Closed malemburg closed 16 years ago
malemburg
commented
16 years ago Since we are shipping the msvcr90.dll (+ assemblies) together with the Python installer for Windows, we need to include the MS EULA for VS2008 in the third-party licenses section as this is the license that covers the VS DLLs.
malemburg
commented
16 years ago Note that there are a few gotchas in the MS EULA, such as disallowing to ship the DLLs with GPLed Python products or requiring that the PSF prevents further redistribution of the DLLs unless used in conjunction with Python.
mhammond
commented
16 years ago Obviously IANAL, but my reading of eula.txt included with VS9 seems less restrictive than the 2003 one. It has 2 clauses that seem relevant:
[you must] require distributors and external end users to agree to terms that protect it at least as much as this agreement;
[you must not] modify or distribute the source code of any Distributable Code so that any part of it becomes subject to an Excluded License. An Excluded License is [description of GPL]
I do see how the first could be considered an issue (otoh, I'd try to argue we aren't doing anything to imply any worse terms :), but I don't see how the second is, even for GPLd programs that simply used the compiler.
Maybe it would be helpful if you referenced the specific clauses you think are of concern?
malemburg
commented
16 years ago Mark Hammond wrote:
Mark Hammond \mhammond@users.sourceforge.net\ added the comment:
Obviously IANAL, but my reading of eula.txt included with VS9 seems less restrictive than the 2003 one. It has 2 clauses that seem relevant:
[you must] require distributors and external end users to agree to terms that protect it at least as much as this agreement;
[you must not] modify or distribute the source code of any Distributable Code so that any part of it becomes subject to an Excluded License. An Excluded License is [description of GPL]
I do see how the first could be considered an issue (otoh, I'd try to argue we aren't doing anything to imply any worse terms :), but I don't see how the second is, even for GPLd programs that simply used the compiler.
Maybe it would be helpful if you referenced the specific clauses you think are of concern?
This was already discussed on the PSF members mailing list.
I don't have the VC9 EULA available, but these are the clauses of concern from VC7.1:
"""
DISTRIBUTION REQUIREMENTS AND OTHER LICENSE RIGHTS AND LIMITATIONS. If you choose to exercise your rights under Section 2, any redistribution by you is subject to your compliance with Section 3.1; some of the Redistributable Code has additional limited use rights described in Section 3.2.
3.1 General Distribution Requirements.
(a) If you choose to redistribute Sample Code, or Redistributable Code (collectively,the “Redistributables”) as described in Section 2, you agree:
(i) except as otherwise noted in Section 2.1 (Sample Code), to distribute theRedistributables only in object code form and in conjunction with and as a part of a software application product developed by you that adds significant and primary functionality to the Redistributables (“Licensee Software”);
(ii) that the Redistributables only operate in conjunction with Microsoft Windowsplatforms;
(iii) that if the Licensee Software is distributed beyond Licensee’s premises orexternally from Licensee’s organization, to distribute the Licensee Software containing the Redistributables pursuant to an end user license agreement (which may be “break-the-seal”, “click-wrap” or signed), with terms no less protective than those contained in this EULA;
(iv) not to use Microsoft’s name, logo, or trademarks to market the LicenseeSoftware;
(v) to display your own valid copyright notice which shall be sufficient toprotect Microsoft’s copyright in the Software;
(vi) not to remove or obscure any copyright, trademark or patent notices thatappear on the Software as delivered to you;
(vii) to indemnify, hold harmless, and defend Microsoft from and against anyclaims or lawsuits, including attorney’s fees, that arise or result from the use or distribution of the Licensee Software;
(viii) to otherwise comply with the terms of this EULA; and (ix) agree thatMicrosoft reserves all rights not expressly granted.
You also agree not to permit further distribution of the Redistributables by your endusers except you may permit further redistribution of the Redistributables by your distributors to your end-user customers if your distributors only distribute the Redistributables in conjunction with, and as part of, the Licensee Software, you comply with all other terms of this EULA, and your distributors comply with all restrictions of this EULA that are applicable to you.
