#992087 libfonts-java: contains a file with a non-free "disparaging to Sun" license

#992087#5
Date: 2021-08-11 12:25:45 UTC

Dear Maintainer,

The file patches/itext-1.5.2.patch incorporates a non-free license, stating

Sun Microsystems grants you ("Licensee") a non-exclusive, royalty free, license
to use, modify and redistribute this software in source and binary code form,
provided that i) this copyright notice and license appear on all copies of the
software; and ii) Licensee does not utilize the software in a manner which is
disparaging to Sun Microsystems.

This breaks at least DFSG-6, due to the "disparaging to Sun Microsystems"
clause.

Best regards,

#992087#10
Date: 2021-08-11 18:40:24 UTC

Hi Pierre,

A couple of comments:

1)  In that patch file, I see:

The non-DFSG phrase referring to "disparaging" is from SUN's samples
license (1).  License (2) (again, merely quoting that sun.txt file)
includes the problematic clause:

However, when I search the patch, the Java source files included don't
refer to either of those licenses explicitly.  The only file that does
include a copyright and license statement is DFSG-free, but I'm not sure
about the other files.

2) I'm wondering what such a clause would mean anyway now that "Sun
Microsystems" is defunct since 2010.  How would a licensee disparage a
non-existent entity?

My second question is more just wondering what happens...  I guess we
will have to figure out the files that are (presumably) licensed under
the problematic licenses.

Cheers,
tony

#992087#15
Date: 2021-08-11 20:27:27 UTC

Hi Tony,

Thanks for looking at this!

On 11/08/2021 at 20:40, tony mancill wrote:

I must say I submitted a batch of 6 bugs with this "disparaging to Sun"
clause and did not go that much into details for each package. Arguably
neither of those licenses is suitable for us... yet I just attempted a
build of libfonts-java while repacking to remove the patches/ directory,
and it succeeded. Of course this is not enough, but I think it might be
worth looking at it more carefully to check this directory can be safely
removed.

In any case, we will have to rely on a point release of Bullseye to fix
this in stable, so I guess we have a bit of time.

I also don't know, but who knows who holds the assets now?
Presumably the risk is low, but still...
I share your concerns.

Best regards,

#992087#22
Date: 2021-08-28 12:21:02 UTC

Hello,

After a deeper examination, I see the file with the non-free contents is
useless anyway; none of the files it attempts to patch exists. I think
this file got lost here as it obviously comes from itext, not libfonts.

I offer to team-upload the package soon.

Best,

#992087#29
Date: 2021-08-28 16:42:39 UTC

Hi Pierre,

Thank you for helping us clean up some of the cruft that has
accumulated in these packages.

Cheers,
tony

#992087#34
Date: 2021-08-30 12:33:28 UTC

We believe that the bug you reported is fixed in the latest version of
libfonts-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 992087@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Gruet <pgt@debian.org> (supplier of updated libfonts-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 30 Aug 2021 14:07:06 +0200
Source: libfonts-java
Architecture: source
Version: 1.1.6.dfsg2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Pierre Gruet <pgt@debian.org>
Closes: 687364 965639 992087
Changes:
 libfonts-java (1.1.6.dfsg2-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version 1.1.6.dfsg2, repacking without the non-free (and also
     useless) contents in the patches/ directory. (Closes: #992087)
   * d/watch with version 4, also adding opts for the repack
   * Depending on debhelper-compat 13, dropping compat 5 file (Closes: #965639)
   * Vcs- fields now point to Salsa
   * Standards version set to 4.6.0:
     - Using Machine-readable 1.0 copyright format for d/copyright
     - Rules-Requires-Root: no in d/control
   * Refreshing d/copyright
   * Now building with dh instead of cdbs
   * Aligning the list of (build-)dependencies, adding missing commas
   * Polishing suggests and recommends
   * Acknowledging source format 3.0 (quilt) is now used
   * Modifying d/rules to manually add some missing files in the jar
   * Correcting spelling errors in d/control with the patch of Clayton Casciato
     (Closes: #687364)
   * Adding a Lintian override for embedded javascript