Subject: Re: pkgsrc license issues (was: security/ssh vs distfiles/vulnerabilities)
To: NetBSD Packages Technical Discussion List <tech-pkg@NetBSD.ORG>
From: Greg A. Woods <woods@weird.com>
List: tech-pkg
Date: 06/14/2001 13:55:55
[ On Thursday, June 14, 2001 at 03:22:12 (-0300), David Maxwell wrote: ]
> Subject: Re: pkgsrc license issues (was: security/ssh vs distfiles/vulnerabilities)
>
> IANAL also :-) it seems that ssh 2.4 would be "can't distribute sources,
> but can modify (patch), and use, on NetBSD, for commercial or
> non-commercial purposes." but "... for non-commercial use on the
> non-NetBSD platforms pkgsrc supports".
> 
> Unless anyone reads that license differently, I'll presume we can update
> pkgsrc to 2.4
> 
> http://www.ssh.com/products/ssh/ssh_license_agreement.html

I think pkgsrc should be updated to 2.4 A.S.A.P.  I've got a working
pkgsrc module if anyone wants a copy of it.....

SSH.COM's entire licensing scheme is completely bogus and unenforceable
in any sane legal jurisdiction.  The above linked document is written
like a contract yet w.r.t. the sources in ssh-2.4.0.tar it can only be a
copyright license since that software is freely and anonymously
available to anyone and everyone without any legally binding contract
being entered into (obviously -- that's the implication of "anonymous"!).

Given the number and variety of current mirror sites, I expect there's
no actual restriction on redistribution of original copies either (many
of the mirrors listed allow secondary mirroring from themselves, thus
all control over redistribution has implicitly been given up).  In other
words the original sources may be "freely redistributed" -- i.e.
redistributed so long as no profit is made from their distribution.
Note that this only applies to the current version and not necessarily
any future version, though they'll have to be sure to make it impossible
for mirror sites to pick up any new version before they'll be able to
enforce any change in their redistribution rights.

In other words the correct interpretation for NetBSD pkgsrc is simply:

	1. cannot redistribute sources for profit (e.g. on CD-ROM).

	2. cannot redistribute binaries (neither original nor modified).

PERIOD.  I.e. that's all that's of concern to NetBSD pkgsrc.  In other
words the distfile can be kept on ftp.netbsd.org, but binary packages
cannot; and neither form can be put on any CD-ROM that's sold for profit.

Third parties should also be aware that they:

	3. cannot redistribute modified (derivative) source versions
           (i.e. a pre-patched version cannot be redistributed).

The rest of the idiotic SSH.COM license is totally unenforceable in any
sane legal jurisdiction I'm aware of.  There's no need to mention the
word "commercial" in any way whatsoever.  The only "commercial purpose"
possible under copyright law *is* redistribution!  Since anyone can
anonymously fetch a legal copy, anyone can do with it as they please (just
so long as they don't make another copy of it available to anyone else).

Copyright licenses cannot prevent you from installing and running a
legally obtained copy of the software on a machine in any way shape or
form, or for any purpose whatsoever.  Copyright primarily only protects
an author (or otherwise licensed owner) from unauthorised publication
(i.e. redistribution).  Since the software is anonymously available it
is by implication "freely redistributable".

Obviously you can apply (anyone's) patches to your legally obtained copy
as well.  You can write silly comments in it too if you want.  There's
no need to ever mention the right to modify -- it's a guaranteed right
for all owners of legal copies (at least in any sane jurisdiction I'm
aware of).

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>     <woods@robohack.ca>
Planix, Inc. <woods@planix.com>;   Secrets of the Weird <woods@weird.com>