Bug#896806: systemd-resolved violates The Debian Free Software Guidelines

Martin Hanson greencoppermine at yandex.com
Tue Apr 24 11:44:04 BST 2018


Package: systemd
Version: 232-25

systemd-resolved violates the Debian Free Software Guidelines because the Google DNS servers are hardcoded into the source code of the application.
 
Line 894 in: https://github.com/systemd/systemd/blob/e16cb2e4efaba83f47da8355adc65fd83bbe8327/configure.ac
 
The first violation is the "Distribution of License" which states: "The rights attached to the program must apply to all to whom the program is redistributed without the need for execution of an additional license by those parties."
 
This is violated as Google demands the acceptance of their proprietary license, Google Terms of Service, which is an additional license: https://policies.google.com/terms
 
The second violation is the "License Must Not Contaminate Other Software" part, which states: "The license must not place restrictions on other software that is distributed along with the licensed software." This is also violated due to the need to accept the Google Terms of Service.
 
When the resolved application is run without a configuration overwriting the default and it defaults to the hardcoded DNS fallbacks, the user MUST accept the Google Terms of Service, as is required by Google.
 
The hardcoded Google DNS fallback servers kick in when:

1. You do not have DNS set up via DHCP
2. You do not have DNS set up via /etc/resolv.conf
3. You are using systemd-resolved for internal DNS resolution
4. You have not configured systemd-resolved with a different policy for when no discoverable DNS is available and /etc/resolv.conf contains nothing or invalid entries.

Unless all four conditions are true, the default Google DNS servers are not used.

However, there is a GREAT risk of a compromise of user privacy rights if the application has a bug that results in the hardcoded values taking preference even though one of the four conditions is met! This is not something easily detected, and it poses a great risk to people such as journalists and others who might be using a VPN connection. Also, the default hardcoded settings could result in a DNS leakage if configured wrongly by mistake.

Debian has no associations or partnership with the American company Google. Running with Google DNS servers hardcoded into the Debian code is deeply problematic, as the company is not only known for violating people's privacy, but also because NSA has infiltrated Google's data centers, as revealed by the Snowden documents: https://www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html

Debian must not associate itself with a proprietary company like Google this way as it clearly violates the Debian license.
 
If hardcoded defaults really are needed by Debian, which shouldn't be the case as this is mostly only relevant for embedded systems without configuration files, then we need an alternative to a proprietary American company. Preferably Debian running its own DNS servers!
 
I recommend that systemd-resolved gets patched so that the hardcoded DNS servers from Google are removed. If seriously needed, an alternative truly "free" solution must be used instead.
 
An alternative solution is to remove systemd-resolved from the main system and move it into the non-free section.
 
Kind regards
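
An added example, not part of the original report and not systemd's own code: a small Python audit that applies the four conditions listed in the report to the text of resolved.conf and resolv.conf, and reports whether the compiled-in fallback list could come into play. It assumes the documented `DNS=` and `FallbackDNS=` keys in the `[Resolve]` section, treats an empty `FallbackDNS=` as clearing the list, and takes per-link (DHCP) servers as a caller-supplied argument; the function names and sample inputs are constructed.

```python
import ipaddress

def parse_resolved_conf(text):
    """Collect DNS= and FallbackDNS= from [Resolve]; None = key never set."""
    found = {"DNS": None, "FallbackDNS": None}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if section != "Resolve" or not sep or key not in found:
            continue
        servers = value.split()
        # Assumption: an empty assignment clears the list, others append.
        found[key] = (found[key] or []) + servers if servers else []
    return found

def valid_nameservers(resolv_conf_text):
    """Return nameserver entries that parse as IP addresses (condition 2)."""
    good = []
    for line in resolv_conf_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                ipaddress.ip_address(fields[1].split("%")[0])  # drop zone id
                good.append(fields[1])
            except ValueError:
                pass  # invalid entry, treated as if absent
    return good

def fallback_exposure(resolved_conf, resolv_conf, link_dns=()):
    """Classify which fallback list, if any, resolved could end up using."""
    conf = parse_resolved_conf(resolved_conf)
    if link_dns or conf["DNS"] or valid_nameservers(resolv_conf):
        return "not-used"      # some other DNS source is known
    if conf["FallbackDNS"] is None:
        return "compiled-in"   # build-time default list applies
    return "configured" if conf["FallbackDNS"] else "cleared"

# Constructed sample: stock file with everything commented out, broken resolv.conf
SAMPLE_RESOLVED = "[Resolve]\n#DNS=\n#FallbackDNS=\n"
SAMPLE_RESOLV = "# generated\nnameserver not-an-address\n"

if __name__ == "__main__":
    print(fallback_exposure(SAMPLE_RESOLVED, SAMPLE_RESOLV))
```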



More information about the Pkg-systemd-maintainers mailing list