(b) If you use the Redistributables, then in addition to your compliance with theapplicable distribution requirements described for the Redistributables, the following also applies. Your license rights to the Redistributables are conditioned upon your not
(i) creating derivative works of the Redistributables in any manner that wouldcause the Redistributables in whole or in part to become subject to any of the terms of an Excluded License; or
(ii) distributing the Redistributables (or derivative works thereof) in any mannerthat would cause the Redistributables to become subject to any of the terms of an Excluded License. An “Excluded License” is any license that requires as a condition of use, modification and/or distribution of software subject to the Excluded License, that such software or other software combined and/or distributed with such software be (x) disclosed or distributed in source code form; (y) licensed for the purpose of making derivative works; or (z) redistributable at no charge. """
Specifically: -------------
3.1 (a) (iii) ... pursuant to an end user license agreement (which may be “break-the-seal”, “click-wrap” or signed), with terms no less protective than those contained in this EULA ...
The PSF license is *less* protective than the MS EULA.
3.1 (a) ... You also agree not to permit further distribution of the Redistributables ...
This clause also allows an exception to the rule, but that's mainly meant to cover distributors of the software as a whole.
3.1 (b) ... [may not be distributed together with an app under a GPL-like license] ...
This is only important for people wanting to use e.g. py2exe for creating a GPLed application.
Note that I'm not suggesting to dive into all this. We should simply put the EULA into the installer package and be done with it :-)
mhammond
commented
16 years ago MAL:
This was already discussed on the PSF members mailing list.
Yeah, but not specifically about VS2008 which this bug seemed to be specifically targetting. FWIW, this appears like *less* of a problem for 2.6 than for 2.4 and 2.5 as it doesn't appear to have as draconian clauses as the ones you quote.
Note that I'm not suggesting to dive into all this. We should simply put the EULA into the installer package and be done with it :-)
I can't argue with that - including the relevant EULA certainly would be prudent (I wonder what the license on the EULA itself is - it doesn't seem to be covered as 'Distributable Code' under the terms of its own license ;) What the hell though - at the risk of being sued, I've attached it ;)
malemburg
commented
16 years ago Attaching the VS7.1 EULA. This is only relevant for Python 2.5... should we do another patch level release.
malemburg
commented
16 years ago Mark Hammond wrote:
MAL: > Note that I'm not suggesting to dive into all this. We > should simply put the EULA into the installer package > and be done with it :-)
I can't argue with that - including the relevant EULA certainly would be prudent (I wonder what the license on the EULA itself is - it doesn't seem to be covered as 'Distributable Code' under the terms of its own license ;) What the hell though - at the risk of being sued, I've attached it ;)
Thanks. I'll have a look at the new EULA as well... I was under the assumption that EULAs tend to grow more restrictive rather then open up possibilities ;-)
I've added the VC7.1 EULA as well.
malemburg
commented
16 years ago Adding the EULA should be easy... the MSI installer code already adds the other licenses for OpenSSL, etc. to the license text in Tools/msi/msi.py (took me a while to find that file, since I would have expected this to live under PCbuild/).
The only "problem" is finding the path to the EULA text file, since that depends on the where VS is installed (and perhaps the edition as well).
malemburg
commented
16 years ago Raising priority since this needs to be resolved prior to the final release of Python 2.6/3.0.
Regarding finding the eula.txt in the VS2008 installation, there doesn't appear to be a generic way. The eula.txt is stored in a folder named after the installed version of VS2008. Finding the installation folder is easy (use VS90COMNTOOLS env setting), but determining the product name doesn't look as easy.
Perhaps there's some registry trick we could pull off ?!
warsaw
commented
16 years ago This should definitely block the final release, but not rc1.
61337411-43fc-4a9c-b8d5-4060aede66d0
commented
16 years ago I don't think this needs to be resolved before 2.6, not without a pronouncement from a lawyer advising the PSF. Layman's analyses of legal issues are void.
Thus lowering the priority.
malemburg
commented
16 years ago On 2008-09-09 17:54, Martin v. Löwis wrote:
Martin v. Löwis \martin@v.loewis.de\ added the comment:
I don't think this needs to be resolved before 2.6, not without a pronouncement from a lawyer advising the PSF. Layman's analyses of legal issues are void.
Thus lowering the priority.
That's an interesting argument :-) What makes you think that a layman's judgment over a layman's analysis is not void as well ?
