apr-dev mailing list archives

From: "Sam Ruby" <ru...@intertwingly.net>
Subject: Re: apr-util removal of md4/md5 algorithms (legal issue)
Date: Wed, 10 Sep 2008 15:13:28 GMT

On Wed, Sep 10, 2008 at 4:24 AM, Joe Orton <jorton@redhat.com> wrote:
> On Mon, Sep 08, 2008 at 01:24:58PM -0400, Tom O'Brien wrote:
>> Hi all:
>> I'm using the Log4Cxx logging library in a project, and it uses apr and
>> apr-util as part of the implementation. In reviewing the license to
>> apr-util, I noticed it contained a reference to the RSA reference
>> implementation to md4 and md5. The lawyers here got a look at the
>> license, and were not amused (no specific right to redistribute). I saw
>> that the Debian team had raised a similar issue in the mailing list archive.
>
> I just noticed that this issue is covered in the Fedora licensing FAQ:
>
> http://fedoraproject.org/wiki/Licensing/FAQ
>
> which references this statement from RSA:
>
> http://www.ietf.org/ietf/IPR/RSA-MD-all [plain text sent as text/html, oops]
>
> the Fedora FAQ says that based on this, we can simply strip the
> restrictive licensing statements from the MD4/MD5 implementation,
> retaining the RSA copyright notice alone.
>
> Can legal-discuss@ confirm whether this is an acceptable course of
> action?

First, the above seems to present a conflicting state of affairs.
I've only followed the links provided, so I may not understand the
true story.  But if the original code was made available under the
original BSD with advertising clause, then there is a specific right
to redistribute provided, right?

Second, if we accept code, it either needs to be covered under a CLA
(or, in the case of minor patches, be covered by the definition of a
Contribution in the Apache License, Version 2.0), or we need a
separate license.  Perhaps we could consider treating the statement
posted on the IETF site as such.

Since we have actual lawyers engaged (ones who are reportedly not
amused), how about inquiring as to whether such a course of action
would, in fact, tickle their fancy?

If so, we can proceed to determine what ASF policy adjustments would
be required to enable this, and decide whether or not we were
comfortable with such.  I, for example, am currently uncomfortable
with the thoughts of us modifying such code (under what license would
we use for such modifications?) and specifically uncomfortable about
removing licensing statements.

- Sam Ruby
