Draft question for SFLC:
Some members of the Debian project have some concerns about the PHP licence. These worries are dismissed by other members and by relevant upstreams. We would like some advice. We are concerned here with the PHP 3.01 Licences, which can be found here: http://php.net/license/3_01.txt There are two concerns (I and II, below), which need to be read with some context (III, below): I. Requirement to perhaps-falsely acknowledge: Paragraph 6 of the main licence text requires this notice: "This product includes PHP software, freely available from <http://www.php.net/software/>". This is probably unproblematic for PHP itself. However, most PHP addons are also distributed under the PHP licence. The worry is that putting that statement in the copyright information for a PHP addon package might be making a false statement, since (i) the package itself does not include PHP and (ii) the addon may not in fact be available via that URL. Counterarguments which may be relevant or have been put forward include: (a) A licensor who uses this licence obviously did not intend the licencees to make a false statement, and the requirement in the licence should be read down accordingly. (b) The word `product' does not refer to a specific package but the to the system as a whole, including PHP itself. (c) PHP addon packages (at least those whose upstream versions are available from www.php.net) should be regarded as `PHP software' for the purposes of this statement. (But what if the addon later ceases to be distributed from www.php.net, or was never so distributed?) We have the following questions: Q1. What is the best approach for Debian and its downstreams to take to comply with this licence ? Should we always include the statement as requested ? Q2. If the answer to Q1 is to always include the statement, does including this statement pose any ethical, legal or practical risk to anyone in the Free Software community ? Is it fair to say that the statement is or can be materially false or misleading ? Q3. Do the answers to these questions depend on whether the addon is currently, or was ever, distributed via http://www.php.net/software/ ? II. Inaccuracy of the disclaimer text: The warranty disclaimer text (in capitals after para 6 of the licence) says that `THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM' etc. The licence itself (para 1) requires this text to be included. When the PHP licence is used for software which is not provided by the PHP development team, the statement appears to be inaccurate. Q4. Does including this statement pose any ethical, legal or practical risk in the case where the software is _not_ in fact written or provided by the PHP Development Team ? Note that in Debian we do not normally worry whether warranty disclaimers are effective in protecting Debian contributors. So we are not interested in whether the warranty disclaimer does its job, only in whether it poses additional risks (beyond those which we would hypothetically face if it wasn't present at all) by virtue of it containing an apparently inaccurate statement. III. Restrictions on the name `PHP' Debian routinely modifies all the software that we distribute, and we expect our downstreams to further modify it. (Because we want the freedom to modify to be available not only to us, but also to all of those downstreams, we have a practice of refusing to submit our modifications for approval and declining to accept any Debian-specific permissions.) Paragraphs 3 and 4 can be read to mean that Debian should not be distributing its modified versions of PHP itself, and of PHP addons, under the name `PHP'. (Note that PHP is not a trademark - this restriction is applied through the copyright licence.) We have been informally assured by members of the PHP community that this is not the intent and that the PHP project does not want us to rename things. Similar situations often arise in relation to trademarks. Our usual approach in such cases has been to rely on the informal assurances, and not seek any kind of formal trademark licence amendment. However, we remain prepared to rename the software. If we receive a formal legal request or threat from a trademark holder, or we hear of our downstreams receiving such communications, we will rename the software to avoid any potential infringement of the trademark. For example, Mozilla insisted on prior written approval of patches, so our version of Firefox is called Iceweasel. Our reactive rather than proactive approach has served us and our downstreams very well. Q5. Does the fact that the PHP licence conditions about the use of the PHP name are contained in the actual copyright licence, rather than in a separate trademark licence, significantly increase the risks we would face if we had a disagreement with upstream about our modifications (or our failure to seek approval) ? IV. Context When answering these questions, please have regard to this context: Firstly, as we say above, we are concerned not just about the risk to contributors to and participants in Debian, but also about risks to our downstreams. Our downstreams include derivative distros, individual users, and also other contributors who may simply produce and distribute further-modified versions of some package(s). As a matter of principle, we don't want to expose our downstreams to risks we judge unacceptable for ourselves. Sadly we must consider in this context the fact that it does happen - thankfully rarely - that an upstream takes offence to something Debian does and attempts to revoke or renounce the licence or claim that the licence forbids our activities. It is important to us that we can still, under such conditions, continue to distribute the software (perhaps under a different name), since we may have come to rely on it. However, in general we do not concern ourselves with the risk that future upstream versions of a program will be insufficiently free. It is enough that we and our downstreams have the relevant freedoms in relation to the upstream versions we actually use. In extremis we deal with unfavourable upstream licence changes by forking from the last sufficiently free version. Thanks, Ian. -- Ian Jackson personal email: <ijack...@chiark.greenend.org.uk> These opinions are my own. http://www.chiark.greenend.org.uk/~ijackson/ PGP2 key 1024R/0x23f5addb, fingerprint 5906F687 BD03ACAD 0D8E602E FCF37657 -- To UNSUBSCRIBE, email to debian-legal-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/21471.31858.104698.720...@chiark.greenend.org.uk
