Opened 4 years ago

Closed 4 years ago

#8650 closed defect (fixed)

potential license issues for the PT bundles

Reported by: weasel
Owned by: erinn
Priority: Immediate
Milestone:
Component: Applications/Tor bundles/installation
Version:
Severity:
Keywords: flashproxy
Cc: dcf@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

[I'm unsure if this is in the right component - if not, maybe flashproxy might be more appropriate?]

I have looked at https://gitweb.torproject.org/flashproxy.git/blob/HEAD:/doc/bundle-gnulinux.txt and if this is the procedure we use to build the PT bundles then we might be in violation of several licenses and/or infringe several people's copyrights.

Copying things out of /usr and shipping it is something that needs to be done very carefully. Please investigate the licensing details and in particular redistribution requirements for all the things that you lift out of the installed system.

Attachments (1)

0001-Add-license-for-zope.interface-to-LICENSE.patch (3.4 KB) - added by dcf 4 years ago.

Change History (9)

comment:1 Changed 4 years ago by dcf

Cc: dcf@… added
Keywords: flashproxy added

Thank you for taking the time to look over the build instructions.

As for the dependencies of flash proxy, I have tried to document their licenses in
https://gitweb.torproject.org/flashproxy.git/blob/HEAD:/LICENSE,
which gets copied into the bundles. I'm not an expert but I have tried my best to make sure we are in compliance with the license. If any dependencies are missing, it's a mistake I will fix.

As for the dependencies of obfsproxy, I don't know that their licenses are being copied. Apart from those shared with flash proxy, I think they are

  • pycrypto
  • twisted
  • zope
  • argparse
  • pyptlib

Basically the same dependencies are included on all platforms, except for Mac, which I think excludes twisted and zope because they are installed on the system by default. The difference is that on Windows and Mac, we build or install those dependencies manually because we can't easily apt-get them. In the case of Windows, the copying of the libraries is done implicitly by py2exe.

comment:2 in reply to: 1 Changed 4 years ago by asn

Replying to dcf:

> Thank you for taking the time to look over the build instructions.
>
> As for the dependencies of flash proxy, I have tried to document their licenses in
> https://gitweb.torproject.org/flashproxy.git/blob/HEAD:/LICENSE,
> which gets copied into the bundles. I'm not an expert but I have tried my best to make sure we are in compliance with the license. If any dependencies are missing, it's a mistake I will fix.
>
> As for the dependencies of obfsproxy, I don't know that their licenses are being copied. Apart from those shared with flash proxy, I think they are
>
>   • pycrypto
>   • twisted
>   • zope
>   • argparse
>   • pyptlib
>
> Basically the same dependencies are included on all platforms, except for Mac, which I think excludes twisted and zope because they are installed on the system by default. The difference is that on Windows and Mac, we build or install those dependencies manually because we can't easily apt-get them. In the case of Windows, the copying of the libraries is done implicitly by py2exe.

OK, I'll start looking at the licenses of the dependencies of pyobfsproxy. BTW, do I really need to look at the license of zope? It's Twisted's dependency, not pyobfsproxy's.

comment:3 in reply to: 2 Changed 4 years ago by dcf

Replying to asn:

> OK, I'll start looking at the licenses of the dependencies of pyobfsproxy. BTW, do I really need to look at the license of zope? It's Twisted's dependency, not pyobfsproxy's.

I think yes, just because it's software we are redistributing.

Really I think all we use is zope.interface, if that helps. Here is the Debian-extracted license: http://packages.debian.org/changelogs/pool/main/z/zope.interface/zope.interface_3.5.3-1/python-zope.interface.copyright.

What we should really do, is have a repository for these bundle-related files. Right now flashproxy/doc is serving as a de-facto home for them. If you want, I can put your license files there until we find a better home for everything.

comment:5 Changed 4 years ago by dcf

Status: new → needs_review

Thanks George. I think the license for zope is still missing. We have to include the licenses of all the software we redistribute in the bundles.

Now really, these licenses of dependencies don't belong in obfsproxy's LICENSE (nor in flash proxy's LICENSE), because they are for the bundle and not the transports per se. And really, the licenses (along with the bundle building instructions) should be in their own separate `/pluggable-transports' repo.

But does distributing these files satisfy our obligations under the licenses?

comment:6 Changed 4 years ago by dcf

Here is a patch to add the zope.interface license. Can you add it? I want to include this in new bundles.

comment:7 Changed 4 years ago by asn

pushed. thank you.

comment:8 Changed 4 years ago by dcf

Resolution: fixed
Status: needs_review → closed

I think it's fixed; please reopen if not.
