Package: abuse-sfx
Version: 2.00-8
Severity: serious
Justification: Policy 2.3

To view the license terms, see the copyright file:
http://packages.debian.org/changelogs/pool/non-free/a/abuse-sfx/abuse-sfx_2.00-8/copyright

First off, the license only grants the right to *use* the software:

> For purposes of this section, "use" means loading the Software into
> RAM, as well as installation on a hard disk or other storage
> device.

After granting this right, it then proceeds to list many things that one is *not* allowed to do:

> You may not: modify, translate, disassemble, decompile, reverse
> engineer, or create derivative works based upon the Software. You
> agree that the Software will not be shipped, transferred or exported
> into any country in violation of the U.S. Export Administration Act
> and that you will not utilize, in any other manner, the Software in
> violation of any applicable law.

Nowhere does it grant permission to distribute the software. I'd say it's strongly implied by the second sentence (why would they bother specifying that distributing to T7 countries is prohibited if distribution isn't permitted at all in the first place) but, according to Policy 2.3, "no distribution or modification of a work is allowed without an explicit notice saying so".

An even greater worry is a clause that appears to make the Project responsible for enforcing compliance with the license terms:

> You agree to use your best efforts to see that any user of the
> Software licensed hereunder complies with this Agreement.

First of all, does the Project really agree to that? If not:

> If you fail to comply with any terms of this Agreement, YOUR LICENSE
> IS AUTOMATICALLY TERMINATED.

And if OTOH we *do* agree to that ridiculous condition, we are already in violation of this policeman clause due to our own policy regarding the US Export Administration Act.

AIUI, the resolution of the crypto-in-main issue involved implementing reverse IP lookups on the main archive[1] and having no official mirrors in the T7 countries[2], thus showing a good-faith attempt to prevent exporting software to these so-called terrorist states. Re-exportation, e.g. via a mirror not implementing similar restrictions, would pose no legal threat to Debian proper since we would no longer be the ones doing the exporting.

Unfortunately, this license would have us go even further. The Project would have to actively pressure all the mirror admins to implement similar restrictions, since the current stance of leaving the decision entirely up to them would IMO be highly unlikely to count as "best efforts" on our part to bring them into compliance. Needless to say, I think it'd be far easier (and more moral) just to drop this package, together with anything else that has a similarly odious clause.

Thoughts, comments, critiques? I very much doubt that we can continue to distribute this in light of the above, but I'd be interested to hear what others think.

[1] http://lists.debian.org/debian-legal/2002/02/msg00181.html
[2] http://lists.debian.org/debian-legal/2002/02/msg00176.html

-- 
Andrew Saunders

