search

silnrsi / teckit

A Text Encoding Conversion toolkit
Other
17 stars 11 forks source link

teckit-2.5.9.tar.gz bundles zlib-1.2.3 without a zlib license #22

Closed ppisar closed 4 years ago

ppisar commented 5 years ago

teckit-2.5.9.tar.gz archive contains zlib-1.2.3 directory where many files contain this license declaration:

/* adler32.c -- compute the Adler-32 checksum of a data stream
 * Copyright (C) 1995-2004 Mark Adler
 * For conditions of distribution and use, see copyright notice in zlib.h
 */

But there is no zlib.h file. When I look at original zlib-1.2.3 sources, the zlib.h reads:

  This software is provided 'as-is', without any express or implied
  warranty.  In no event will the authors be held liable for any damages
  arising from the use of this software.

  Permission is granted to anyone to use this software for any purpose,
  including commercial applications, and to alter it and redistribute it
  freely, subject to the following restrictions:

  1. The origin of this software must not be misrepresented; you must not
     claim that you wrote the original software. If you use this software
     in a product, an acknowledgment in the product documentation would be
     appreciated but is not required.
  2. Altered source versions must be plainly marked as such, and must not be
     misrepresented as being the original software.
  3. This notice may not be removed or altered from any source distribution.

That means the teckit archive violates zlib license because it removed the copyright notice from the source distribution. Please add zlib.h or at least the portion with with the copyright notice back to the teckit release archive. I can see it exists in your git repository.

tim-eves commented 5 years ago

Yes I see that you're correct, we'll have to check the archive process as it seems to have stripped all the zlib headers.

devosb commented 5 years ago

It seems to me that the archive process is not stripping out the zlib header files, it just does not include them to begin with. If I add the zlib header files to source/Makefile.am then they are placed in the generated tarball.

While reviewing the list of zlib C files, it seems that not all of those files are listed in source/Makefile.am. Files such as gzio.c are in the repo, but not listed, and therefore not in the tarball.