" <abo@minkirri.apana.org.au>
To: "Bob Ippolito" <bob@redivi.com>
Cc: "Matthias Klose" <doko@cs.tu-berlin.de>, "Gregory P. Smith" <greg@electricrain.com>, <293932@bugs.debian.org>, "Python Developers List" <python-dev@python.org>
Subject: Re: [Python-Dev] license issues with profiler.py and md5.h/md5c.c
Date: Sat, 12 Feb 2005 13:54:27 +1100
G'day,

From: "Bob Ippolito" <bob@redivi.com>
> On Feb 11, 2005, at 6:11 PM, Donovan Baarda wrote:
[...]
> > Given that Python is already dependant on openssl, it makes sense to
> > change
> > md5sum to use it. I have a feeling that openssl internally uses md5,
> > so this
> > way we wont link against two different md5sum implementations.
>
> It is an optional dependency that is used when present (read: not just
> win32).  The sources are not included with Python.

Are there any potential problems with making the md5sum module availability
"optional" in the same way as this?

> OpenSSL does internally have an implementation of md5 (and sha1, among
> other things).

Yeah, I know, that's why it could be used for the md5sum module :-)

What I meant was a Python application using ssl sockets and the md5sum
module will effectively have two different md5sum implementations in memory.
Using the openssl md5sum for the md5sum module will make it "leaner", as
well as faster.

----------------------------------------------------------------
Donovan Baarda                http://minkirri.apana.org.au/~abo/
----------------------------------------------------------------




Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#293932; Package python. Full text and rfc822 format available.

Acknowledgement sent to David Ascher <david.ascher@gmail.com>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #130 received at 293932@bugs.debian.org (full text, mbox):

From: David Ascher <david.ascher@gmail.com>
To: jeremy@alum.mit.edu
Cc: Tim Peters <tim.peters@gmail.com>, 293932@bugs.debian.org, Matthias Klose <doko@cs.tu-berlin.de>, python-dev@python.org
Subject: Re: [Python-Dev] license issues with profiler.py and md5.h/md5c.c
Date: Sat, 12 Feb 2005 13:45:54 -0800
On Tue, 8 Feb 2005 15:52:29 -0500, Jeremy Hylton <jhylton@gmail.com> wrote:
> Maybe some ambitious PSF activitst could contact Roskind and Steve
> Kirsch and see if they know who at Disney to talk to...  Or maybe the
> Disney guys who were at PyCon last year could help.

I contacted Jim.  His response follows:

---
I'm a strong supporter of Opensource software, but I'm probably not
going to be able to help you very much.  I could be much more helpful
with understanding the code or its use ;-).

To summarize what I'll say: I don't own the rights to this stuff.  ...
but I don't believe there are any patents that I was ever involved
with that might encumber this work.

I would note that my profiler code is really very rarely used in
commercial products, and it is much more typically used by developers
(I guess a developer toolkit, if sold, would use it).  I'm pretty
delighted that the code has found so much use by developers over the
years.  As I noted in the intro to the documentation, I had only been
coding in Python for 3 weeks when I wrote it.  On the positive side,
it exposed many weaknesses in many developer's code (including our own
at InfoSeek), as well as in core Python code (subtle bugs in the
interpreter) that surely helped everyone.  Even though I was a newbie,
It was VERY carefully crafted,, and I'd expect that it would take a
fair amount of effort to reproduce it (and that is is probably why it
has not been changed much... or at least no one told me when they
changed/fixed it ;-) ).

With regard to why I probably can't help much.....

First off, InfoSeek (holder of the copyright) was bought by Disney,
and I don't know what if anything has eventually become of the
tradename.  There is a chance that Disney owns the rights... and I
have no idea who to ask there :-/.

Second, I took a look at the Copyright, and it sure seems pretty
permissive.  I'm amazed if folks want something more permissive.  
This is what I found on the web for it:

    Copyright © 1994, by InfoSeek Corporation, all rights reserved.

    Written by James Roskind.10.1

    Permission to use, copy, modify, and distribute this Python
software and its associated documentation for any purpose (subject to
the restriction in the following sentence) without fee is hereby
granted, provided that the above copyright notice appears in all
copies, and that both that copyright notice and this permission notice
appear in supporting documentation, and that the name of InfoSeek not
be used in advertising or publicity pertaining to distribution of the
software without specific, written prior permission. This permission
is explicitly restricted to the copying and modification of the
software to remain in Python, compiled Python, or other languages
(such as C) wherein the modified or derived code is exclusively
imported into a Python module.

    INFOSEEK CORPORATION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS
SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS. IN NO EVENT SHALL INFOSEEK CORPORATION BE LIABLE FOR ANY
SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER
RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF
CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

As I recall, I probably personally created the terms of the above
license.  I used a similar license on my C/C++ grammar, and Infoseek
just added a bunch of wording to be sure that they were not at risk,
and that their name would not be used in vain (or in advertising
material).  I think they were also interested in limiting its use to
Python.... but I don't think that is a concern that would bother you.

I read the link you directed me to, and its primary focus seemed ot be
on patents for related or included technology.

I don't believe that infoseek applied for or got any patents in this
area (and certainly if they did so without my name, it would probably
invalidate the patent), and I'm sure I didn't get any patents in this
area at Netscape/AOL.  In fact I don't think I got any patents back in
1994 or 1995.  My only prior patent dated back to about 1983 (a
hardware patent) that has since expired.

