mailarchive of the ptxdist mailing list
* [ptxdist] libmd: specification of license tags
@ 2016-10-03 20:18 Andreas Pretzsch
  2016-10-03 23:25 ` Roland Hieber
  2016-10-04 14:19 ` Michael Olbrich
  0 siblings, 2 replies; 6+ messages in thread
From: Andreas Pretzsch @ 2016-10-03 20:18 UTC (permalink / raw)
  To: ptxdist

While updating the license stuff in a customer BSP, libmd hit me.

libmd provides MD2, MD4, MD5, SHA-1 and RIPEMD-160 message digest
algorithms.
Each of the respective implementations includes different license
statements, with wrappers under beer-ware license.
Copied them in below, for reference.

The ptxdist rule file does not specify a license. Well, no surprise.
Question would be how to handle this.

One option is of course to simply ignore it, i.e. not use it ;-)
As of now, in ptxdist I see ntp pulling it in, for MD5. But it has its
own implementation, so...
Also, libarchive would be willing to take it, but prefers
OpenSSL/libcrypto, as being more complete. Also no dependency in ptxdist
here.
Maybe other packages would take it, too, didn't check.

Now, as I have this can of worms open anyway, what would be the best way
to specify a license tag ?
I only see providing ptxdist patches to copy out the license headers to
files, and referring to them in LIBMD_LICENSE_FILES.
In addition to a list in LIBMD_LICENSE. Like "RSA (MD2, MD4) ;
public-domain (MD5) ; unknown (RIPEMD160) ; public-domain (SHA-1) ;
beer-ware (ALL)", or similar.

Probably one has to go even further (to avoid the RSA attribution
clauses) and provide options for MD2 and MD4.

But before investing the time: Does anybody care ?



MD2
===
/* MD2C.C - RSA Data Security, Inc., MD2 message-digest algorithm
 * $Id: md2c.c,v 1.5 1997/02/22 15:07:15 peter Exp $
 */
/* Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All
   rights reserved.

   License to copy and use this software is granted for
   non-commercial Internet Privacy-Enhanced Mail provided that it is
   identified as the "RSA Data Security, Inc. MD2 Message Digest
   Algorithm" in all material mentioning or referencing this software
   or this function.

   RSA Data Security, Inc. makes no representations concerning either
   the merchantability of this software or the suitability of this
   software for any particular purpose. It is provided "as is"
   without express or implied warranty of any kind.

   These notices must be retained in any copies of any part of this
   documentation and/or software.
 */
/* md2hl.c
 * ----------------------------------------------------------------------------
 * "THE BEER-WARE LICENSE" (Revision 42):
 * <phk@login.dkuug.dk> wrote this file.  As long as you retain this notice you
 * can do whatever you want with this stuff. If we meet some day, and you think
 * this stuff is worth it, you can buy me a beer in return.   Poul-Henning Kamp
 * ----------------------------------------------------------------------------
 *
 * $Id: md2hl.c,v 1.8.2.1 1998/02/18 02:24:05 jkh Exp $
 *
 */

MD4
===
/* MD4C.C - RSA Data Security, Inc., MD4 message-digest algorithm
 * $Id: md4c.c,v 1.5 1997/02/22 15:07:19 peter Exp $
 */
/* Copyright (C) 1990-2, RSA Data Security, Inc. All rights reserved.

   License to copy and use this software is granted provided that it
   is identified as the "RSA Data Security, Inc. MD4 Message-Digest
   Algorithm" in all material mentioning or referencing this software
   or this function.

   License is also granted to make and use derivative works provided
   that such works are identified as "derived from the RSA Data
   Security, Inc. MD4 Message-Digest Algorithm" in all material
   mentioning or referencing the derived work.

   RSA Data Security, Inc. makes no representations concerning either
   the merchantability of this software or the suitability of this
   software for any particular purpose. It is provided "as is"
   without express or implied warranty of any kind.

   These notices must be retained in any copies of any part of this
   documentation and/or software.
 */
/* md4hl.c
 * ----------------------------------------------------------------------------
 * "THE BEER-WARE LICENSE" (Revision 42):
 * <phk@login.dkuug.dk> wrote this file.  As long as you retain this notice you
 * can do whatever you want with this stuff. If we meet some day, and you think
 * this stuff is worth it, you can buy me a beer in return.   Poul-Henning Kamp
 * ----------------------------------------------------------------------------
 *
 * $Id: md4hl.c,v 1.8.2.1 1998/02/18 02:24:05 jkh Exp $
 *
 */

MD5
===
/*
 * This code implements the MD5 message-digest algorithm.
 * The algorithm is due to Ron Rivest.  This code was
 * written by Colin Plumb in 1993, no copyright is claimed.
 * This code is in the public domain; do with it what you wish.
 *
 * Equivalent code is available from RSA Data Security, Inc.
 * This code has been tested against that, and is equivalent,
 * except that you don't need to include two pages of legalese
 * with every copy.
 *
 * To compute the message digest of a chunk of bytes, declare an
 * MD5Context structure, pass it to MD5Init, call MD5Update as
 * needed on buffers full of bytes, and then call MD5Final, which
 * will fill a supplied 16-byte array with the digest.
 */
/* md5hl.c
 * ----------------------------------------------------------------------------
 * "THE BEER-WARE LICENSE" (Revision 42):
 * <phk@login.dkuug.dk> wrote this file.  As long as you retain this notice you
 * can do whatever you want with this stuff. If we meet some day, and you think
 * this stuff is worth it, you can buy me a beer in return.   Poul-Henning Kamp
 * ----------------------------------------------------------------------------
 *
 * $Id: md5hl.c,v 1.8.2.1 1998/02/18 02:24:05 jkh Exp $
 *
 */

RIPEMD160
=========
/*
 * RIPEMD160.c - European RIPE Message Digest, 160 bit (RIPEMD-160)
 *
 * The algorithm is by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel.
 *
 * The code below is based on the reference implementation by Bosselaers.
 * It is available at the time of writing from
 * http://www.esat.kuleuven.ac.be/~bosselae/ripemd160.html
 *
 * Hacked for use in libmd by Martin Hinner <mhi@penguin.cz>
 */
/* rmd160hl.c
 * ----------------------------------------------------------------------------
 * "THE BEER-WARE LICENSE" (Revision 42):
 * <phk@login.dkuug.dk> wrote this file.  As long as you retain this notice you
 * can do whatever you want with this stuff. If we meet some day, and you think
 * this stuff is worth it, you can buy me a beer in return.   Poul-Henning Kamp
 * ----------------------------------------------------------------------------
 *
 * $Id: rmd160hl.c,v 1.8.2.1 1998/02/18 02:24:05 jkh Exp $
 *
 */

SHA-1
=====
/*
 * sha.c - NIST Secure Hash Algorithm, FIPS PUB 180 and 180.1.
 * The algorithm is by spook(s) unknown at the U.S. National Security Agency.
 *
 * Written 2 September 1992, Peter C. Gutmann.
 * This implementation placed in the public domain.
 *
 * Modified 1 June 1993, Colin Plumb.
 * Modified for the new SHS based on Peter Gutmann's work,
 * 18 July 1994, Colin Plumb.
 *
 * Renamed to SHA and comments updated a bit 1 November 1995, Colin Plumb.
 * These modifications placed in the public domain.
 *
 * Comments to pgut1@cs.aukuni.ac.nz
 *
 * Hacked for use in libmd by Martin Hinner <mhi@penguin.cz>
 */
/* shahl.c
 * ----------------------------------------------------------------------------
 * "THE BEER-WARE LICENSE" (Revision 42):
 * <phk@login.dkuug.dk> wrote this file.  As long as you retain this notice you
 * can do whatever you want with this stuff. If we meet some day, and you think
 * this stuff is worth it, you can buy me a beer in return.   Poul-Henning Kamp
 * ----------------------------------------------------------------------------
 *
 * $Id: shahl.c,v 1.8.2.1 1998/02/18 02:24:05 jkh Exp $
 *
 */


-- 

carpe noctem engineering
Ingenieurbuero fuer Hard- & Software-Entwicklung Andreas Pretzsch
Dipl.-Ing. (FH) Andreas Pretzsch        Tel. +49-(0)7307-936088-1
Lange Strasse 28a                       Fax: +49-(0)7307-936088-9
89250 Senden, Germany                   email: apr@cn-eng.de


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de


* Re: [ptxdist] libmd: specification of license tags
  2016-10-03 20:18 [ptxdist] libmd: specification of license tags Andreas Pretzsch
@ 2016-10-03 23:25 ` Roland Hieber
  2016-10-04 14:26   ` Michael Olbrich
  2016-10-04 14:19 ` Michael Olbrich
  1 sibling, 1 reply; 6+ messages in thread
From: Roland Hieber @ 2016-10-03 23:25 UTC (permalink / raw)
  To: ptxdist



Hi,

> One option is of course to simply ignore it, i.e. not use it ;-)

I don't think this is a good option ;-)

> […]
> Now, as I have this can of worms open anyway, what would be the best way
> to specify a license tag ?

Apparently util-linux is similar to that, its README.licenses says:

> Please, check the source code for more details. A license is usually at the start
> of each source file.

The rules file simply specifies multiple licenses:

> UTIL_LINUX_NG_LICENSE := GPL-2.0, GPL-2.0+, GPL-3.0+, LGPL-2.0+, BSD-3-Clause, BSD-4-Clause, public_domain
> UTIL_LINUX_NG_LICENSE_FILES := \
>   file://Documentation/licenses/COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
>   file://Documentation/licenses/COPYING.BSD-3;md5=58dcd8452651fc8b07d1f65ce07ca8af \
>   file://Documentation/licenses/COPYING.UCB;md5=263860f8968d8bafa5392cab74285262 \
>   file://Documentation/licenses/COPYING.LGPLv2.1;md5=4fbd65380cdd255951079008b364516c

 - Roland



* Re: [ptxdist] libmd: specification of license tags
  2016-10-03 20:18 [ptxdist] libmd: specification of license tags Andreas Pretzsch
  2016-10-03 23:25 ` Roland Hieber
@ 2016-10-04 14:19 ` Michael Olbrich
  2016-10-04 16:12   ` Andreas Pretzsch
  1 sibling, 1 reply; 6+ messages in thread
From: Michael Olbrich @ 2016-10-04 14:19 UTC (permalink / raw)
  To: ptxdist

On Mon, Oct 03, 2016 at 10:18:56PM +0200, Andreas Pretzsch wrote:
> While updating the license stuff in a customer BSP, libmd hit me.
> 
> libmd provides MD2, MD4, MD5, SHA-1 and RIPEMD-160 message digest
> algorithms.
> Each of the respective implementations includes different license
> statements, with wrappers under beer-ware license.
> Copied them in below, for reference.
> 
> The ptxdist rule file does not specify a license. Well, no surprise.
> Question would be how to handle this.
> 
> One option is of course to simply ignore it, i.e. not use it ;-)
> As of now, in ptxdist I see ntp pulling it in, for MD5. But it has its
> own implementation, so...
> Also, libarchive would be willing to take it, but prefers
> OpenSSL/libcrypto, as being more complete. Also no dependency in ptxdist
> here.
> Maybe other packages would take it, too, didn't check.
> 
> Now, as I have this can of worms open anyway, what would be the best way
> to specify a license tag ?
> I only see providing ptxdist patches to copy out the license headers to
> files, and referring to them in LIBMD_LICENSE_FILES.
> In addition to a list in LIBMD_LICENSE. Like "RSA (MD2, MD4) ;
> public-domain (MD5) ; unknown (RIPEMD160) ; public-domain (SHA-1) ;
> beer-ware (ALL)", or similar.
> 
> Probably one has to go even further (to avoid the RSA attribution
> clauses) and provide options for MD2 and MD4.
> 
> But before investing the time: Does anybody care ?

In this case, I'd say, let's just move the package to staging and not use
it at all. As I noted in my other mail, even ntp is not using it any more,
so it is no longer needed.

Michael

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


* Re: [ptxdist] libmd: specification of license tags
  2016-10-03 23:25 ` Roland Hieber
@ 2016-10-04 14:26   ` Michael Olbrich
  2016-10-04 16:19     ` Andreas Pretzsch
  0 siblings, 1 reply; 6+ messages in thread
From: Michael Olbrich @ 2016-10-04 14:26 UTC (permalink / raw)
  To: ptxdist

On Tue, Oct 04, 2016 at 01:25:35AM +0200, Roland Hieber wrote:
> Apparently util-linux is similar to that, its README.licenses says:
> 
> > Please, check the source code for more details. A license is usually at the start
> > of each source file.
> 
> The rules file simply specifies multiple licenses:
> 
> > UTIL_LINUX_NG_LICENSE := GPL-2.0, GPL-2.0+, GPL-3.0+, LGPL-2.0+, BSD-3-Clause, BSD-4-Clause, public_domain
> > UTIL_LINUX_NG_LICENSE_FILES := \
> >   file://Documentation/licenses/COPYING.GPLv2;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
> >   file://Documentation/licenses/COPYING.BSD-3;md5=58dcd8452651fc8b07d1f65ce07ca8af \
> >   file://Documentation/licenses/COPYING.UCB;md5=263860f8968d8bafa5392cab74285262 \
> >   file://Documentation/licenses/COPYING.LGPLv2.1;md5=4fbd65380cdd255951079008b364516c

Send patches :-)

> Hi,
> 
> > One option is of course to simply ignore it, i.e. not use it ;-)
> 
> I don't think this is a good option ;-)
> 
> > […]
> > Now, as I have this can of worms open anyway, what would be the best way
> > to specify a license tag ?
> 
Btw, if the license text is only part of the file then you can use
startline/endline to 'cut' it, see e.g. rules/e2fsprogs.make.

Michael

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


* Re: [ptxdist] libmd: specification of license tags
  2016-10-04 14:19 ` Michael Olbrich
@ 2016-10-04 16:12   ` Andreas Pretzsch
  0 siblings, 0 replies; 6+ messages in thread
From: Andreas Pretzsch @ 2016-10-04 16:12 UTC (permalink / raw)
  To: ptxdist

On Di, 2016-10-04 at 16:19 +0200, Michael Olbrich wrote:
> In this case, I'd say, let's just move the package to staging and not use
> it at all. As I noted in my other mail, even ntp is not using it any more,
> so it is no longer needed.

ACK. Just sent a patch, with some information why:
"libmd: move to staging (license issues and no more users inside ptxdist)"
Not tested, but...

Feel free to adapt as you like, e.g. by adding some remove-by date.

-- 

carpe noctem engineering
Ingenieurbuero fuer Hard- & Software-Entwicklung Andreas Pretzsch
Dipl.-Ing. (FH) Andreas Pretzsch        Tel. +49-(0)7307-936088-1
Lange Strasse 28a                       Fax: +49-(0)7307-936088-9
89250 Senden, Germany                   email: apr@cn-eng.de



* Re: [ptxdist] libmd: specification of license tags
  2016-10-04 14:26   ` Michael Olbrich
@ 2016-10-04 16:19     ` Andreas Pretzsch
  0 siblings, 0 replies; 6+ messages in thread
From: Andreas Pretzsch @ 2016-10-04 16:19 UTC (permalink / raw)
  To: ptxdist

On Di, 2016-10-04 at 16:26 +0200, Michael Olbrich wrote:
> > > Now, as I have this can of worms open anyway, what would be the best way
> > > to specify a license tag ?
> > 
> Btw, if the license text is only part of the file then you can use
> startline/endline to 'cut' it, see e.g. rules/e2fsprogs.make.

Noted also yesterday night. Good thing, congrats!
And it's even in the docs.
For those who follow this thread, quoted from "doc/ref_manual.rst":

``<PKG>_LICENSE``
  The license of the package. The SPDX license identifiers should be used
  here. Use ``proprietary`` for proprietary packages and ``ignore`` for
  packages without their own license, e.g. meta packages or packages that
  only install files from projectroot/.

``<PKG>_LICENSE_FILES``
  A space separated list of URLs of license text files. The URLs must be
  ``file://`` URLs relative to ``<PKG>_DIR``. Absolute URLs using
  ``$(PTXDIST_WORKSPACE)`` can be used in case the license text is missing
  in the upstream archive. Arguments are appended with ';' as separator.
  The ``md5=<md5sum>`` argument is mandatory. It defines the md5 checksum
  of the full license text. ``startline=<number>;endline=<number>`` can be
  used in case the specified file contains more than just the license text,
  e.g. if the license is in the header of a source file. For non ASCII or
  UTF-8 files the encoding can be specified with ``encoding=<enc>``.


-- 

carpe noctem engineering
Ingenieurbuero fuer Hard- & Software-Entwicklung Andreas Pretzsch
Dipl.-Ing. (FH) Andreas Pretzsch        Tel. +49-(0)7307-936088-1
Lange Strasse 28a                       Fax: +49-(0)7307-936088-9
89250 Senden, Germany                   email: apr@cn-eng.de
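
Added example, not part of the thread and not ptxdist's own code: a sketch of checking one `<PKG>_LICENSE_FILES` entry as the quoted documentation describes it, for a relative `file://` URL with `md5=` and optional `startline=`/`endline=`. The function names are hypothetical, and it assumes 1-based inclusive line numbers and an MD5 over the raw bytes of the selected lines; `encoding=` and absolute `$(PTXDIST_WORKSPACE)` URLs are not handled.

```python
import hashlib
import tempfile
from pathlib import Path


def parse_entry(entry):
    """Split 'file://<path>;key=value;...' into (relative path, options)."""
    url, *args = entry.strip().split(";")
    if not url.startswith("file://"):
        raise ValueError("only file:// URLs are allowed: %r" % url)
    opts = dict(arg.split("=", 1) for arg in args if arg)
    if "md5" not in opts:
        raise ValueError("md5=<md5sum> argument is mandatory: %r" % entry)
    return url[len("file://"):], opts


def license_md5(pkg_dir, rel_path, opts):
    """MD5 of the license text, cut with startline/endline when given."""
    root = Path(pkg_dir).resolve()
    target = (root / rel_path).resolve()
    if root not in target.parents:  # refuse '../' escapes from <PKG>_DIR
        raise ValueError("path escapes package directory: %r" % rel_path)
    lines = target.read_bytes().splitlines(keepends=True)
    # Assumption: line numbers are 1-based and the range is inclusive.
    start = int(opts.get("startline", 1))
    end = int(opts.get("endline", len(lines)))
    if not 1 <= start <= end <= len(lines):
        raise ValueError("startline/endline outside of file")
    return hashlib.md5(b"".join(lines[start - 1:end])).hexdigest()


def check_entry(pkg_dir, entry):
    """True when the recorded md5 still matches the license text on disk."""
    rel_path, opts = parse_entry(entry)
    return license_md5(pkg_dir, rel_path, opts) == opts["md5"].lower()


def demo():
    """Constructed sample: the license header is lines 1-4 of a source file."""
    header = (b'/* md5hl.c\n * "THE BEER-WARE LICENSE" (Revision 42):\n'
              b' * (notice text)\n */\n')
    with tempfile.TemporaryDirectory() as pkg_dir:
        src = Path(pkg_dir, "md5hl.c")
        src.write_bytes(header + b"int main(void) { return 0; }\n")
        entry = ("file://md5hl.c;startline=1;endline=4;md5="
                 + hashlib.md5(header).hexdigest())
        intact = check_entry(pkg_dir, entry)
        # An upstream update changes the header wording: the check must fail.
        src.write_bytes(header.replace(b"BEER", b"BEAR") + b"int x;\n")
        return intact, check_entry(pkg_dir, entry)


if __name__ == "__main__":
    print(demo())
```

A mismatch after a package update means the license text changed and the `<PKG>_LICENSE` tag needs to be reviewed again.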

