On Wed, 2005-09-14 at 00:03 -0700, Steve Langasek wrote: > The maintainers should have a chance to clear up this question first.
Ok, I've just been through the ntp source tree looking at all the copyright and license assertions. Executive summary is that there are indeed some problems, but it's not bad, and I believe it can be fixed with an upload that elides certain bits from the upstream sources and makes one small change in the source code. Here's what I found... The contents of the ElectricFence subdirectory are GPL, redundant with the Debian packages, and comletely unused. Since we have to elide the upstream source anyway, we could clip this tree, or we could leave it and add a suitable content to debian/copyright. The file util/ansi2knr.c is also GPL. I'm pretty sure it's unused, but an easy reference in debian/copyright would cover it. The contents of the adjtimed subdirectory and a few files scattered around the rest of the tree are copyright by Tai Jin, with a unique license that is clearly DFSG-ok. I suggest we add suitable content to debian/copyright taken from adjtimed/adjtimed.c. The arlib subdirectory contents are non-free, but only relevant if configure is called with the --with-arlib option that we don't use. I suggest this be elided from the upstream source for the Debian source package. The file html/build/hints/solaris-dosynctodr.html appears to have been taken from a sun.com web page complete with links to a license assertion on Sun web content that I don't even want to read. We should remove this file from our source package. The files in html/pic include a couple of small images of products that I presume came from manufacturer web sites, which are used to illustrate the documentation. No explicit assertions of copyright or license. I believe this is fair use, but if not they could be replaced with an icon or something and nothing important would be lost. The file include/global.h has an RSA copyright assertion with "all rights reserved" and no other grant. However, the files that include it clearly came from the rsaref2.0 package, which has a BSD-like license with advertising clause. I believe this header file also was part of that package and therefore covered by the same RSA license terms. Therefore, I suggest the copyright and license terms from libntp/md5c.c should be added to debian/copyright to cover all inclusions from rsaref2.0. There are several files that are BSD with advertising clause, including libntp/memmove.c, libntp/mktime.c, libntp/random.c, libntp/strerror.c, libntp/strstr.c, ntpd/refclock_jupiter.c, and ntpd/refclock_mx4200.c. These should be referenced in debian/copyright. There are several files that are BSD-like with advertising clause (several different copyright holders), including libntp/md5c.c (mentioned above), libntp/ntp_rfc2553.c, ntpd/refclock_jjy.c, ntpd/refclock/palisade.c, ntpd/refclock_ripencc.c, ntpd/refclock_ulink.c, scripts/ntpsweep.in, and all of the sntp subdir (which I believe is unused). These should also be referenced in debian/copyright. The file libntp/ranny.c is non-free, with a unique copyright and license assertion: /* * Random number generator is: * * Copyright 1988 by Rayan S. Zachariassen, all rights reserved. * This will be free software, but only when it is finished. * * Used in ntp by permission of the author. If copyright is * annoying to you, read no further. Instead, look up the reference, * write me an equivalent to this and send it back to me. */ /* * Random number generator; see Knuth Vol 2. 2nd ed. p.27 * (section 3.2.2) */ There is exactly one use of the ranp2() function defined in this file, which appears in ntpd/ntp_peer.c. I don't have Knuth nearby, but staring at the source, this looks like a pseudo-randum generator that as called is returning an unsigned long containing a random number in the bottom 16 bits. Since all it is being used for is to initialize an association ID, I don't see why we couldn't replace the call to init_random() in ntp/ntpd.c with a call to srand(time()), and then replace ranp2(16) in ntpd/ntp_peer.c with rand() & 0xffff? That would allow us to elide libntp/ranny.c and the references to it in libntp/Makefile* from our source package, which is probably easier than finding the author and asking him to relicense this bit. That's it. The rest looks fine to me. Bdale -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]