Debian Bug report logs - #460407
libofx: non-free files included

version graph

Package: libofx; Maintainer for libofx is Bryan Donlan <bdonlan@gmail.com>;

Reported by: Joerg Jaspert <joerg@debian.org>

Date: Sat, 12 Jan 2008 13:51:01 UTC

Severity: serious

Fixed in version libofx/1:0.9.0-1

Done: tb@debian.org (Thomas Bushnell, BSG)

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Joerg Jaspert <joerg@debian.org>, tb@debian.org (Thomas Bushnell, BSG):
Bug#460407; Package libofx. Full text and rfc822 format available.

Acknowledgement sent to Joerg Jaspert <joerg@debian.org>:
New Bug report received and forwarded. Copy sent to Joerg Jaspert <joerg@debian.org>, tb@debian.org (Thomas Bushnell, BSG). Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Joerg Jaspert <joerg@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libofx: non-free files included
Date: Sat, 12 Jan 2008 14:45:41 +0100
[Message part 1 (text/plain, inline)]
Package: libofx
Severity: serious

Hi

(a bug to not forget this issue, together with the reject of the newer
version from NEW).

this package contains non-free files, the DTDs, at least those from the
OFX standard, have a non-free license and can't be in main.

---+++
A royalty-free, worldwide, and perpetual license is hereby granted to
any party to use the Open Financial Exchange Specification to make,
use, and sell products and services that conform to this Specification.
+++---

Doesnt fit DFSG 1 and 3 *at least*, you aren't allowed to modify and to
redistribute. There is more, but this is enough already.

-- 
bye Joerg
<Ganneff> kde und tastatur? passt doch nicht mit dem nutzerprofil
	"windepp" zusammen :)
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, tb@debian.org (Thomas Bushnell, BSG):
Bug#460407; Package libofx. Full text and rfc822 format available.

Acknowledgement sent to Thomas Bushnell BSG <tb@becket.net>:
Extra info received and forwarded to list. Copy sent to tb@debian.org (Thomas Bushnell, BSG). Full text and rfc822 format available.

Message #10 received at submit@bugs.debian.org (full text, mbox):

From: Thomas Bushnell BSG <tb@becket.net>
To: Joerg Jaspert <joerg@debian.org>, 460407@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#460407: libofx: non-free files included
Date: Sat, 12 Jan 2008 13:06:07 -0500
On Sat, 2008-01-12 at 14:45 +0100, Joerg Jaspert wrote:
> Package: libofx
> Severity: serious

> (a bug to not forget this issue, together with the reject of the newer
> version from NEW).
> 
> this package contains non-free files, the DTDs, at least those from the
> OFX standard, have a non-free license and can't be in main.
> 
> ---+++
> A royalty-free, worldwide, and perpetual license is hereby granted to
> any party to use the Open Financial Exchange Specification to make,
> use, and sell products and services that conform to this Specification.
> +++---
> 
> Doesnt fit DFSG 1 and 3 *at least*, you aren't allowed to modify and to
> redistribute. There is more, but this is enough already.


Thank you both for your diligent checking procedures and for the bug
report.  I am investigating with both ofx and gnucash upstream about
what the best way is to approach this problem.

Thomas






Information forwarded to debian-bugs-dist@lists.debian.org, tb@debian.org (Thomas Bushnell, BSG):
Bug#460407; Package libofx. Full text and rfc822 format available.

Acknowledgement sent to Thomas Bushnell BSG <tb@becket.net>:
Extra info received and forwarded to list. Copy sent to tb@debian.org (Thomas Bushnell, BSG). Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, tb@debian.org (Thomas Bushnell, BSG):
Bug#460407; Package libofx. Full text and rfc822 format available.

Acknowledgement sent to Thomas Bushnell BSG <tb@becket.net>:
Extra info received and forwarded to list. Copy sent to tb@debian.org (Thomas Bushnell, BSG). Full text and rfc822 format available.

Message #20 received at 460407@bugs.debian.org (full text, mbox):

From: Thomas Bushnell BSG <tb@becket.net>
To: benj@debian.org, francesco@namuri.it, pkg-kde-extras@lists.alioth.debian.org, msp@debian.org, fboudra@free.fr, micha@lenk.info, repo@geole.info
Cc: 460407@bugs.debian.org
Subject: libofx contains non-free software
Date: Sat, 12 Jan 2008 13:31:05 -0500
Hi: I'm the Debian maintainer for libofx and for gnucash.  I'm writing
to you because you are responsible (in some fashion) for the maintenance
of packages which depend on libofx.

Unfortunately, it has come to light that libofx contains non-free
software.  Importantly, the DTD files which describe the format of OFX
data files are apparently non-free.  I am in communication with libofx
upstream about the issue.

It is possible that this will be resolved without too much pain, but I
think it is unlikely.  I recall having been told that the newer
aqbanking stuff does not depend on libofx--but I'm not sure how accurate
this is, because there is still libaqofxconnect4 which does depend on
it.

There are two possible short term resolutions: one is to remove libofx
from Debian entirely.  The other is to remove only the offending DTD
files, which will cripple its operation.

