Use of Debian Linux as basis of commercially dsitributed appliance box

[Renner, Clemens]

Please include me in all replies, I have currently not subscribed to 
debian-legal.

Dear list,

in a request for help posted to the  list a couple of weeks 
ago, I basically asked: 

--- 8< ---
We like Debian and want to use it as the underlying OS for building an 
appliance box for our customers (one of the keywords seems to be "vertical 
market").
Do we need to take special care to comply with the Licenses involved in the 
standard Debian distribution, i.e. Kernel and "main" (as in "not contrib, 
non-free") packages?"
--- >8 ---

Key takeaway for us was the following (Wouter Verhelst and Steffen Möller 
provided good advice):
- Avoid non-free packages
- Ensure that users can access the sources of all involved packages (obtained 
e.g. via "apt-get -d source ")

Is there anything that you guys from debian-legal would add to that?
Your help is greatly appreciated! Thank you!


(Apologies for the lengthy e-mail signature, my employer requires me to include 
it in every e-mail.)
(Apologies if this question has been asked and answered before. I did not find 
anything via the list search at https://lists.debian.org/search.html)


Mit freundlichen Grüßen / Kind regards
 
Clemens Renner
System Architect
Dairy Health and Farm Management
BU Dairy & Farm Equipment
 
GEA Farm Technologies GmbH
GEA Farm Technologies
Tel. +49 2383 937-298, Fax +49 2383 938-298
clemens.ren...@gea.com
www.gea.com
We live our values.
Excellence . Passion . Integrity . Responsibility . GEA-versity
GEA Farm Technologies GmbH, Siemensstraße 25-27, 59199 Boenen, Germany
Sitz der Gesellschaft/Registered office: Boenen, Registergericht/Court of 
Registration: Hamm, HRB 5363
Geschäftsführung/Management Board: Dr. Ulrich Huellmann; Markus Kreft
Aufsichtsratsvorsitzender/Chairman Supervisory Board: Dr. Stephan Petri
 
Vertraulichkeitshinweis
Diese E-Mail und etwaige Anlagen können vertrauliche sowie der beruflichen 
Schweigepflicht unterliegende Informationen enthalten. Sollten Sie diese E-Mail 
irrtümlich erhalten haben, benachrichtigen Sie uns bitte durch eine 
Antwort-Mail und löschen Sie diese E-Mail nebst Anlagen von Ihrem System. 
Vielen Dank!
Confidentiality note
This e-mail, including any attachment, may contain confidential and privileged 
information. If you have received it by mistake, please notify us by reply 
e-mail and then delete this e-mail and any attachment from your system. Thank 
you!


--
To UNSUBSCRIBE, email to debian-legal-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/d9980d6adb62bd4e830067ea90803e19aec92...@sv42080oel6022.emea.corp.geaag.com

Re: Use of Debian Linux as basis of commercially dsitributed appliance box

[Ian Jackson]

Renner, Clemens writes ("Use of Debian Linux as basis of commercially 
dsitributed appliance box"):
> --- 8< ---
> We like Debian and want to use it as the underlying OS for building an 
> appliance box for our customers (one of the keywords seems to be "vertical 
> market").
> Do we need to take special care to comply with the Licenses involved in the 
> standard Debian distribution, i.e. Kernel and "main" (as in "not contrib, 
> non-free") packages?"
> --- >8 ---

There are a number of other concerns which might be relevant.  Here is
a non-exhaustive list:


You should make sure that you are able to know exactly which source
code was used to make any specific binary, and identify that for the
users, so that the users are able to download the actual corresponding
source code for the binaries in the applicance.

You need to include your image build systems in the source code.

The above two principles mean that your builds should be automated and
reproducible, not some kind of ad-hoc thing thrown together from the
command line by your `build person'.

You should NOT take any measures to stop users from running modified
versions of the software on these applicances.  For example,
cryptographic signatures checked by the bootloader which prevent the
user from installing their own version.

You need to permit users to reverse-engineer the system.


If any of the above are problems for you, then you will need to avoid
some or all of the software in Debian; we don't check the licence for
suitability for activities which don't conform to these (and various
other) principles.

Also the exact scope of the applicability of these principles may
depend on the particular licence of the package; some or all of the
free software principles may apply to even some or all non-free parts
of your system.

I think you should perhaps consult some laywers.  I'm sure the
Software Freedom Law Centre will be able to recommend someone.