Rather than arguing about the necessity of including the license of a 3rd party file that we intend to include in a wide-spread software release, wouldn't it be easier to just add the file and be done with it, like I suggested at the very beginning of this discussion ?
61337411-43fc-4a9c-b8d5-4060aede66d0
commented
16 years ago Rather than arguing about the necessity of including the license of a 3rd party file that we intend to include in a wide-spread software release, wouldn't it be easier to just add the file and be done with it, like I suggested at the very beginning of this discussion ?
It's certainly easier to defer the decision than to take action, especially when we don't *need* to take action (Python works fine whether or not the file is included). There are so many more important things to do.
OTOH, contributions are welcome.
malemburg
commented
16 years ago On 2008-09-09 23:09, Martin v. Löwis wrote:
Martin v. Löwis \martin@v.loewis.de\ added the comment:
> Rather than arguing about the necessity of including the license > of a 3rd party file that we intend to include in a wide-spread > software release, wouldn't it be easier to just add the file > and be done with it, like I suggested at the very beginning of > this discussion ?
It's certainly easier to defer the decision than to take action, especially when we don't *need* to take action (Python works fine whether or not the file is included).
We've had the same issue with the OpenSSL license and the other 3rd party packages which come with the Python Windows installer.
Do you really think that simply ignoring the fact that we are violating copyrights "because Python works without them" is the right way to move forward, esp. considering that the PSF itself is all about protecting copyrights ?
There are so many more important things to do.
True.
OTOH, contributions are welcome.
I'd love to, but haven't found a way to determine the path to the eula.txt file in a reliable way.
61337411-43fc-4a9c-b8d5-4060aede66d0
commented
16 years ago We've had the same issue with the OpenSSL license and the other 3rd party packages which come with the Python Windows installer.
No, the issue was completely different. Those licenses literally say "include a copy of the license text" (e.g. for OpenSSL "Redistributions in binary form must reproduce the above copyright notice, this list of conditions [...]")
That's a requirement that I can understand. For the MS EULA, I don't understand what it says, and I don't know whether including it will make compliance with the license better or worse. I need a lawyer to tell me what to do comply with the license, then I can decide whether I like to do that, and the lawyer can also tell me what the consequences might be if I did something different.
Do you really think that simply ignoring the fact that we are violating copyrights
I don't believe we are violating copyrights by not including the license (and I don't believe you when you say we do). I would believe a lawyer telling me so (although according to my experience with lawyers, the lawyer may not actually say that, but only tell me what to do).
I'd love to, but haven't found a way to determine the path to the eula.txt file in a reliable way.
So I propose to defer this until a) we have a reliable confirmation that it is the right thing to do, and b) there is also a proposal for an implementation strategy. Blocking the release for this issue is really counter-productive.
malemburg
commented
16 years ago Here's a patch that adds the MS EULA to the MSI installer.
I couldn't test this, since I don't have a Python build environment on Windows, but it should be more or less working.
malemburg
commented
16 years ago On 2008-09-10 00:15, Martin v. Löwis wrote:
Martin v. Löwis \martin@v.loewis.de\ added the comment:
> We've had the same issue with the OpenSSL license and the other > 3rd party packages which come with the Python Windows installer.
No, the issue was completely different. Those licenses literally say "include a copy of the license text" (e.g. for OpenSSL "Redistributions in binary form must reproduce the above copyright notice, this list of conditions [...]")
That's a requirement that I can understand. For the MS EULA, I don't understand what it says, and I don't know whether including it will make compliance with the license better or worse. I need a lawyer to tell me what to do comply with the license, then I can decide whether I like to do that, and the lawyer can also tell me what the consequences might be if I did something different.
> Do you really think that simply ignoring the fact that we are > violating copyrights
I don't believe we are violating copyrights by not including the license (and I don't believe you when you say we do). I would believe a lawyer telling me so (although according to my experience with lawyers, the lawyer may not actually say that, but only tell me what to do).
This part sparked the original discussion:
""" For any Distributable Code you distribute, you must ... require distributors and external end users to agree to terms that protect it at least as much as this agreement; """
The PSF license doesn't provide the same level of protection as the MS EULA, so the only way to maintain the protection is to either add special terms that fulfill this requirement to the license covering the DLLs, or to simply include the MS EULA and tell the user that the DLLs are covered by that license.
