Bug#1036751: RFS: mini-httpd/1.30-4 [ITA] -- Small HTTP server

On 2023-07-02 16:43, Alexandru Mihail wrote:
> mini-httpd contains early portions of code commited by Rob
> McCool which seem to originate from NCSA httpd.

Just htpasswd.c (which is what I get when searching for Rob McCool), or
something else?

> How do we proceed to clarify this situation?

Figure out (from the history of the code, etc.) if that license applies.

Looking into this a bit, I found this repository (which I am _assuming_,
but have not verified, is a faithful import of NCSA httpd):
https://github.com/TooDumbForAName/ncsa-httpd/

I definitely see some code from mini-httpd's htpasswd.c in
cgi-src/util.c in the HEAD of that repository above.

Looking at git blame on that, it came from auth/htpasswd.c in httpd 1.1:
https://github.com/TooDumbForAName/ncsa-httpd/commit/9572b626b7f10ab57e4715b3f3ff41b3f0696684#diff-7c5a48b0225b3fd1048000f4dfe2c4d9f56faa29f74876ff724384244d6d099d

So that seems to be the original source of the code in question.

In that same version, the top-level README says:

----
This code is in the public domain. Specifically, we give to the public
domain all rights for future licensing of the source code, all resale
rights, and all publishing rights.

We ask, but do not require, that the following message be included in
all derived works:

Portions developed at the National Center for Supercomputing
Applications at the University of Illinois at Urbana-Champaign.

THE UNIVERSITY OF ILLINOIS GIVES NO WARRANTY, EXPRESSED OR IMPLIED,
FOR THE SOFTWARE AND/OR DOCUMENTATION PROVIDED, INCLUDING, WITHOUT
LIMITATION, WARRANTY OF MERCHANTABILITY AND WARRANTY OF FITNESS FOR A
PARTICULAR PURPOSE.
----

--
Richard

Best,

Alexandru

On Mon, Jun 26, 2023 at 16:41, Alexandru Mihail <alexandru_mihail@protonmail.ch> wrote:

Hello,
Posting the debian-legal original post link here for easy reference:
https://lists.debian.org/debian-legal/2023/06/msg00019.html

Best,
Alexandru

------- Original Message -------
On Thursday, June 22nd, 2023 at 4:46 PM, Alexandru Mihail <alexandru_mihail@protonmail.ch> wrote:

> Hello Nicholas,
> Hehe, thanks a lot :D
>
> > Wow, you are good at this! :D
>
> I mailed debian-legal and am waiting for a reply.
> Cheers,
> Alex
>
> ------- Original Message -------
> On Wednesday, June 21st, 2023 at 9:52 PM, Nicholas D Steeves nsteeves@gmail.com wrote:
>
>
>
> > Hi Alexandru,
> >
> > Thanks for the ping. I had forgotten that I had a WIP draft.
> >
> > Alexandru Mihail alexandru_mihail@protonmail.ch writes:
> >
> > > > > remember the original NCSA httpd licence. P.S. It feels like
> > > > > archaeology to find missing documentation for something from the > > dawn of
> > >
> > > Eureka !
> > > I present the original NCSA httpd license in its purest form after some software archeology:
> > > https://web.archive.org/web/20060830015540/http://hoohoo.ncsa.uiuc.edu/docs-1.5/Copyright.html
> >
> > Wow, you are good at this! :D
> >
> > > (NCSA HTTPd Development Team / httpd@ncsa.uiuc.edu / Last Modified 08-01-95)
> > > ====================== LICENSE START ===========================
> > > NCSA HTTPd Server
> > > Software Development Group
> > > National Center for Supercomputing Applications
> > > University of Illinois at Urbana-Champaign
> > > 605 E. Springfield, Champaign IL 61820
> > > httpd@ncsa.uiuc.edu
> > >
> > > Copyright (C) 1995, Board of Trustees of the University of Illinois
> > >
> > > NCSA HTTPd software, both binary and source (hereafter, Software) is copyrighted by The Board of Trustees of the University of Illinois (UI), and ownership remains with the UI.
> > >
> > > The UI grants you (hereafter, Licensee) a license to use the Software
> > > for academic, research and internal business purposes only, without a
> > > fee.
> >
> > Hmm, the above grant looks like it may not be DFSG compatible. Do you
> > see how?
> >
> > https://www.debian.org/social_contract#guidelines
> > or https://wiki.debian.org/DebianFreeSoftwareGuidelines
> > or with a story
> > https://en.wikipedia.org/wiki/Debian_Free_Software_Guidelines
> >
> > > Licensee may distribute the binary and source code (if released) to third parties provided that the copyright notice and this statement appears on all copies and that no charge is associated with such copies.
> >
> > If Rob McCool didn't ever relicense the part of NCSA HTTPd that is part
> > of mini-httpd, then it looks like we might need to provide this notice,
> > and upstream mini-httpd should have been doing so.
> >
> > > Licensee may make derivative works. However, if Licensee distributes any derivative work based on or derived from the Software, then Licensee will (1) notify NCSA regarding its distributing of the derivative work, and (2) clearly notify users that such derivative work is a modified version and not the original NCSA HTTPd Server software distributed by the UI by including a statement such as the following:
> > >
> > > "Portions developed at the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign."
> >
> > Is this DFSG compatible?
> >
> > > Any Licensee wishing to make commercial use of the Software should contact the UI, c/o NCSA, to negotiate an appropriate license for such commercial use. Commercial use includes (1) integration of all or part of the source code into a product for sale or license by or on behalf of Licensee to third parties, or (2) distribution of the binary code or source code to third parties that need it to utilize a commercial product sold or licensed by or on behalf of Licensee.
> >
> > And is this DFSG compatible?
> >
> > > Any commercial company wishing to use the software as their commercial World Wide Web server and are not redistributing the software need not commercially license the software but can use it free of charge.
> >
> > and this? Note the clause "and are not redistributing the software".
> > So you can't sell copies of this software?
> >
> > > Should we include a mention of this under debian/copyright stating
> > > something along the lines of 'parts of mini_httpd.c under NCSA HTTPD
> > > and include a copy of the license somewhere?
> >
> > Most likely, yes, but the bigger issue is if this license is not
> > DFSG-compatible.
> >
> > > As far as I could dig, this is the license which should be attributed in our case. This is the 1.15 htttpd license, and with 99.9999% certainty, this was the chunk of code still found in mini_httpd.c. The logic is, NCSA httpd had, historically, two licenses (chronologically): one open and one proprietary. mini_httpd is a fork of the open one, that we can be sure of. I think there is little reason to involve debian-legal at this point.
> > > What's your opinion here?
> >
> > Thank you for the note about this history. I didn't know NCSA httpd had
> > two licenses. I wonder if there was later a change to "everything that
> > was 'open' is now permissively licensed" at some point?
> >
> > If the chunk of code is still big enough and original enough to meet the
> > minimum threshold for originality, then yes, the original copyright and
> > license would apply; however, I think this would mean that we need to
> > find documentation that someone contacted the U of I (and/or Rob
> > McCool).
> >
> > A quick query of tldrlegal shows an NCSA license that is shorter and
> > more permissive:
> > https://www.tldrlegal.com/license/university-of-illinois-ncsa-open-source-license-ncsa
> >
> > I suspect that NCSA httpd may have been relicensed to this shorter
> > version. Yeah, this seems to be a case where it's worth contacting
> > debian-legal, especially given those bits that don't look very
> > DFSG-free.
> >
> > On the upside, I'm almost totally certain that that mini-httpd will be
> > ready to upload after this issue is resolved!
> >
> > Regards,
> > Nicholas