Ludovic Rousseau sent a mail to me, and the debian-legal list about
license problems with OpenSC. It seems there are header files that are
not licensed under the LGPL and are licensed under some RSA
license. The thread is here:
seems to be conflict between the LGPL and this RSA license (please see
the thread). Do you guys have any thoughts on this? Is it possible to
-----BEGIN GEEK CODE BLOCK-----
GCS d- s++: a-- C+++ UL+++ P++ L++ E++ W++ N+ o K- w+
O? M++ V-- PS+ PE Y+ PGP++ t++ 5++ X+ R tv++ b+++ DI+ D+
G e h! r- y+
------END GEEK CODE BLOCK------
Hello, please Cc: me on replies,
The opensc package includes rsaref headers  from RSA. The RSA disclaimer has
added in a new upstream version  and should be included in a next Debian
The RSA disclaimer is :
" Regarding the header / include files:
License to copy and use this software is granted provided that it is
identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
(Cryptoki)" in all material mentioning or referencing this software or this
License is also granted to make and use derivative works provided that such
works are identified as "derived from the RSA Security Inc. PKCS #11
Cryptographic Token Interface (Cryptoki)" in all material mentioning or
referencing the derived work.
This software is provided �AS IS� and RSA Security, Inc. disclaims all
warranties including but not limited to the implied warranty of
merchantability, fitness for a particular purpose, and noninfringement. "
I found a reference to a similar licence in  about the md5 implementation
from RSA. But I did not find an explanation about if or why it was non-free.
- is this licence DFSG compliant? I would say yes but the (re)distribution right
is not explicitely given.
- is this licence GPL compatible? I would say no since it has the same problem
than the original BSD licence .
first: don't worry about applications like gpgsm that might
link with opensc - to be exact: libopensc1. those are not
affected, since the header is only used for opensc-pkcs11.so,
and any application using the pkcs#11 interface already
has the same license used on it's side of the interface.
second: good news! mozilla has those header files under
lgpl/mpl/gpl! bad news! they have an additional clause:
* Copyright (C) 1994-1999 RSA Security Inc. Licence to copy this document
* is granted provided that it is identified as "RSA Security In.c Public-Key
* Cryptography Standards (PKCS)" in all material mentioning or referencing
* this document.
I mailed debian-legal about that, too, so we can wait
what the experts think of it.
I'm not sure if switching the header files will do any good, since
the one clause that causes problems is in both versions. also the mozilla
version seems to be older (v2.0 or v2.11 with some v2.20 api definitions,
versus current real v2.20 header files).