I proposed to do the latter, since it's the easiest way to avoid any issues.
> I'd love to, but haven't found a way to determine the path to the > eula.txt file in a reliable way.
So I propose to defer this until a) we have a reliable confirmation that it is the right thing to do, and b) there is also a proposal for an implementation strategy. Blocking the release for this issue is really counter-productive.
It's not ideal, but if all it takes is including the EULA (and the PSF lawyer should be able to get back to us on this within the time frame of the release schedule), then it's easy to resolve.
VanL
commented
16 years ago Sorry for the long comment. There are two parts to this comment. First, my recommendation, and second, the somewhat tedious analysis of the Microsoft EULAs. The second part is the verbiage to justify the first.
Recommendation \==============
To comply with Microsoft's EULA, the PSF should include text like the following in the Windows binary installer license text:
----
"This program is linked with and uses Microsoft Distributable Code, copyrighted by Microsoft Corporation. The Microsoft Distributable Code includes the following files:
[...]
If you further distribute programs that include the Microsoft Distributable Code, you must comply with the restrictions on distribution specified by Microsoft. In particular, you must require distributors and external end users to agree to terms that protect the Microsoft Distributable Code at least as much as Microsoft's own requirements for the Distributable Code. See Microsoft's documentation (included in its developer tools and on its website at microsoft.com) for specific details.
Redistribution of the Windows binary build of the Python interpreter complies with this agreement, provided that you do not:
alter any copyright, trademark or patent notice in Microsoft's Distributable Code;
use Microsoft’s trademarks in your programs’ names or in a way that suggests your programs come from or are endorsed by Microsoft;
distribute Microsoft's Distributable Code to run on a platform other than Microsoft operating systems, run-time technologies or application platforms;
include Microsoft Distributable Code in malicious, deceptive or unlawful programs; or
modify or distribute the source code of any Microsoft Distributable Code so that any part of it becomes subject to an Excluded License. An Excluded License is one that requires, as a condition of use, modification or distribution, that the code be disclosed or distributed in source code form; or others have the right to modify it.
These restrictions apply only to the Microsoft Distributable Code as defined above, not to Python itself or any programs running on the Python interpreter. The redistribution of the Python interpreter and libraries is governed by the Python Software License included with this file, or by other licenses as marked.
----
Commentary on the distribution requirements \===========================================
VS 2008 (labels added for clarity) ----------------------------------
"ii. Distribution Requirements. For any Distributable Code you distribute, you must
(A) add significant primary functionality to it in your programs;"
This term is satisfied by the addition of the Python interpreter.
(B) "for any Distributable Code having a filename extension of .lib, distribute only the results of running such Distributable Code through a linker with your program;"
This prohibits distributing libraries in .lib form. Based on what I see in the MSI, we do not do this. We do include _msi.lib, but that is not Microsoft's _msi.lib, but the ready-for linking version of MvL's msilib.
(C) "distribute Distributable Code included in a setup program only as part of that setup program without modification;"
Python does not include any Distributable Code included in a setup program.
(D) "require distributors and external end users to agree to terms that protect it at least as much as this agreement;"
This term specifies that any Distributable Code that we distribute must itself have some sort of agreement that protects Microsoft's rights in "it" (the code) "at least as much as this agreement."
The important term here is "it." The antecedent here is "Distributable Code you distribute," (Microsoft's code, in this case the msvcrt.dll), not "your programs" (Python).
(E) "display your valid copyright notice on your programs; and"
Python complies with this requirement, as we display our own license agreement and include sys.copyright.
(F) "indemnify, defend, and hold harmless Microsoft from any claims, including attorneys’ fees, related to the distribution or use of your programs."
Under this provision, we agree not to sue Microsoft for distributing Python.
"iii. Distribution Restrictions. You may not
(G) alter any copyright, trademark or patent notice in the Distributable Code;"
Python complies with this requirement, as the Microsoft Distributable Code is distributed unaltered.