I am writing to give you a "heads up" about this.  If you have a
particular preference for one way or other to deal with the situation,
please reply (to all of us, not just to me) with your suggestions.
However, we cannot permit libofx to remain with non-free files unless we
have a speedy and quick fix.

If no such fix appears, and if the correct approach is to remove libofx
completely from Debian, the result will be that your packages in
unstable will become uninstallable and likely FTBFS.  I will make sure
to file bug reports with severity "important" if I have made a decision
to take that step, and then once the removal happens, the bugs will need
to get upgraded to "serious".

You may wish to subscribe to BTS #460407 as well.

Thomas






Information forwarded to debian-bugs-dist@lists.debian.org, tb@debian.org (Thomas Bushnell, BSG):
Bug#460407; Package libofx. Full text and rfc822 format available.

Acknowledgement sent to Micha Lenk <micha@lenk.info>:
Extra info received and forwarded to list. Copy sent to tb@debian.org (Thomas Bushnell, BSG). Full text and rfc822 format available.

Message #25 received at 460407@bugs.debian.org (full text, mbox):

From: Micha Lenk <micha@lenk.info>
To: Thomas Bushnell BSG <tb@becket.net>
Cc: benj@debian.org, francesco@namuri.it, pkg-kde-extras@lists.alioth.debian.org, msp@debian.org, fboudra@free.fr, repo@geole.info, 460407@bugs.debian.org
Subject: Re: libofx contains non-free software
Date: Sat, 12 Jan 2008 19:53:30 +0100
Hi Thomas,

On Sat, 2008-01-12 at 13:31 -0500, Thomas Bushnell BSG wrote:
> Hi: I'm the Debian maintainer for libofx and for gnucash.  I'm writing
> to you because you are responsible (in some fashion) for the maintenance
> of packages which depend on libofx.

According to [1], future AqBanking releases (> 3.0.1) will use its own
implementation of OFX in order to reduce programming complexity.

1. http://www.mail-archive.com/aqbanking-devel@lists.sourceforge.net/msg02059.html

So, from AqBanking's point of view it will most probably be no problem
to drop libofx without loosing any features within AqBanking.

Regards
  Micha

-- 
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.




Information forwarded to debian-bugs-dist@lists.debian.org, tb@debian.org (Thomas Bushnell, BSG):
Bug#460407; Package libofx. Full text and rfc822 format available.

Acknowledgement sent to Thomas Bushnell BSG <tb@becket.net>:
Extra info received and forwarded to list. Copy sent to tb@debian.org (Thomas Bushnell, BSG). Full text and rfc822 format available.

Message #30 received at 460407@bugs.debian.org (full text, mbox):

From: Thomas Bushnell BSG <tb@becket.net>
To: 460407 <460407@bugs.debian.org>
Subject: update
Date: Wed, 16 Jan 2008 15:21:03 -0500
Upstream libofx does not have any immediate ideas about what next steps
should be.

I am in contact with the OFX Consortium about granting a license which
we can work with.

Thomas






Information forwarded to debian-bugs-dist@lists.debian.org, tb@debian.org (Thomas Bushnell, BSG):
Bug#460407; Package libofx. Full text and rfc822 format available.

Acknowledgement sent to Thomas Bushnell BSG <tb@becket.net>:
Extra info received and forwarded to list. Copy sent to tb@debian.org (Thomas Bushnell, BSG). Full text and rfc822 format available.

Message #35 received at 460407@bugs.debian.org (full text, mbox):

From: Thomas Bushnell BSG <tb@becket.net>
To: Joerg Jaspert <joerg@debian.org>, 460407@bugs.debian.org
Subject: Re: Bug#460407: libofx: non-free files included
Date: Fri, 25 Jan 2008 12:52:43 -0500
On Sat, 2008-01-12 at 14:45 +0100, Joerg Jaspert wrote:
> Package: libofx
> Severity: serious
> 
> Hi
> 
> (a bug to not forget this issue, together with the reject of the newer
> version from NEW).
> 
> this package contains non-free files, the DTDs, at least those from the
> OFX standard, have a non-free license and can't be in main.
> 
> ---+++
> A royalty-free, worldwide, and perpetual license is hereby granted to
> any party to use the Open Financial Exchange Specification to make,
> use, and sell products and services that conform to this Specification.
> +++---
> 
> Doesnt fit DFSG 1 and 3 *at least*, you aren't allowed to modify and to
> redistribute. There is more, but this is enough already.

I have received the following from the OFX Consortium in clarification
of the license.  I believe that with this clarification, it does meet
the DFSG.  Can you advise whether it would be accepted on this basis or
whether particular further negotiation is necessary?

====
With regard to your statement that your software "does not necessarily
implement every detail of the OFX specification" (in other words, is a
subset of OFX), this is ok as it would still "conform" to the OFX spec
in every regard implemented.

However, it is not legal to create a different DTD based on OFX and put
that forth as OFX.  You would have to represent your derived DTD as your
own and not official OFX.   Alternatively, if you use the XML Schema
instead of the DTD you could create new types that inherit from OFX
types and again as long as these are not represented as actual OFX
that's ok.

