Debian Bug report logs - #659645
sharand: SHA-1 code is doesn't allow modification

Package: sharand; Maintainer for sharand is Jari Aalto <jari.aalto@cante.net>; Source for sharand is src:sharand.

Reported by: Sam Geeraerts <samgee@elmundolibre.be>

Date: Sun, 12 Feb 2012 19:45:02 UTC

Severity: serious

Tags: pending

Found in versions sharand/0.0.20040607-1, sharand/0.0.20120307-1

Fixed in version 0.0.20040607-1+rm


Report forwarded to debian-bugs-dist@lists.debian.org, Jari Aalto <jari.aalto@cante.net>:
Bug#659645; Package sharand. (Sun, 12 Feb 2012 19:45:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sam Geeraerts <samgee@elmundolibre.be>:
New Bug report received and forwarded. Copy sent to Jari Aalto <jari.aalto@cante.net>. (Sun, 12 Feb 2012 19:45:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Sam Geeraerts <samgee@elmundolibre.be>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sharand: SHA-1 code is doesn't allow modification
Date: Sun, 12 Feb 2012 20:42:21 +0100
Package: sharand
Version: 0.0.20040607-1
Severity: serious
Justification: Policy 2.1.3
User: gnewsense-dev@nongnu.org
Usertags: gnewsense libreplanet

File main/sha1.c has this license notice:

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

To my understanding that means you can extend, but not modify the text/
code in this file. This violates DFSG.

It looks like this code was copied straight from RFC 3174. I found a
discussion [2] on debian-legal from a few years back that says that
RFC texts are non-free (except for the first 1000 or so). A summary
about copyright on RFC Editor [3] says that derivative works are
allowed, but doesn't go into detail.

[1] http://www.rfc-editor.org/rfc/rfc3174.txt
[2] http://lists.debian.org/debian-legal/2006/04/msg00223.html
[3] http://www.rfc-editor.org/copyright.17Feb04.html

-- System Information:
Debian Release: 6.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=nl_BE.UTF-8, LC_CTYPE=nl_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash




Information forwarded to debian-bugs-dist@lists.debian.org, Jari Aalto <jari.aalto@cante.net>:
Bug#659645; Package sharand. (Sat, 03 Mar 2012 16:48:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Jari Aalto <jari.aalto@cante.net>. (Sat, 03 Mar 2012 16:48:03 GMT) Full text and rfc822 format available.

Message #10 received at submit@bugs.debian.org (full text, mbox):

From: Simon McVittie <smcv@debian.org>
To: Sam Geeraerts <samgee@elmundolibre.be>, 659645@bugs.debian.org
Cc: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Re: Bug#659645: sharand: SHA-1 code is doesn't allow modification
Date: Sat, 3 Mar 2012 16:46:23 +0000

On Sun, 12 Feb 2012 at 20:42:21 +0100, Sam Geeraerts wrote:
> To my understanding that means you can extend, but not modify the text/
> code in this file. This violates DFSG.

In addition, because sharnd.c is licensed under the GPL without any
particular exception for linking to the non-free sha1.[ch], the
binaries are not distributable at all (even in non-free).

If this package is worth keeping in Debian, it shouldn't be rocket science
to use a GPL-compatible SHA-1 implementation, like the one in nettle;
but I'm not convinced it is, because /dev/urandom can already generate
random files.

    S




Information forwarded to debian-bugs-dist@lists.debian.org, Jari Aalto <jari.aalto@cante.net>:
Bug#659645; Package sharand. (Sat, 03 Mar 2012 16:48:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Jari Aalto <jari.aalto@cante.net>. (Sat, 03 Mar 2012 16:48:07 GMT) Full text and rfc822 format available.

Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Sun, 04 Mar 2012 11:19:32 GMT) Full text and rfc822 format available.

Notification sent to Sam Geeraerts <samgee@elmundolibre.be>:
Bug acknowledged by developer. (Sun, 04 Mar 2012 11:19:40 GMT) Full text and rfc822 format available.

Message #20 received at 659645-done@bugs.debian.org (full text, mbox):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 659645-done@bugs.debian.org,
Cc: sharand@packages.debian.org, sharand@packages.qa.debian.org
Subject: Bug#662022: Removed package(s) from unstable
Date: Sun, 04 Mar 2012 11:04:41 +0000
Version: 0.0.20040607-1+rm

Dear submitter,

as the package sharand has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see http://bugs.debian.org/662022

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@debian.org.

Debian distribution maintenance software
pp.
Joerg Jaspert (the ftpmaster behind the curtain)




Added tag(s) pending. Request was from Anibal Monsalve Salazar <anibal@debian.org> to control@bugs.debian.org. (Tue, 06 Mar 2012 19:06:03 GMT) Full text and rfc822 format available.

Marked as found in versions sharand/0.0.20120307-1 and reopened. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Thu, 31 Oct 2013 20:06:28 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#659645; Package sharand. (Tue, 08 Apr 2014 05:09:10 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jari Aalto <jari.aalto@cante.net>:
Extra info received and forwarded to list. (Tue, 08 Apr 2014 05:09:10 GMT) Full text and rfc822 format available.

Message #29 received at 659645@bugs.debian.org (full text, mbox):

From: Jari Aalto <jari.aalto@cante.net>
To: submit@bugs.debian.org, 659645@bugs.debian.org
Subject: RM: sharand -- ROM; unredistributable
Date: Tue, 08 Apr 2014 08:06:01 +0300
Package: ftp.debian.org
Severity: normal

Please remove package from all flavors.

Main code licensed under the GPL; but without any particular exception
for linking to the non-free RFC part of the code.

See discussion https://bugs.debian.org/659645

Jari, Maintainer.




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 15:32:49 2014; Machine Name: buxtehude.debian.org