(H) "use Microsoft’s trademarks in your programs’ names or in a way that suggests your programs come from or are endorsed by Microsoft;"
Python complies with this requirement, as we do use Microsoft's trademarks in the program name and we don't suggest that Python comes from or is endorsed by Microsoft.
(I) "distribute Distributable Code to run on a platform other than Microsoft operating systems, run-time technologies or application platforms;"
While Python could technically run on non-Microsoft platforms (e.g. Wine), the Windows binary distribution is explicitly provided *for Windows.* Other platforms are provided source code or explicit binaries. Therefore, the PSF does not "distribute Distributable Code to run on a platform other than Microsoft operating systems."
(J) "include Distributable Code in malicious, deceptive or unlawful programs; or"
Python complies with this requirement, as it is not malicious, deceptive, or unlawful.
(K) "modify or distribute the source code of any Distributable Code so that any part of it becomes subject to an Excluded License. An Excluded License is one that requires, as a condition of use, modification or distribution, that
the code be disclosed or distributed in source code form; or
others have the right to modify it."Python complies with this requirement, as it does not express any claim or licensing requirement on any part of the code that goes into a binary distribution.
-----
(VS 7.1 EULA) -------------
The analysis for the VS 7.1 EULA is similar to the 2008 EULA above.
"3.1 General Distribution Requirements.
(a) If you choose to redistribute Sample Code, or Redistributable Code (collectively, the “Redistributables”) as described in Section 2, you agree:"
The PSF redistributes "Redistributables", so this section applies to us.
"(i) except as otherwise noted in Section 2.1 (Sample Code), to distribute the Redistributables only in object code form and in conjunction with and as a part of a software application product developed by you that adds significant and primary functionality to the Redistributables (“Licensee Software”);"
This is similar to requirement (A) above in the 2008 EULA. The Python interpreter fulfills this requirement.
"(ii) that the Redistributables only operate in conjunction with Microsoft Windows platforms;"
As discussed above relative to paragraph (I) above, and end user could conceivably take the Windows binary distribution of Python and run it on Wine. Regardless, the Windows binary build is clearly marked for use on the Microsoft Windows platform and other platforms have their own builds. Accordingly, Python fulfills this requirement.
"(iii) that if the Licensee Software is distributed beyond Licensee’s premises or externally from Licensee’s organization, to distribute the Licensee Software containing the Redistributables pursuant to an end user license agreement (which may be “break-the-seal”, “click-wrap” or signed), with terms no less protective than those contained in this EULA;"
The wording in the VS 7.1 EULA is not as clear as in the 2008 EULA, but these license terms only apply to the Microsoft Redistributables, not to Python itself. The PSF will comply with this provision by incorporating Microsoft's terms by reference and explicitly applying them to the Microsoft Redistributables only.
"(iv) not to use Microsoft’s name, logo, or trademarks to market the Licensee Software;"
As discussed relative to paragraph (H) above, Python complies with this provision.
"(v) to display your own valid copyright notice which shall be sufficient to protect Microsoft’s copyright in the Software;"
As discussed relative to paragraph (E) above, Python complies with this provision.
"(vi) not to remove or obscure any copyright, trademark or patent notices that appear on the Software as delivered to you;"
As discussed relative to paragraph (G) above, Python complies with this provision.
"(vii) to indemnify, hold harmless, and defend Microsoft from and against any claims or lawsuits, including attorney’s fees, that arise or result from the use or distribution of the Licensee Software;"
As discussed relative to paragraph (F) above, Python complies with this provision.
"(viii) to otherwise comply with the terms of this EULA;"
The PSF and the Python Windows binary distribution otherwise comply with the EULA.
"and (ix) agree that Microsoft reserves all rights not expressly granted."
The PSF can agree to this provision, again as it refers only to the Microsoft Distributable Code, not Python itself.
"You also agree not to permit further distribution of the Redistributables by your end users except you may permit further redistribution of the Redistributables by your distributors to your end-user customers if your distributors only distribute the Redistributables in conjunction with, and as part of, the Licensee Software, you comply with all other terms of this EULA, and your distributors comply with all restrictions of this EULA that are applicable to you."
This provision has two parts. First, the PSF agrees to only allow the redistribution of the Microsoft Distributable Code with the Python interpreter, and second, redistributions of the Microsoft Distributable Code need to comply with the EULA.