Note that contributors to Debian (which includes me, and the others
who have replied) do not intend to take responsibility for your use of
the software; we check the licences for our own purposes and to serve
our own principles.  If your business it at stake we won't be held
legally responsible for any mistakes or misunderstandings.

Regards,
Ian.


-- 
To UNSUBSCRIBE, email to debian-legal-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/21462.34211.980669.106...@chiark.greenend.org.uk

Fwd: packages in new

[Brian May]

Hello,

I am trying to get a LDAP python package included in Debian, however
ftpmaster have queried the license on schema files that was copied from the
Openldap Debian package.

Unfortunately they are not responding to my emails, which makes it so much
harder to resolve the issue, or even know if there is still an issue. It is
possible that they were happy with my explanation, and haven't got around
to saying so. I asked if I should raise the issue on debian-legal and got
no response.

Is the license ok? Or is the Openldap package in Debian bad?

The problem appears to be with the source package, so just removing the
files from the binary would be insufficient, and they are used for tests. I
would rather not have to repackage the source just for Debian, and even
then I would end up using the same files from the openldap package - which
unfortunately are conffiles so could have local changes.

Please Cc responses to me, I am not subscribed.

Upstream code (including latest debian/ directory)

https://pypi.python.org/pypi/python-tldap/0.3.4
https://github.com/Karaage-Cluster/python-tldap

debian/copyright file from python-tldap contains:

=== cut ===
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: python-tldap
Upstream-Contact: Brian May 
Source: https://github.com/Karaage-Cluster/python-tldap

Files: *
Copyright: 2010-2014, Brian May 
License: LGPL-3+

Files: debian/*
Copyright: 2010-2014, Brian May 
License: LGPL-3+

Files: tldap/test/ldap_schemas/*
Copyright: 1998-2007 The OpenLDAP Foundation
License: Schema

License: LGPL-3+
 python-tldap is free software: you can redistribute it and/or modify
 it under the terms of the GNU Lesser General Public License as published
 by the Free Software Foundation, either version 3 of the License, or
 (at your option) any later version.
 .
 python-tldap is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU Lesser General Public License for more details.
 .
 You should have received a copy of the GNU Lesser General Public License
 along with python-tldap in the COPYING and COPYING.LESSER files.
 If not, see .
 .
 On Debian systems, the full text of the GNU General Public
 License version 3 can be found in the file
 `/usr/share/common-licenses/LGPL-3'.

License: Schema
 The version of this file as distributed by the OpenLDAP Foundation
 contains text claiming copyright by the Internet Society and including
 the IETF RFC license, which does not meet Debian's Free Software
 Guidelines.  However, apart from short and obvious comments, the text of
 this file is purely a functional interface specification, which is not
 subject to that license and is not copyrightable under US law.
=== cut ===

-- Forwarded message --
From: Brian May 
Date: 22 July 2014 09:34
Subject: Re: packages in new
To: Thorsten Alteholz 
Cc: ftpmas...@debian.org


On 21 July 2014 22:55, Thorsten Alteholz  wrote:

> On Mon, 21 Jul 2014, Brian May wrote:
>
>> Just wondering if there are any problems with my 2 packages that appear to
>> be stuck in NEW?
>>
>
> I am not sure whether I can follow the argumentation about the
> schema-files in python-tldap. Do you mind removing them from the source
> package?


The files are required for the tests to work. We can;'t setup a test LDAP
server without the schemas to do it.

They have been copied from the openldap package, so if it is a problem
here, it will also be a problem in the openldap package too.

Have considered using the files directly from the openldap package,
however, there are two issues (1) would that make it Debian specific,  and
(2) they live under /etc as conffiles, so there is no guarantee that they
haven't been modified for local requirements.

Did you want me to raise this issue on debian-legal?


e.g. /etc/ldap/schema/core.ldif has at the top the following text. I
assumed that the "Copyright 1998-2007 The OpenLDAP Foundation" claim is not
valid, so I left it out. Including the non-free RFC license generated a
Lintian error, so I left it out too.


# OpenLDAP Core schema
# $OpenLDAP: pkg/ldap/servers/slapd/schema/core.ldif,v 1.1.2.5 2007/01/02
21:44:09 kurt Exp $
## This work is part of OpenLDAP Software .
##
## Copyright 1998-2007 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## .
#

# The version of this file as distributed by the OpenLDAP Foundation
# contains text claiming copyright by the Internet Society and including
# the IETF RFC license, which does not meet Debian's Fre