#367 Incompatibility between GPL and RSA md5 license makes codeblocks (exporter plugin) non-distributable

[Vincent C.]

Forwarded from https://bugs.debian.org/826379

Codeblocks is licensed under GPL v3, but some files in the source tarball contain code that is licensed as per the terms of RSA Data Security, Inc.'s MD5 Message Digest Algorithm; this license is as follows:

src/plugins/contrib/source_exporter/wxPdfDocument/src/pdfencrypt.cpp
src/plugins/contrib/source_exporter/wxPdfDocument/src/pdfxml.cpp

/*

---

Copyright (C) 1990, RSA Data Security, Inc. All rights reserved.

License to copy and use this software is granted provided that
it is identified as the "RSA Data Security, Inc. MD5 Message
Digest Algorithm" in all material mentioning or referencing this
software or this function.

License is also granted to make and use derivative works
provided that such works are identified as "derived from the RSA
Data Security, Inc. MD5 Message Digest Algorithm" in all
material mentioning or referencing the derived work.

RSA Data Security, Inc. makes no representations concerning
either the merchantability of this software or the suitability
of this software for any particular purpose. It is provided "as
is" without express or implied warranty of any kind.

These notices must be retained in any copies of any part of this
documentation and/or software.

---

*/

This license is problematic for codeblocks because while it is free / compatible with Debian's Free Software Guidelines, it contains an advertising clause akin to the original / 4-clause BSD license that renders it incompatible with the GPL, which is what the majority of codeblocks' codebase is licensed under. The GNU project has documented this incompatibility at [1]. There's also some discussion of this issue on debian-legal [2].

I've also found precedent of other GPL-licensed free software projects removing RSA-licensed code from their codebase, so I don't think codeblocks is alone with this issue, e.g. tmemproxy [3] and opie [4], both of which were fixed by using an alternative md5 implementation (both have sample patches). Another freely licensed md5 implementation that can be used is dpkg's implementation [5] (that's supposed to be a drop-in replacement for the RSA implementation?).

[1] http://www.gnu.org/licenses/license-list.html#OriginalBSD
[2] https://lists.debian.org/debian-legal/2016/05/msg00011.html
[3] https://github.com/twitter/twemproxy/issues/120
[4] https://bugs.debian.org/328923
[5] https://sources.debian.net/src/dpkg/1.18.7/lib/compat/md5.c/

[Teodor Petrov]

The problem here is that wxPdfDocument is a bundled library, so you'll have to talk to their maintainers (if they are still active) to fix it and then we can update our copy.

[Ulrich Telle]

I'm the creator and maintainer of wxPdfDocument and I'm definitely still active.

I was not aware of this license issue, but came across this post by chance. I will take a look at the mentioned dpkg's implementation of the MD5 algorithm. If it can be used as a drop-in replacement I will use it to replace the RSA code in wxPdfDocument.

[Vincent C.]

A fellow Debian Developer offered this patch to replace RSA's md5 implementation at https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=826379;filename=05-replace-md5-impl.patch;msg=12 (based off of http://openwall.info/wiki/people/solar/software/public-domain-source-code/md5). I haven't yet had time to take a look and forward it upstream, but if you're already taking a look at this issue now, perhaps that'd be somewhere to start. Thanks!

[ollydbg]

Hi, Ulrich Telle, I think there is another issue that can be fixed from wxPdfDocument side. See here: Code::Blocks / Tickets / #355 Please remove all lena.jpg images in source tarball, thanks.

[Ulrich Telle]

I will replace the lena.jpg by another image in course of fixing the MD5 issue.

[Ulrich Telle]

I replaced the MD5 code by a public domain version and replaced the file lena.jpg by another graphics file, see commit ee44c64 in the wxPdfDocument github repository.

[ollydbg]

Hi, Ulrich, great work, and now I think from C::B source, we can use your git head version now.

[ollydbg]

[[r10867]](https://sourceforge.net/p/codeblocks/code/10867/) should fix the issue.

* updated wxPDFDoc library to recent GIT version to resolve licensing issues

-------------------------------
M(T ) : /trunk/src/plugins/contrib/source_exporter/wxPdfDocument/docs/Doxyfile
M(T ) : /trunk/src/plugins/contrib/source_exporter/wxPdfDocument/include/wx/pdfdocdef.h
A(TP) : /trunk/src/plugins/contrib/source_exporter/wxPdfDocument/samples/minimal/flower.jpg
D     : /trunk/src/plugins/contrib/source_exporter/wxPdfDocument/samples/minimal/lena.jpg
M(T ) : /trunk/src/plugins/contrib/source_exporter/wxPdfDocument/samples/minimal/transparency.cpp
M(T ) : /trunk/src/plugins/contrib/source_exporter/wxPdfDocument/src/pdfdc29.inc
M(T ) : /trunk/src/plugins/contrib/source_exporter/wxPdfDocument/src/pdfencrypt.cpp
M(T ) : /trunk/src/plugins/contrib/source_exporter/wxPdfDocument/src/pdffontdatacore.cpp
M(T ) : /trunk/src/plugins/contrib/source_exporter/wxPdfDocument/src/pdffontdatatype0.cpp
M(T ) : /trunk/src/plugins/contrib/source_exporter/wxPdfDocument/src/pdffontparsertruetype.cpp
M(T ) : /trunk/src/plugins/contrib/source_exporter/wxPdfDocument/src/pdffontparsertype1.cpp
M(T ) : /trunk/src/plugins/contrib/source_exporter/wxPdfDocument/src/pdfkernel.cpp
M(T ) : /trunk/src/plugins/contrib/source_exporter/wxPdfDocument/src/pdfocg.cpp
M(T ) : /trunk/src/plugins/contrib/source_exporter/wxPdfDocument/src/pdfprint.cpp

[Vincent C.]

Awesome, thanks!