[3281] in Kerberos-V5-bugs
krb5-libs/1026: non-MIT-style-licensed code in krb5 libs (Blame Canada!)
daemon@ATHENA.MIT.EDU (danw@ximian.com)
Thu Dec 13 14:30:07 2001
Resent-From: gnats@rt-11.mit.edu (GNATS Management)
Resent-To: krb5-unassigned@rt-11.mit.edu
Resent-Reply-To: krb5-bugs@MIT.EDU, danw@ximian.com
Message-Id: <200112131929.fBDJTnJ28140@twelve-monkeys.ximian.com>
Date: Thu, 13 Dec 2001 14:29:49 -0500 (EST)
From: danw@ximian.com
Reply-To: danw@ximian.com
To: krb5-bugs@mit.edu
>Number: 1026
>Category: krb5-libs
>Synopsis: non-MIT-style-licensed code in krb5 libs (Blame Canada!)
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: doc-bug
>Submitter-Id: unknown
>Arrival-Date: Thu Dec 13 14:30:00 EST 2001
>Last-Modified:
>Originator: Dan Winship
>Organization:
Ximian, Inc.
>Release: krb5-1.2.2
>Environment:
System: NetBSD twelve-monkeys.ximian.com 1.5X NetBSD 1.5X (GENERIC) #0: Tue Jul 31 20:12:29 EDT 2001 danw@twelve-monkeys.ximian.com:/usr/src/sys/arch/i386/compile/GENERIC i386
>Description:
The krb5 README implies that (other than the OV bits), all of MIT krb5
is covered by an MIT-style license. The sources disagree:
* crypto/des/f_cbc.c, crypto/des/f_cksum.c,
  crypto/des/f_sched.c, crypto/des/f_tables.c, and
  des425/pcbc_encrypt.c all have a "you can't make commercial
  products based on this code unless you make them available
  in Canada" clause.
* crypto/md4/md4.c and crypto/md5/md5.c have a "you have to
  say RSADSI if you say the name of the algorithm" clause.
* krb5/krb/strptime.c comes from NetBSD and thus has a
  non-rescinded advertising clause. (Lots of other files,
  particularly in krb5/posix, have the no-longer-active UCB
  advertising clause, which is not a problem.)
* krb4/DNR.c says just "Copyright Apple Computer. All rights
  reserved", which sounds to me like that means you can't
  redistribute it at all.
* rpc/* can only be redistributed as part of something else,
  not on its own.
That's just from the library code. I didn't look at the
tools/clients/servers.
>How-To-Repeat:
>Fix:
one or more of:
1) In your copious free time, reimplement all of the above code
2) Hunt down relevant parties, get them to sign copyright assignments
   and/or relicense.
3) Change the README to indicate that some of the library code has
   wacky terms. In particular, the first problem above makes it
   potentially awkward to use MIT Kerberos in a commercial product
   (and makes MIT Kerberos not Open Source[tm]). And IANAL, but I
   think every single one of the problems mentioned above makes
   it non-GPL-compatible.
>Audit-Trail:
>Unformatted: