Subject: Re: pkgsrc license issues (was: security/ssh vs distfiles/vulnerabilities)
To: David Maxwell <>
From: Greg A. Woods <>
List: tech-pkg
Date: 06/14/2001 01:37:35
[ On Thursday, June 14, 2001 at 10:00:56 (+0900), wrote: ]
> Subject: Re: security/ssh vs distfiles/vulnerabilities 
> >The comment in the Makefile seems to indicate that we're not allowed to
> >modify versions >1.2.28
> 	at some point in 2.x, there is a license change again, which is
> 	somewhat less restrictive.  IIRC, specifically excluded NetBSD
> 	(and some other free software operating system) from the definition of
> 	"commercial use".  i haven't checked 3.x yet.

None of the SSH.COM licenses conform to copyright law, at least not in
Canada.  So you can either take the lax view and assume that only their
definitions of "use" are flat-out wrong[1], and keep all their other
terms; or you can take the pessimistic view and assume that since their
license is fundamentally broken then it reverts to "all rights reserved"
and thus there can be no redistribution and the only legal copies are
those obtained directly from the owner.  However since they seem to
encourage free redistribution of at least unmodified copies I think the
"lax" view is probably more likely to be the correct interpretation.

In any case there's almost always, in all jurisdictions, an exception
granted for "fair use", and a patch has traditionally always been
considered to be "fair use".

So, in other words, pkgsrc is in a perfect position to enable users to
make use of any publicly available SSH.COM source code since pkgsrc
itself only makes fair use of the code (by providing patches), and the
end user is actually responsible for obtaining a legal copy of the
software (i.e. through the "make fetch" step of the process), and
creation of the derivative work is done in private ("make patch").

[1] copyright laws normally (i.e. for most types of works) only cover
redistribution, publication, presentation, etc.; not what you actually
use a legally licensed copy for.  As such copyright licenses use the
term "commercial use" in a vastly different context than the average
computer user might understand it to mean.  It would be a very far and
impractical stretch for anyone to try to argue that running their
software in such a way that any member of the public could connect to a
running instance of it via the public Internet is even remotely similar
to being a "presentation" or any form of publication.  I.e. no copyright
license can prevent you from running software in any shape or form, or
for any purpose whatsoever (unless perhaps it's self-reproducing
software!  ;-).  In other words the restriction preventing "commercial
use" in the SSH.COM's licenses can only prevent you from profiting from
redistribution of their code.  If they wanted to prevent you from
running it in such a way that it provides a commercial service then they
would have to enter with you into a legally binding contract that
included such terms.  If you do not commercially redistribute their code
then you cannot be held to any terms controlling how/when/where you
execute a legally obtained copy of their software.

Which reminds me.  This rather less than intelligent propagation of
random silly copyright license "types" in pkgsrc is bogus.  There are
only two primary concerns for pkgsrc, and very few subsidiary related
concerns:  1) Either a source distribution can be freely redistributed,
or it cannot.  2) Either a binary product (essentially a derivative
work) can be freely redistributed, or it cannot.  The only complications
come from supporting sources that are not freely available in the first
place, and the only tag necessary for them is just that they are "not
freely available" and must be (legally) obtained and manually placed in
the distfiles directory (and obviously neither they nor any derivative
works can be redistributed in any way).  That's it.  Period.  These
three binary variables are all that's needed.  Anything more can only
lead to confusion and inappropriate policy implementation.  Everything
else of concern to pkgsrc (both its users and those who publish it,
including third-party publishers since it is itself freely
redistributable) can be derived automatically from their state (eg.
whether or not the source and binary can be placed on an FTP site, or on
a CD-ROM, or both, etc.)  It would be nice if fetched copies of
non-redistributable sources and binary packages of those whose binaries
are not redistributable could automatically be made readable only by the
user doing the fetch/build.  That way third parties making their
distfiles and packages directories available to anonymous FTP wouldn't
have to manually fix their permissions....

(FYI, I am obviously not a lawyer, but I do have my well read copy of
the "Canadian Copyright Act and Regulations" sitting here beside me....)

							Greg A. Woods

+1 416 218-0098      VE3TCP      <>     <>
Planix, Inc. <>;   Secrets of the Weird <>