The provided statement complies with both of these provisions by making the restrictions on the Microsoft Distributable Code clear and by incorporating Microsoft's restrictions by reference.
"If you use the Redistributables, then in addition to your compliance with the applicable distribution requirements described for the Redistributables, the following also applies. Your license rights to the Redistributables are conditioned upon your not (i) creating derivative works of the Redistributables in any manner that would cause the Redistributables in whole or in part to become subject to any of the terms of an Excluded License; or (ii) distributing the Redistributables (or derivative works thereof) in any manner that would cause the Redistributables to become subject to any of the terms of an Excluded License. An “Excluded License” is any license that requires as a condition of use, modification and/or distribution of software subject to the Excluded License, that such software or other software combined and/or distributed with such software be (x) disclosed or distributed in source code form; (y) licensed for the purpose of making derivative works; or (z) redistributable at no charge."
As discussed relative to paragraph (K) above, Python complies with this provision, as it does not express any claim or licensing requirement on any part of the code that goes into a binary distribution.
malemburg
commented
16 years ago Thank you, Van, for this comprehensive analysis.
By including your text we'll also bypass the issues with finding the EULA file in the Visual Studio installation.
The text should be easy to add as extra file and we can then reference this file in the MSI installer builder (much like we do for all other 3rd party licenses. I can't help with that in the next few days, though, since I'm on vacation the next week.
One nit I found with the text, but that may not be legally relevant: The MS website does not appear to list the EULA texts anywhere.
VanL
commented
16 years ago The important part is that we point out the Microsoft redistributables are subject to Microsoft's restrictions; we don't need to point to a specific EULA URL. People installing Python will agree to the license terms as they apply to the different pieces of the binary, and thus satisfy the PSF's obligation.
61337411-43fc-4a9c-b8d5-4060aede66d0
commented
16 years ago Van, your recommendation is much appreciated. I'll add your text to the LICENSE file of the next release candidates.
c277c4e9-699c-4a9a-9259-3fd356715ce8
commented
16 years ago The recommended addition includes the 'excluded license' section which appears unnecessary as Python does not distribute any source code redistributables, only the .DLL file which is a binary executable. Including this is likely to confuse those who wish to use the GPL when distributing projects which include Python since the license is trying to limit their redistributing something they will not be able to find and so remove from Python.
VanL
commented
16 years ago Neil, you are right. I was thinking about linking to the binary dll (which some people think might impose licensing restrictions under some circumstances), but the text does refer to the source code.
As Python does not distribute any source code from Microsoft, it is better to remove the last restriction identified by Neil from the recommended text (and fix the grammar accordingly).
61337411-43fc-4a9c-b8d5-4060aede66d0
commented
16 years ago This is now fixed in r66460 and r66462; the text that gets included is in Tools/msi/crtlicense.txt.
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields: ```python assignee = None closed_at =
created_at =
labels = ['OS-windows', 'release-blocker']
title = 'Add MS EULA to the list of third-party licenses in the\tWindows installer'
updated_at =
user = 'https://github.com/malemburg'
```
bugs.python.org fields:
```python
activity =
actor = 'loewis'
assignee = 'none'
closed = True
closed_date =
closer = 'loewis'
components = ['Windows']
creation =
creator = 'lemburg'
dependencies = []
files = ['11187', '11188', '11449']
hgrepos = []
issue_num = 3617
keywords = ['patch']
message_count = 24.0
messages = ['71527', '71528', '71605', '71613', '71618', '71620', '71621', '71622', '72334', '72464', '72875', '72882', '72911', '72922', '72927', '72930', '72931', '73128', '73140', '73145', '73195', '73197', '73198', '73235']
nosy_count = 8.0
nosy_names = ['lemburg', 'loewis', 'mhammond', 'barry', 'theller', 'nyamatongwe', 'tvaught', 'vanl']
pr_nums = []
priority = 'release blocker'
resolution = 'fixed'
stage = None
status = 'closed'
superseder = None
type = None
url = 'https://bugs.python.org/issue3617'
versions = ['Python 2.6', 'Python 2.5', 'Python 3.0']
```