Package: ledger Version: 3.0.0+dfsg1-1 Severity: serious ledger bundles an SHA-1 C++ implementation by Paul E. Jones which is licensed under a "Freeware Public License". This license does not allow modification and therefore does not adhere to the DFSG.
The ledger source tree contains these files: lib/sha1.cpp lib/sha1.h These files have this header: * Copyright (C) 1998 * Paul E. Jones <pau...@arid.us> * All Rights Reserved. This bundled sha1 software is taken from here: http://www.packetizer.com/security/sha1/ The ledger source tree contains the 1998 version of the sha1 software, but without any reference to a license. Unfortunately, I could not find the 1998 version of the software on the packetizer.com website to determine the license. A revised 2009 release on the website contains the following license: ========== Copyright (C) 1998, 2009 Paul E. Jones <pau...@packetizer.com> Freeware Public License (FPL) This software is licensed as "freeware." Permission to distribute this software in source and binary forms, including incorporation into other products, is hereby granted without a fee. THIS SOFTWARE IS PROVIDED 'AS IS' AND WITHOUT ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE AUTHOR SHALL NOT BE HELD LIABLE FOR ANY DAMAGES RESULTING FROM THE USE OF THIS SOFTWARE, EITHER DIRECTLY OR INDIRECTLY, INCLUDING, BUT NOT LIMITED TO, LOSS OF DATA OR DATA BEING RENDERED INACCURATE. ========== There was a similar issue with the "orthanc" package. This was resolved when the upstream author switched to a different library with a license compatible with the DFSG: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=724947 https://lists.debian.org/debian-legal/2013/09/msg00077.html (NB: I am not a Debian user, but spotted this problem while packaging ledger-3.0.0 for Fedora.) Kind regards, -- Jamie Nguyen -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org