On Mon, 26 Jul 2004 19:11:26 -0700, Russ Allbery wrote:
> MiguelGea <[EMAIL PROTECTED]> writes:
>
>> Hello debian-legal,
>> I'm thinking about packaging SRP for debian.
>
>> Question 1: I'm not sure if there is any problem with packaging it. What
>> do you think?
>
> Please note that SRP is patented; that's part of SRP's licensing that
> tends to make people nervous. The most current information that I have on
> the SRP patent is at:
>
> <http://availtech.stanford.edu/Scripts/otl.cgi/docket?docket=97-006>

Actually, I remember looking at SRP a while back; I noticed they had two different algorithms/releases/versions. I assume both are patented; however, one required royalties, the other was free for use. Grabbing srp-2.1.0-beta1.tar.gz and peeking at docs/LICENSE, I see the following that was left out of MiguelGea's initial post:

SRP is royalty-free worldwide for commercial and non-commercial use. The SRP library has been carefully written not to depend on any encumbered algorithms, and it is distributed under a standard BSD-style Open Source license which is shown below. This license covers implementations based on the SRP library as well as independent implementations based on RFC 2945.

The SRP distribution itself contains algorithms and code from various freeware packages; these parts fall under both the SRP Open Source license and the packages' own licenses. Care has been taken to ensure that these licenses are compatible with Open Source distribution, but it is the responsibility of the licensee to comply with the terms of these licenses. This disclaimer also applies to third-party libraries that may be linked into the distribution, since they may contain patented intellectual property. The file "Copyrights" contains a list of the copyrights incorporated by portions of the software.

Broader use of the SRP authentication technology, such as variants incorporating the use of an explicit server secret (SRP-Z), may require a license; please contact the Stanford Office of Technology Licensing (http://otl.stanford.edu/) for more information about terms and conditions.

Also, following your link, I see:

Licensing:
* Non-commercial or commercial use of SRP/SRP-3 in its implicit-server-authenticating form (e.g. RFC2945) is royalty-free, and you can download the license at http://otl.stanford.edu/pdf/97006.pdf. Use of SRP for explicit bidirectional authentication (e.g. SRP-Z for explicit server authentication) is specifically not included under the royalty-free license. Please contact Mary Watanabe for license terms.

I'm not sure how to interpret this; I'm not familiar enough w/ SRP-Z. Is this a different algorithm, such that the source would need to be significantly modified (such that SRP-Z is essentially a separate thing, covered by its own license; converting SRP-3 to SRP-Z is just as difficult as converting openssh to SRP-Z)? Is this merely a layer on top of SRP-3 (thereby restricting a derived work, and making it DFSG-incompatible)?