I have some patents since (roughly) 1995, and even though I don't
think any of them relate to profiling (though some did relate to
languages, or more specifically, security in languages), I wouldn't
want to mess with assigning rights to any of those patents, as they
belong to AOL/Netscape.  Here again, to my knowledge, none of my
patents relate in any way to this area (profiling).  Sadly, if they
did, I would not have the right to assign them.

I'm sure you're just doing your job, and following through by dotting
all the I's and crossing all T's.  My suggestion is to (as you said)
work around the issue.  You could always re-write the code from
scratch, as the approaches are not rocket science and are pretty
thoroughly explained.  I wouldn't suggest it unless you are desperate.
 If I were you, I'd wait for a license problem to emerge (which I
don't believe will ever happen).
---

FWIW, I agree.  Personnally, I think that if Debian has a problem with
the above, it's their problem to deal with, not Python's.

--david



Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#293932; Package python. Full text and rfc822 format available.

Acknowledgement sent to "Gregory P. Smith" <greg@electricrain.com>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #135 received at 293932@bugs.debian.org (full text, mbox):

From: "Gregory P. Smith" <greg@electricrain.com>
To: Donovan Baarda <abo@minkirri.apana.org.au>
Cc: Bob Ippolito <bob@redivi.com>, Matthias Klose <doko@cs.tu-berlin.de>, "Gregory P. Smith" <greg@electricrain.com>, 293932@bugs.debian.org, Python Developers List <python-dev@python.org>
Subject: Re: OpenSSL sha module / license issues with md5.h/md5c.c
Date: Sat, 12 Feb 2005 17:35:35 -0800
I've created an OpenSSL version of the sha module.  trivial to modify
to be a md5 module.  Its a first version with cleanup to be done and
such.  being managed in the SF patch manager:

 https://sourceforge.net/tracker/?func=detail&aid=1121611&group_id=5470&atid=305470

enjoy.  i'll do more cleanup and work on it soon.




Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#293932; Package python. Full text and rfc822 format available.

Acknowledgement sent to Donovan Baarda <abo@minkirri.apana.org.au>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #140 received at 293932@bugs.debian.org (full text, mbox):

From: Donovan Baarda <abo@minkirri.apana.org.au>
To: "Gregory P. Smith" <greg@electricrain.com>
Cc: Bob Ippolito <bob@redivi.com>, Matthias Klose <doko@cs.tu-berlin.de>, 293932@bugs.debian.org, Python Developers List <python-dev@python.org>
Subject: Re: OpenSSL sha module / license issues with md5.h/md5c.c
Date: Mon, 14 Feb 2005 11:02:23 +1100
On Sat, 2005-02-12 at 17:35 -0800, Gregory P. Smith wrote:
> I've created an OpenSSL version of the sha module.  trivial to modify
> to be a md5 module.  Its a first version with cleanup to be done and
> such.  being managed in the SF patch manager:
> 
>  https://sourceforge.net/tracker/?func=detail&aid=1121611&group_id=5470&atid=305470
> 
> enjoy.  i'll do more cleanup and work on it soon.

Hmmm. I see the patch entry, but it seems to be missing the actual
patch.

Did you code this from scratch, or did you base it on the current
md5module.c? Is it using the openssl sha interface, or the higher level
EVP interface? 

The reason I ask is it would be pretty trivial to modify md5module.c to
use the openssl API for any digest, and would be less risk than
fresh-coding one.

-- 
Donovan Baarda <abo@minkirri.apana.org.au>
http://minkirri.apana.org.au/~abo/




Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#293932; Package python. Full text and rfc822 format available.

Acknowledgement sent to "Gregory P. Smith" <greg@electricrain.com>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>. Full text and rfc822 format available.

Message #145 received at 293932@bugs.debian.org (full text, mbox):

From: "Gregory P. Smith" <greg@electricrain.com>
To: Donovan Baarda <abo@minkirri.apana.org.au>
Cc: "Gregory P. Smith" <greg@electricrain.com>, Bob Ippolito <bob@redivi.com>, Matthias Klose <doko@cs.tu-berlin.de>, 293932@bugs.debian.org, Python Developers List <python-dev@python.org>
Subject: Re: OpenSSL sha module / license issues with md5.h/md5c.c
Date: Sun, 13 Feb 2005 16:21:54 -0800
On Mon, Feb 14, 2005 at 11:02:23AM +1100, Donovan Baarda wrote:
> On Sat, 2005-02-12 at 17:35 -0800, Gregory P. Smith wrote:
> > I've created an OpenSSL version of the sha module.  trivial to modify
> > to be a md5 module.  Its a first version with cleanup to be done and
> > such.  being managed in the SF patch manager:
> > 
> >  https://sourceforge.net/tracker/?func=detail&aid=1121611&group_id=5470&atid=305470
> > 
> > enjoy.  i'll do more cleanup and work on it soon.
> 
> Hmmm. I see the patch entry, but it seems to be missing the actual
> patch.
> 
> Did you code this from scratch, or did you base it on the current
> md5module.c? Is it using the openssl sha interface, or the higher level
> EVP interface? 
> 
> The reason I ask is it would be pretty trivial to modify md5module.c to
> use the openssl API for any digest, and would be less risk than
> fresh-coding one.

Ugh.  Sourceforge ignored it on the patch submission.  i've attached
it properly now.

This initial version is derived from shamodule.c which does not have
any license issues.  it is currently only meant as an example of how
easy it is to use the openssl hashing interface.

I'm taking it an turning it into a generic openssl hash wrapper
that'll do md5 sha1 and anything else.

-g



Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 11:47:58 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.