Bug#328200: Problems with ntp
Marco D'Itri wrote:

> I do, and I stand by my opinion: the package license is intended to be applied to everything, and pretending otherwise is useless pedantry.

Modern copyright law, unfortunately, demands pedantry. If you think it's useless, that's your opinion, but as far as I can tell that's not the attitude the Debian Project normally takes towards the formal requirements of copyright law. Instead Debian normally makes a strong effort to comply with them to the letter, as a matter of safety in an admittedly stupid legal climate.

Copyright infringement is now a criminal offense in the US, which means that if someone in power takes it into their head to prosecute you, they may be able to do so and win even if the copyright holder doesn't want to prosecute. This is pretty damned stupid, of course, but it -- and other stupid copyright laws -- means that fixing apparently unimportant errors in licensing actually matters.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#328200: Problems with ntp
On Sep 15, Nathanael Nerode [EMAIL PROTECTED] wrote:

> > I see nothing wrong libparse/*, just because the files have an extra warranty disclaimer it does not mean that the package license does not apply.
>
> Then you don't understand copyright law. The package copyright notice and license states that it applies to files except where other copyright notices are present. Other copyright notices are present in the libparse/* files. With no license.

No, maybe it's you who do not understand English, or probably just like armchair lawyering. The general copyright notices says that it applies unless specifically declared otherwise in an individual file, and the libparse/* files only contain a warranty disclaimer. There are no different license terms at all, so the general license applies.

--
ciao,
Marco
Bug#328200: Re: [debian-ntp] Bug#328200: Problems with ntp
[EMAIL PROTECTED] wrote:

> Ok, I've just been through the ntp source tree looking at all the copyright and license assertions. Executive summary is that there are indeed some problems, but it's not bad, and I believe it can be fixed with an upload that elides certain bits from the upstream sources and makes one small change in the source code.

Oh good. And your message covers almost all the problems.

You haven't dealt in your message with the portions with bare copyright notices and no specified license, however. The general package license statement clearly doesn't cover them (because it *says* it doesn't cover files with other copyright notices -- it's tied specifically to the copyright statement for the primary author). The authors should be willing to issue license statements, but it actually has to be done.

Sorry about sending this from a brain-dead mailer.
Bug#328200: [debian-ntp] Bug#328200: Problems with ntp
Matthew Garrett wrote:

> Bdale Garbee [EMAIL PROTECTED] wrote:
>
> > There are several files that are BSD with advertising clause, including libntp/memmove.c, libntp/mktime.c, libntp/random.c, libntp/strerror.c, libntp/strstr.c, ntpd/refclock_jupiter.c, and ntpd/refclock_mx4200.c. These should be referenced in debian/copyright.
>
> BSD with advertising isn't GPL compatible.

The UCB advertising clause has been rescinded by the copyright owner. See this authorization.

ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change

The advertising clause is no longer required and is deleted. With all of the usual cautions about IANAL I believe it is enough to delete that clause from the copyright and reference that document.

Bob
Bug#328200: Problems with ntp
Marco D'Itri wrote:

> No, maybe it's you who do not understand english, or probably just like armchair lawyering.

Please stop being rude when you're wrong. You apparently don't understand the difference between a license and a copyright notice. Actually, it's quite possible the authors of NTP didn't either.

> The general copyright notices says that it applies unless specifically
              ^
> declared otherwise in an individual file

Exactly. And the files in libparse/* contain a *different copyright notice*. The general license is attached to *one copyright notice*, that for the lead author.

If the license was clearly issued by more than one copyright holder (which it's not), and the general file stated that the *license* applied to all files in the distribution unless specifically declared otherwise in an individual file, that would be different. Instead, the file states that the *copyright notice* applies to all files in the distribution unless specifically declared otherwise in an individual file, and proceeds to give a license from that copyright holder alone.
Bug#328200: Problems with ntp
On Sep 15, Nathanael Nerode [EMAIL PROTECTED] wrote:

> You apparently don't understand the difference between a license and a copyright notice.

I do, and I stand by my opinion: the package license is intended to be applied to everything, and pretending otherwise is useless pedantry.

--
ciao,
Marco
Bug#328200: Problems with ntp
Russ Allbery wrote:

> While it would be nice to clean up this sort of thing just to avoid future confusion, this doesn't strike me as a serious problem worthy of removing the software from Debian unless the upstream copyright holders indicate that they really had intended to offer no license for those files.

Well, I'd remove it if any key upstream copyright holder can't be contacted, as well. But certainly we should expect the copyright holders to be willing to clarify the license. I only suggested removal because I found the disturbingly-licensed arlib directory on my first pass, and because removal had already been suggested due to the RC bugs.

It is an odd situation. I strongly suspect that most of the contributors to NTP have simply not been paying attention to copyright law. It's likely that there are copyright-significant contributions by other people without any copyright notices; unless they were employed by David Mills, or signed copyright assignments, they still hold copyrights, but they haven't formally licensed anything. :-P The only one who's done so is Mills.

If I were contacting upstream, I would recommend that the current copyright notice be replaced by the following -- but only provided it's actually true, of course:

  The following copyright notice applies to all files collectively called the Network Time Protocol Version 4 Distribution. Unless specifically declared otherwise in an individual file, this notice applies as if the text was explicitly included in the file.

  /* Copyright (c) David L. Mills 1992-1998 */

  In addition, portions of the files are copyright each of the individuals acknowledged as authors below.

  The following license applies to all files collectively called the Network Time Protocol Version 4 Distribution, unless a different license is specifically declared in an individual file. This license applies as if the text was explicitly included in the file. This license is granted by David L. Mills and all the other copyright holders in the files.

  /*
   * Permission to use, copy, modify, and distribute this software and
   * its documentation for any purpose and without fee is hereby
   * granted, provided that the above copyright notice appears in all
   * copies and that both the copyright notice and this permission
   * notice appear in supporting documentation, and that the name
   * University of Delaware not be used in advertising or publicity
   * pertaining to distribution of the software without specific,
   * written prior permission. The University of Delaware makes no
   * representations about the suitability this software for any
   * purpose. It is provided as is without express or implied
   * warranty.
   */

  The following individuals contributed in part to the Network Time Protocol Distribution Version 4 and are acknowledged as authors of this work.

  [remainder as before]

Please note the differences. As is, the license appears to be granted *only* by David Mills. He doesn't actually acknowledge in the main copyright statement that anyone else has a copyright interest, even though he acknowledges them as authors.
Bug#328200: Problems with ntp
On Wed, Sep 14, 2005 at 01:07:30AM -0400, Nathanael Nerode wrote:

> I just discovered that the ntp source is a nest of licensing problems. The arlib subdir isn't distributable. Neither is the entire libparse subdir, or anything else by Frank Kardel. I'm not actually sure it will build without these bits.
>
> So I guess NTP should be removed from Debian. It's not very maintained anyhow, having multiple RC bugs open for quite a while.

What are you going to replace it with? AFAIK, ntp is the only package we have in Debian which supports useful clock synchronization, which is essential for a number of other services (e.g., Kerberos).

Obviously we can't ship non-distributable code, but I'm not going to remove ntp from testing just because it appears at first blush to be inconsistently licensed. The maintainers should have a chance to clear up this question first.

--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
Bug#328200: Problems with ntp
On Wednesday 14 September 2005 10:03, Steve Langasek wrote:

> On Wed, Sep 14, 2005 at 01:07:30AM -0400, Nathanael Nerode wrote:
>
> > I just discovered that the ntp source is a nest of licensing problems. The arlib subdir isn't distributable. Neither is the entire libparse subdir, or anything else by Frank Kardel. I'm not actually sure it will build without these bits.
> >
> > So I guess NTP should be removed from Debian. It's not very maintained anyhow, having multiple RC bugs open for quite a while.
>
> What are you going to replace it with? AFAIK, ntp is the only package we have in Debian which supports useful clock synchronization, which is essential for a number of other services (e.g., Kerberos).

I've never tested openntpd, but it is the obvious replacement in case of legal problems with ntp and it has been released with sarge.

> Obviously we can't ship non-distributable code, but I'm not going to remove ntp from testing just because it appears at first blush to be inconsistently licensed. The maintainers should have a chance to clear up this question first.

Agreed.

--
pub 4096R/0E4BD0AB 2003-03-18 people.fccf.net/danchev/key pgp.mit.edu
fingerprint 1AE7 7C66 0A26 5BFF DF22 5D55 1C57 0C89 0E4B D0AB
Bug#328200: Problems with ntp
George Danchev wrote:

> On Wednesday 14 September 2005 10:03, Steve Langasek wrote:
>
> > On Wed, Sep 14, 2005 at 01:07:30AM -0400, Nathanael Nerode wrote:
> >
> > > I just discovered that the ntp source is a nest of licensing problems. The arlib subdir isn't distributable. Neither is the entire libparse subdir, or anything else by Frank Kardel. I'm not actually sure it will build without these bits.
> > >
> > > So I guess NTP should be removed from Debian. It's not very maintained anyhow, having multiple RC bugs open for quite a while.
> >
> > What are you going to replace it with? AFAIK, ntp is the only package we have in Debian which supports useful clock synchronization, which is essential for a number of other services (e.g., Kerberos).
>
> I've never tested openntpd, but it is the obvious replacement in case of legal problems with ntp and it has been released with sarge.

I use openntpd and that works better than ntp IMHO.

> > Obviously we can't ship non-distributable code, but I'm not going to remove ntp from testing just because it appears at first blush to be inconsistently licensed. The maintainers should have a chance to clear up this question first.
>
> Agreed.

Also agreed.

Regards,

Matthijs Mohlmann
Bug#328200: [debian-ntp] Bug#328200: Problems with ntp
Hi Matthijs,

> > I've never tested openntpd, but it is the obvious replacement in case of legal problems with ntp and it has been released with sarge.
>
> I use openntpd and that works better than ntp IMHO.

Last time I checked,

- it doesn't support attached clocks, so no stratum 1
- it only seems to speak SNTP, so it has lower accuracy than ntp, it also doesn't lock its memory from being swapped.
- it doesn't seem to have multicast support.

At least for me, it doesn't work better than ntp ;-)

Thanks,
Jochen
Bug#328200: [debian-ntp] Bug#328200: Problems with ntp
On Wed, 2005-09-14 at 00:03 -0700, Steve Langasek wrote:

> The maintainers should have a chance to clear up this question first.

I'll have a look at it today.

Bdale
Bug#328200: [debian-ntp] Bug#328200: Problems with ntp
On Wed, 2005-09-14 at 00:03 -0700, Steve Langasek wrote:

> The maintainers should have a chance to clear up this question first.

Ok, I've just been through the ntp source tree looking at all the copyright and license assertions. Executive summary is that there are indeed some problems, but it's not bad, and I believe it can be fixed with an upload that elides certain bits from the upstream sources and makes one small change in the source code.

Here's what I found...

The contents of the ElectricFence subdirectory are GPL, redundant with the Debian packages, and completely unused. Since we have to elide the upstream source anyway, we could clip this tree, or we could leave it and add a suitable content to debian/copyright.

The file util/ansi2knr.c is also GPL. I'm pretty sure it's unused, but an easy reference in debian/copyright would cover it.

The contents of the adjtimed subdirectory and a few files scattered around the rest of the tree are copyright by Tai Jin, with a unique license that is clearly DFSG-ok. I suggest we add suitable content to debian/copyright taken from adjtimed/adjtimed.c.

The arlib subdirectory contents are non-free, but only relevant if configure is called with the --with-arlib option that we don't use. I suggest this be elided from the upstream source for the Debian source package.

The file html/build/hints/solaris-dosynctodr.html appears to have been taken from a sun.com web page complete with links to a license assertion on Sun web content that I don't even want to read. We should remove this file from our source package.

The files in html/pic include a couple of small images of products that I presume came from manufacturer web sites, which are used to illustrate the documentation. No explicit assertions of copyright or license. I believe this is fair use, but if not they could be replaced with an icon or something and nothing important would be lost.

The file include/global.h has an RSA copyright assertion with all rights reserved and no other grant. However, the files that include it clearly came from the rsaref2.0 package, which has a BSD-like license with advertising clause. I believe this header file also was part of that package and therefore covered by the same RSA license terms. Therefore, I suggest the copyright and license terms from libntp/md5c.c should be added to debian/copyright to cover all inclusions from rsaref2.0.

There are several files that are BSD with advertising clause, including libntp/memmove.c, libntp/mktime.c, libntp/random.c, libntp/strerror.c, libntp/strstr.c, ntpd/refclock_jupiter.c, and ntpd/refclock_mx4200.c. These should be referenced in debian/copyright.

There are several files that are BSD-like with advertising clause (several different copyright holders), including libntp/md5c.c (mentioned above), libntp/ntp_rfc2553.c, ntpd/refclock_jjy.c, ntpd/refclock/palisade.c, ntpd/refclock_ripencc.c, ntpd/refclock_ulink.c, scripts/ntpsweep.in, and all of the sntp subdir (which I believe is unused). These should also be referenced in debian/copyright.

The file libntp/ranny.c is non-free, with a unique copyright and license assertion:

  /*
   * Random number generator is:
   *
   * Copyright 1988 by Rayan S. Zachariassen, all rights reserved.
   * This will be free software, but only when it is finished.
   *
   * Used in ntp by permission of the author. If copyright is
   * annoying to you, read no further. Instead, look up the reference,
   * write me an equivalent to this and send it back to me.
   */

  /*
   * Random number generator; see Knuth Vol 2. 2nd ed. p.27
   * (section 3.2.2)
   */

There is exactly one use of the ranp2() function defined in this file, which appears in ntpd/ntp_peer.c. I don't have Knuth nearby, but staring at the source, this looks like a pseudo-random generator that as called is returning an unsigned long containing a random number in the bottom 16 bits. Since all it is being used for is to initialize an association ID, I don't see why we couldn't replace the call to init_random() in ntp/ntpd.c with a call to srand(time()), and then replace ranp2(16) in ntpd/ntp_peer.c with rand() 0x? That would allow us to elide libntp/ranny.c and the references to it in libntp/Makefile* from our source package, which is probably easier than finding the author and asking him to relicense this bit.

That's it. The rest looks fine to me.

Bdale
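The substitution proposed in the message above, as an added C sketch (not code from the ntp source tree or from the message's author). The helper names are hypothetical, and the 16-bit mask is an assumption taken from the message's "bottom 16 bits", since the mask in the message itself is cut off.

```c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Helper names are hypothetical; none of them exist in the ntp tree. */

/* Seed the C library generator once at startup, as the message proposes. */
static void assoc_seed(unsigned int seed)
{
    srand(seed);
}

/*
 * Return a starting association ID in 0..0xffff.
 * The 16-bit width is an assumption based on the message's "bottom 16
 * bits". ISO C only guarantees RAND_MAX >= 32767 (15 bits), so where
 * RAND_MAX is that small a second draw is folded in to make bit 15
 * reachable.
 */
static unsigned long assoc_initial_id(void)
{
    unsigned long r = (unsigned long)rand();

    if (RAND_MAX < 0xffff)
        r ^= (unsigned long)rand() << 8;
    return r & 0xffffUL;
}

/*
 * Seed, draw, and return the first ID. Two daemons that seed from the
 * same clock second get the same value: fine as the starting point of an
 * identifier counter, not usable as a secret.
 */
static unsigned long first_id_for_seed(unsigned int seed)
{
    assoc_seed(seed);
    return assoc_initial_id();
}

int main(void)
{
    unsigned int now = (unsigned int)time(NULL);

    printf("seed %u -> id %lu\n", now, first_id_for_seed(now));
    printf("same seed again -> id %lu\n", first_id_for_seed(now));
    return 0;
}
```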
Bug#328200: [debian-ntp] Bug#328200: Problems with ntp
Bdale Garbee [EMAIL PROTECTED] wrote:

> The file util/ansi2knr.c is also GPL. I'm pretty sure it's unused, but an easy reference in debian/copyright would cover it.

This may be a problem if it is used, as:

> There are several files that are BSD with advertising clause, including libntp/memmove.c, libntp/mktime.c, libntp/random.c, libntp/strerror.c, libntp/strstr.c, ntpd/refclock_jupiter.c, and ntpd/refclock_mx4200.c. These should be referenced in debian/copyright.

BSD with advertising isn't GPL compatible.

--
Matthew Garrett | [EMAIL PROTECTED]
Bug#328200: Problems with ntp
On Wed, 14 Sep 2005 00:03:36 -0700 Steve Langasek wrote:

> What are you going to replace it with? AFAIK, ntp is the only package we have in Debian which supports useful clock synchronization, which is essential for a number of other services (e.g., Kerberos).

Isn't chrony a possible replacement? It conflicts with ntp, among other things...

--
:-( This Universe is buggy! Where's the Creator's BTS? ;-)
..
Francesco Poli GnuPG Key ID = DD6DFCF4
Key fingerprint = C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4
Bug#328200: Problems with ntp
On Thu, Sep 15, 2005 at 01:02:51AM +0200, Francesco Poli wrote:

> On Wed, 14 Sep 2005 00:03:36 -0700 Steve Langasek wrote:
>
> > What are you going to replace it with? AFAIK, ntp is the only package we have in Debian which supports useful clock synchronization, which is essential for a number of other services (e.g., Kerberos).
>
> Isn't chrony a possible replacement? It conflicts with ntp, among other things...

I don't think it implements algorithms as sophisticated as NTP does (well, I don't know anything about them, though). It probably conflicts with NTP simply because having two programs setting your clock is disgusting :)

--
Clear skies,
Justin