Source: dropbox
Version: 1.0.10-1
Severity: serious
Justification: Policy 2.2.3, 4.5

dropbox bundles many 3rd party binary-only libraries in a way that violates their licenses:

1) ncrypt-0.6.4-*.egg/, according to its PKG-INFO (which is horribly mangled, BTW), contains a GPL-licensed library with accompanying source. Additionally, this library is linked to OpenSSL, but those two licenses are incompatible.

2) netifaces-0.5*.egg/ contains the netifaces library, which is MIT-licensed. One of the clauses of the license is "The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software." Neither is included in dropbox.

3) _dbus*_bindings.so is the python-dbus library. It is MIT-licensed, but copyright & permission notices are not included.

4) _librsync.so contains the statically-linked librsync library, which is under the LGPL-2.1+ license. No source is provided.

5) _speedups.so contains (parts of) the simplejson library. It is MIT-licensed, but copyright & permission notices are not included.

6) pyexpat.so contains statically linked Expat library. It is MIT-licensed, but copyright & permission notices are not included.

7) libcrypto.so.0.9.8 and libssl.so.0.9.8 are parts of the OpenSSL library. Its license requires that "Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution." Neither is reproduced in dropbox.

8) libncurses.so.5 is the ncurses library. It is MIT-licensed, but copyright & permission notices are not included.


(Disclaimer: I didn't do a full audit of the shipped code. There might be other license problems in dropbox.)

--
Jakub Wilk
