Starting work on the shibboleth-sp2 packages

Russ Allbery rra at debian.org
Tue Jun 24 21:58:48 UTC 2008 

"Scott Cantor" <cantor.2 at osu.edu> writes:

> So, off the top of my head, before I get a final answer, I can say that
> I *think* the reason the schemas aren't separately copyrighted is that
> the normative specs (the ODT/PDF files) actually have the schemas inside
> them, it's just broken up into sections.
>
> One of the long-standing SAML rules has been that the specs win. If the
> schema file is out of sync, it loses. So given that, I think the
> presumption you can operate from is that the copyright on the specs
> applies to the schema files, even though it doesn't appear on them. Not
> saying that holds "legally", but in terms of what the TC's intent has
> been, I believe that's the reason for the difference.
>
> I'll find out for sure, but I think you can operate from that assumption
> for the moment.

The concern that I have is that the implications of that assumption may be
that Shibboleth cannot be included in Debian and we'll need to remove the
existing packages from Debian.  :/  If Shibboleth relies on something that
is covered by a license that doesn't meet the DFSG, we have to remove it
from the distribution.  I'm not sure if backports.org will be willing to
take packages either in that case.

Shibboleth itself could still be included in the separate contrib
repository, which is what I'd do at that point, but that loses a lot of
project resources unfortunately (autobuilds for other platforms, for
example).  The package that actually contains the schemas would have to
move to non-free, in this hypothetical case.

I'm certainly not about to do this unless it has to be done, of course,
and I think it would be a frankly rather silly outcome on several fronts.
I'm really hoping to avoid having to even think about it, and 
I'd certainly seek the advice of debian-legal before doing that.

I think it's basically the worst case scenario for everyone, Debian most
certainly included (and probably primarily).  So I'll try to avoid that if
at all possible.  I just wanted to be clear up-front on why I'm concerned
and why I'm pursuing this.

I'm fairly sure that OASIS doesn't really want to put a non-DFSG license
on the schema even if they think that they do, and I'd try to convince
them not to if at all possible if they believe that's what they're
currently doing and intend to do that.  It doesn't really gain them
anything that I can see.  That W3C doesn't is hopefully a helpful argument
on that front.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>

More information about the Pkg-shibboleth-devel mailing list