Closed Bug 850003 Opened 11 years ago Closed 11 years ago

certdata.txt no longer contains a copyright

Categories

(NSS :: CA Certificates Code, task)

RESOLVED WORKSFORME

People

(Reporter: mshuler, Assigned: gerv)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0
Build ID: 20130307023931

Steps to reproduce:

For a new machine-readable copyright file format, I am re-documenting copyright declarations for the Debian ca-certificates package, which contains the NSS certdata.txt file as the primary source for trusted CA certificates.


Actual results:

CVS Revision: 1.83 of certdata.txt was released to update the license from MPL-1.1 to the MPL-2.0 license in the file header and the previous copyright declaration was removed. Currently there is no copyright on certdata.txt.


Expected results:

The re-introduction of a copyright statement in certdata.txt would make things ultimately clear. However, if there will be no addition of a copyright, I would like clarification of whether I should document the current copyright status of certdata.txt as:
  a) public domain
  b) still copyrighted as previously designated in 1.82:
     # The Initial Developer of the Original Code is
     # Netscape Communications Corporation.
     # Portions created by the Initial Developer are Copyright (C) 1994-2000
     # the Initial Developer. All Rights Reserved.
  c) something else that I may document, based on your response to this bug.

Thanks!
-- 
Kind regards,
Michael Shuler
Gerv, I think this is something that only you know how to resolve properly.

(In reply to Michael Shuler from comment #0)
> For a new machine-readable copyright file format, I am re-documenting
> copyright declarations for the Debian ca-certificates package, which
> contains the NSS certdata.txt file as the primary source for trusted CA
> certificates.

This is a bad and dangerous idea, in general. The format of certdata.txt and/or the exact meaning of any value in it may change, without notice. As of now, the only correct and supported way to re-use the certificate database is to use it through the PKCS#11 interface.
Assignee: nobody → gerv
Brian,

A ton of projects are already using the certificates from certdata.txt, as a reflection of the Mozilla Root Certificate Policy.

Yes, there are ways that people can mess this up - which is why Adam's documented some of them and provided a 'reference' implementation at http://www.imperialviolet.org/2012/01/30/mozillaroots.html

What's your suggestion for the best way for another project to adopt Mozilla's root certificates, if *not* through certdata.txt?
(In reply to Ryan Sleevi from comment #2)
> Yes, there are ways that people can mess this up - which is why Adam's
> documented some of them and provided a 'reference' implementation at
> http://www.imperialviolet.org/2012/01/30/mozillaroots.html
> 
> What's your suggestion for the best way for another project to adopt
> Mozilla's root certificates, if *not* through certdata.txt?

We (NSS team) don't attempt to solve that problem. In practice, I think that we'll put some effort into avoiding gratuitous changes. But, I don't think we should make any compatibility commitments here.
Fair enough.

To get back to the original topic, I'm told it would be helpful to have that documentation in certdata.txt as well, and to my non-legal eyes, "seems" harmless, independent of whether or not other projects "should" do this.
Michael: why do you need a copyright declaration for this file? The new MPL2 boilerplate does not, by default, include a Copyright line, because it's simply not necessary.

Are you interested in the copyright which subsists in the certificates themselves, or the work of assembling them into a single file and the metadata attached to it?

Gerv
INCOMPLETE due to lack of info from reporter.

Gerv
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → INCOMPLETE
Hi Gerv,

Sorry for the gap - I was certain I had posted a reply.

First, I understand that MPL2 does not include a copyright, nor is one required.

Debian has a new copyright format for documenting the upstream source copyright, and that format requires a copyright line. [0]  Mozilla as the upstream source is the copyright I'm interested in, not that of each certificate.  Since there was a copyright, previously, I'm a bit stuck on how this line should now read.

From the copyright line description:  "If a work has no copyright holder (i.e., it is in the public domain), that information should be recorded here."

I also asked a trademark and copyright lawyer about the removal of the copyright, and her first question was, "So the source is now public domain?"  My answer was, "It does have a license, but no copyright, so it is not public domain to the best of my understanding."  :)

Currently, I have left the old copyright line in the documentation and included a comment about this bug. [1]

----

The advice I'm really looking for is:  How would the upstream source provider, Mozilla, like the Copyright line to be documented by a downstream, if a Copyright line is required to be declared by the downstream's redistribution policy?

