Subject: Report on ssh 1.2.12 licencing
From: Rick Moen <rick@linuxmafia.com>
Date: Sun, 3 Oct 1999 22:45:29 -0700

(In hopes that this will prove useful:)

I just examined the ssh 1.2.12 source code's licencing, in light
of the OpenBSD Project's recent actions (and claims of it being
a free-software version).  The overall licence for Tatu Ylonen's
original 1.2.12 (as distinct from OpenBSD's derived ossh code, detailed
below) indeed seems to be DFSG-free -- and that licence did indeed
become non-free as of Feb. 1996, per the v. 1.2.13 Changelog.

As expected, Ylonen's 1.2.12 package contains patent-encumbered
IDEA and RSA implementations.

In addition to Ylonen's own code under his (then-) free licence, 1.2.12
contains a number of modules licenced by the FSF under GPL v. 2; some
from the U.C. Regents under the BSD licence; some that are public
domain; some licenced by Tero Kivinen under GPL v. 2; some by Eric
Young, by Gary S. Brown, and by Jean-loup Gailly & Mark Adler under
various broad free-usage licences; and some by Eric Young under either
GPL v. 2 or the Perl Artistic Licence, at your option.

Last, there is one restrictively licenced module: a TSS encryption
algorithm implementation (tss.c, tss.h) by Timo Rinne <tri@iki.fi> and
Cirion Oy.  Its licence follows:

  /*  -*- c -*-
   *
   * ----------------------------------------------------------------------
   * TRI's Simple Stream encryption system implementation
   * ----------------------------------------------------------------------
   * Created      : Fri Apr 14 14:20:00 1995 tri
   * Last modified: Wed Jul 12 21:58:55 1995 ylo
   * ----------------------------------------------------------------------
   * Copyright (c) 1995
   * Timo J. Rinne <tri@iki.fi> and Cirion oy.
   *
   * Address: Cirion oy, PO-BOX 250, 00121 HELSINKI, Finland
   *
   * Even though this code is copyrighted property of the author, it can
   * still be used for non-commercial purposes under following conditions:
   *
   *     1) This copyright notice is not removed.
   *     2) Source code follows any distribution of the software
   *        if possible.
   *     3) Copyright notice above is found in the documentation
   *        of the distributed software.
   *
   * For possibility to use this source code for commercial product,
   * please contact address above.
   *
   * Any express or implied warranties are disclaimed.  In no event
   * shall the author be liable for any damages caused (directly or
   * otherwise) by the use of this software.
   *
   * Permission granted to Mr. Tatu Ylonen <ylo@cs.hut.fi> to include this
   * code into SSH (Secure Shell).  Permission is granted to anyone to
   * use and distribute this code for any purpose as part of that product.
   * ----------------------------------------------------------------------
   */

I have no idea how crucial the TSS module is, or how difficult to
replace (note below that OpenBSD jettisoned it), but that and the two
patented algorithms strike me as the only things standing between 1.2.12
and DFSG-free status.


The OpenBSD Project dealt with those problems and other matters in a
very systematic way (quoting their source documentation):

  [ RSA is no longer included. ]
  [ IDEA is no longer included. ]
  [ DES is now external. ]
  [ GMP is now external. No more GNU licence. ]
  [ Zlib is now external. ]
  [ The make-ssh-known-hosts script is no longer included. ]
  [ TSS has been removed. ]
  [ MD5 is now external. ]
  [ RC4 support has been removed. ]

[...]

  There is a mailing list for ossh.  It is ossh@sics.se.  If you would
  like to join, send a message to majordomo@sics.se with "subscribe
  ssh" in body.

I doubt the ossh codebase itself would be useful to other *ix
developers, as it's probably being rapidly rendered less portable,
but it seems like a more broad-based free-software fork would also
be feasible.

I've extracted the licence paragraphs from all modules in 1.2.12.
If anyone needs to see them, ask and I'll e-mail them directly to
you.

-- 
Cheers,                   The cynics among us might say:   "We laugh, 
Rick Moen                 monkeyboys -- Linux IS the mainstream UNIX now!
rick (at) linuxmafia.com  MuaHaHaHa!" but that would be rude. -- Jim Dennis