License Issue about Distributing NVIDIA's cuDNN library via Debian

Paul Wise pabs at debian.org
Thu May 25 02:51:30 UTC 2017 

On Wed, May 24, 2017 at 2:42 PM, lumin wrote:

> Hi Debian Legal Team,

debian-legal are not Debian's legal advisors, just a bunch of people
subscribed to a mailing list.

> I intend to package[1] a proprietary deep learning
> library named "cuDNN"[2], which is definitely useful
> to deep learning researchers.

Personally I would like to see the amount of proprietary nVidia stuff
in Debian reduced, not increased. I would suggest focussing your
efforts on OpenCL/Vulkan based and open source deep learning libraries
instead of proprietary stuff that only acts as lock-in for other
proprietary nVidia technologies (CUDA).

> @lyeager kindly provided some help[3] on this but I'm
> not really good at these legal terms.
>
> Generally, to download the cudnn library, one needs
> to fist register or login at nvidia's website. Next,
> the user is required to click "I agree ..."[4] to continue.
> Now the secured library download link is exposed to the user.[5]

The license you linked to both allows and disallows redistribution,
seems like it needs a rewrite to be less bizarre. The allowance of
distribution is time-limited. Personally I would not be comfortable
distributing this and I do not think that Debian should do so either.

> Initially I don't think such a well-protected proprietary
> can be distributed by Debian, untill I find this package
> in Archlinux's community repo[6].

They may be relying on the clauses allowing time-limited
redistribution, or they may have simply not read the EULA.

> I don't know how the Arch guys achieved this but in their
> PKGBUILD file (arch packaging script) there is a anonymously
> downloadable link to the cudnn library[7]. What is notable
> is the "redist" keyword in the URL. I can't find this "redist"
> URL in nvidia's website.

Probably nVidia need to remove this redist directory from their
website, since it is supposed to be only distributed behind a
click-wrap license.

> What makes me more confused is nvidia legal guy's word conveyed
> by @lyeager [8]. Once a package is uploaded to the Archive, isn't
> the distributor (legally) the Debian Organization? It's so weird
> for an individual to take the role of distributor for a package
> in Archive and I think it's impossible.

There is a long chain of many distributors: firstly you distribute it
to mentors.d.n, then mentors.d.n distributes it to your sponsor, then
your sponsor distributes it to Debian ftpmasters, then Debian
ftpmasters distribute it to Debian mirrors and CD vendors, then Debian
mirrors and CD vendors distribute it to Debian users, then Debian
derivatives (Ubuntu etc) distribute it to their mirrors and users.
Every one of those is potentially liable if they have been found to do
something illegal.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

More information about the pkg-nvidia-devel mailing list