The possible options I see could include, but are not limited to:
 - the old copyright, as I have currently [1]
 - "Public Domain" (understandably no, but it is an interesting legal question)
 - "None"
 - "N/A"
 - blank

The required full line I'm attempting to document is:

 "Copyright: <...>"

where <...> should contain something, or perhaps nothing?

[0] http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/#copyright-field
[1] http://anonscm.debian.org/gitweb/?p=collab-maint/ca-certificates.git;a=blob;f=debian/copyright;hb=HEAD

-- 
Kind regards,
Michael Shuler
Status: RESOLVED → UNCONFIRMED
Resolution: INCOMPLETE → ---
How does this new format deal with a work where the copyright belongs to a large number of people?

The copyright in Firefox, for example, belongs to thousands or tens of thousands of individuals.

The certs are not in the public domain. The answer is that copyright remains with the individual CAs who submitted them, but by submitting them to us, they gave Mozilla a right to distribute them under the terms we distribute our software under.

Gerv
The Firefox source code (unbranded name Iceweasel in Debian) is documented for copyright and licenses in exactly the same way (as is every package in Debian):

http://ftp-master.metadata.debian.org/changelogs/main/i/iceweasel/iceweasel_23.0.1-1_copyright

Since certdata.txt is a unique file creation by Mozilla that does not simply contain a bunch of PEM blocks from the individual CAs, I can understand why it had a copyright.

I will see if I can get some legal and Debian policy guidance for what I might use to "fill in the blank".

-- 
Kind regards,
Michael
(In reply to Michael Shuler from comment #9)
> http://ftp-master.metadata.debian.org/changelogs/main/i/iceweasel/
> iceweasel_23.0.1-1_copyright

Hmm. That file doesn't mention the MPL 2, which is a pretty big oversight :-) It needs some fairly serious updating.

> Since certdata.txt is a unique file creation by Mozilla that does not simply
> contain a bunch of PEM blocks from the individual CAs, I can understand why
> it had a copyright.

Well OK, if you are asking who owns the copyright on the other bits, I guess the answer is "Mozilla Contributors", as with the rest of the code.

> I will see if I can get some legal and Debian policy guidance for what I
> might use to "fill in the blank".

OK :-)

Gerv
[I would like to keep this bug open for a bit longer - I'll update when everyone seems happy]

(In reply to Gervase Markham [:gerv] from comment #10)
> (In reply to Michael Shuler from comment #9)
> > http://ftp-master.metadata.debian.org/changelogs/main/i/iceweasel/
> > iceweasel_23.0.1-1_copyright
> 
> Hmm. That file doesn't mention the MPL 2, which is a pretty big oversight
> :-) It needs some fairly serious updating.

Indeed. I will look at the various Mozilla packages in Debian and see if I can get some bugs filed for them, if they don't already exist.

The help provided on this bug report should serve as good documentation for other software under MPL-2.

> Well OK, if you are asking who owns the copyright on the other bits, I guess
> the answer is "Mozilla Contributors", as with the rest of the code.

Thanks for the elegant suggestion.  Here is a snippet of the debian/copyright file for the next ca-certificates upload, which I hope (I'm confident) passes Mozilla's and Debian's approval:

====
Files: mozilla/certdata.txt
       mozilla/nssckbi.h
Copyright: Mozilla Contributors
Comment: Original Copyright: 1994-2000 Netscape Communications Corporation
                             (certdata.txt <= CVS Revision: 1.82)
         NSS no longer contains explicit copyright. Upstream indicates
         that "Mozilla Contributors" is an appropriate attribution for the
         required Copyright: field in Debian's machine-readable format.
         https://bugzilla.mozilla.org/show_bug.cgi?id=850003
License: MPL-2.0
 Mozilla Public License Version 2.0
 ==================================
 .
 1. Definitions
 --------------
 .
 1.1. "Contributor"
 <...full license text...>
====

-- 
Kind regards,
Michael
The above "Copyright: Mozilla Contributors" was included in the latest upload of the ca-certificates package and migrated to testing/Jessie (the next Debian release).

I will follow up with MPL-2.0 bug reports for other Mozilla software in Debian, but this bug can be closed.

Thanks again for the help!

-- 
Kind regards,
Michael Shuler
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME