[Zlib-devel] zlib and LZMA
Greg Roelofs
newt at pobox.com
Mon Jul 17 11:23:27 EDT 2006
>> I am not a lawyer, but common sense would say that applying a bugfix
>> from the zlib developers would not constitute "modifying" the code.
Oh, but it would. Legal tests tend to be bog-simple wherever possible,
simply because interpretive tests (in the US) require judicial rulings,
and such precedents apply only to the area covered by the court, etc.
Much simpler to make it a binary test, and I believe "modified" usually
counts as such. (That said, you might not get dinged too badly if you
did, but companies dislike any additional legal exposure, and so do
most humans.)
> You can use modified code as long as the modifications are made open
> source. That would be the case for security bug fixes. As long as
> they were made available in source.
One of the problems with that approach is that patches usually pinpoint
the nature of the security issue, and vendors (especially of hardware)
may wish to have time to update customers before exposing them to the
presumed attacks that follow widespread knowledge of the bug. Think
Linksys, for example. Some companies may not have the infrastructure
in place to distribute source patches, although that's probably rare
these days, and it's understandable if you're not too concerned by it.
> They could, if they made the source of the fix public. Only if they
> wanted to keep the bug fix proprietary would they not be allowed to
> use it in their closed-source product, per the license. So if
> someone finds a security bug, fixes it, and wants to keep that
> proprietary, then it serves them right if the license prohibits it!
> Maybe I should change the zlib license.
Will you (and by "you" I mean "zlib authors and contributors") have a
choice? "Any modifications or additions to files from LZMA SDK, however,
are subject to the GNU LGPL or CPL terms." Word number 4 is interesting...
> I understand his reasons, and I don't think he'll be persuaded. Also
> I think the proposed restriction is acceptable. What do the rest of
> you think?
I think you need to be a little careful about the ramifications. Have
you talked with any of the Linux distributors about it? I don't expect
too many of them would have an issue with LGPL-plus-an-exemption, but
if any did, you would suddenly have two (new) zlibs out there, not just
the one. Compatibility issues lead to support issues lead to user
grumpiness...
I'm not saying don't do it; I'm just saying you should think through the
various possible outcomes, talk to some open-source users/distributors,
maybe consult a lawyer, etc.
Greg