The bottom line seems to be that it is fine if you use OFX technology as
long as you do not represent your own enhanced version (added to or
changed) as official "OFX".
====

I believe that this guidance satisfies the requirements of the DFSG,
imposing only the requirement that if a modified version does not
implement the OFX spec, it's fine, provided it isn't labelled as OFX.

With this understanding of what constitutes "use...that conform[s] to
this Specification" I think we are in clear ground.

You had expressed concerns about DFSG #1 and #3.  I'm not sure what the
#1 concern was because there was no prohibition on selling or giving
away the stuff even in the most restrictive reading of the OFX license.
It was #3 which clearly had a problem, namely, the apparent restriction
on derivative works.  The apparent restriction that it could only be
used in things which implement OFX would have violated #3, #6, and
perhaps #8.

But the guidance from OFX quoted above clarifies this in a way which
should avoid any problem.  They are interpreting conformity with the
spec as meaning "doesn't claim to implement OFX unless it really does".
For example, fileutils is in conformity with OFX, under the reading they
have given.  

Thomas






Tags added: pending Request was from Anibal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Fri, 01 Feb 2008 11:15:04 GMT) Full text and rfc822 format available.

Reply sent to tb@debian.org (Thomas Bushnell, BSG):
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Joerg Jaspert <joerg@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #42 received at 460407-close@bugs.debian.org (full text, mbox):

From: tb@debian.org (Thomas Bushnell, BSG)
To: 460407-close@bugs.debian.org
Subject: Bug#460407: fixed in libofx 1:0.9.0-1
Date: Sat, 02 Feb 2008 01:00:08 +0000
Source: libofx
Source-Version: 1:0.9.0-1

We believe that the bug you reported is fixed in the latest version of
libofx, which is due to be installed in the Debian FTP archive:

libofx-dev_0.9.0-1_i386.deb
  to pool/main/libo/libofx/libofx-dev_0.9.0-1_i386.deb
libofx4_0.9.0-1_i386.deb
  to pool/main/libo/libofx/libofx4_0.9.0-1_i386.deb
libofx_0.9.0-1.diff.gz
  to pool/main/libo/libofx/libofx_0.9.0-1.diff.gz
libofx_0.9.0-1.dsc
  to pool/main/libo/libofx/libofx_0.9.0-1.dsc
libofx_0.9.0.orig.tar.gz
  to pool/main/libo/libofx/libofx_0.9.0.orig.tar.gz
ofx_0.9.0-1_i386.deb
  to pool/main/libo/libofx/ofx_0.9.0-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 460407@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Bushnell, BSG <tb@debian.org> (supplier of updated libofx package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 30 Dec 2007 21:24:51 -0800
Source: libofx
Binary: libofx4 libofx-dev ofx
Architecture: source i386
Version: 1:0.9.0-1
Distribution: unstable
Urgency: low
Maintainer: Thomas Bushnell, BSG <tb@debian.org>
Changed-By: Thomas Bushnell, BSG <tb@debian.org>
Description: 
 libofx-dev - development package for libofx2c2a
 libofx4    - library to support Open Financial Exchange
 ofx        - Open Financial Exchange programs
Closes: 460407
Changes: 
 libofx (1:0.9.0-1) unstable; urgency=low
 .
   * New upstream release.
   * Regenerate autotools using Debian libtool by:
     libtoolize --copy --force; aclocal-1.9; autoconf.
   * debian/control (libofx4): Renamed package from libofx3.
     (libofx-dev): Depend on libofx4 instead of libofx3.
   * debian/rules (PACKNAME): Update to libofx4.
     (version): Update to 0.9.0.
   * libofx4.docs: Renamed from libofx3.docs.
 .
   * debian/rules (major): Delete unused variable, and commented idle
     code that mentioned it.
 .
   * debian/copyright: Add proper authorship and copyright information, and
     the license information for the OFX dtd's.  (Closes: #460407)
 .
   * debian/rules (binary-arch): Don't put /usr/include in the $(PACKNAME)
     package.
Files: 
 0007a947287c77b0a2af652bef8a472b 656 libs optional libofx_0.9.0-1.dsc
 6e2172f0117f90805590bf755190b79e 1260933 libs optional libofx_0.9.0.orig.tar.gz
 b9b3ee98c0faa386fa3a88fac70a5de7 6714 libs optional libofx_0.9.0-1.diff.gz
 c85f90a1ceedad579dbdee29592893cd 176638 libs optional libofx4_0.9.0-1_i386.deb
 6286ea674dfec05885ba0b33329ecd48 868728 libdevel optional libofx-dev_0.9.0-1_i386.deb
 de9a2c378779a29d06fcc4a7d1402874 63582 libs optional ofx_0.9.0-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHoqC+qMsB9b6fcOoRAtKtAJ4qaJn2dCT3wD+e5xiHjF1+ti/MLwCguQq/
nxtZqoL65Y/NM6QR6kW/TuA=
=37qA
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 07:41:14 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 11:02:18 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.