Ask Slashdot: "Pseudo-Free" Software in Major Distributions?

PugMajere submitted the following: "I've been looking into using SSH and rdist to distribute around 2 gig worth of data to about 1000 machines nightly. Rdist (v6.1.5) would be perfect for this, as it automatically forks to send data to multiple machines, but it isn't totally free software. The problem is with SSH. To use SSH with rdist you need the server side of SSH on each of the machines that are running the rdist server. The licensing fees for this are simply astronomical for this kind of application. While researching all this I noticed that Red Hat includes rdist (6.1.5) in its distribution. I also now know the rdist license terms. Rdist isn't free to use in a commercial setting if it involves another company. So, if you have two companies running Linux, that are collaborating on some project, and sharing some of the data using Linux and rdist, they owe Magnicomp money. My real question here is: Does anyone else realize this? How many other packages have similar arrangements that are going to cause major headaches in the future?"

rsync, lsh

[Anonymous Coward]

rsync works somewhat differently from rdist but it's often an adequate (or even superior) replacement

lsh, an ssh replacement seems to be coming along nicely

Free alternatives

[Anonymous Coward]

Hmmm... I didn't know that rdist was under that license; I always thought it was an ancient BSD program :(

As several other people have pointed out, you can probably use rsync instead, and rsync is newer and probably better maintained these days anyway. rsync comes with Red Hat.

There is a free version of SSH 2.0 under development at:

http://www.net.lut.ac.uk/psst/

It is under the GPL, but is not finished yet. I don't know how usable that is.

If you need encryption/security, you have at least 2 free options for an rsh/rcp type program:
- Use Kerberos rcp which can encrypt data. You will have to install a Kerberos server, though, and client software
- Use a SSL version of rcp. (SSLeay or OpenSSL, I don't know what's popular these days)

Re:Strange.. (yet another reason for Debian)

[Anonymous Coward]

You will always find the program copyright for a package in /usr/doc/packagename/copyright

No more wondering what the terms are of the software you are using.

vrms :-)

[Anonymous Coward]

To my knowledge, Debian is the only distribution to offer a Virtual Richard M. Stallman. This gadget emails you once a month with a list of the non-free software on your system; future versions are expected to include inspiring quotes from the Fearless Leader encouraging the user to cast off his or her chains and live in a Free Software world. :-)

I have it installed out of curiosity :-)

Daniel

Is this a fact or an opinion?

[Anonymous Coward]

1) rpm -qi rdist says it's BSD
2) previous post says the license changed 11/98
3) ls -l rdist says rdist binary was created 8/98

Is there any proof offered from the original poster that his statement is true, or is he just trying to flame Red Hat?

Re:Alternatives, and some comments

[Anonymous Coward]

This would not have happened if you were using Debian, because Debian considers the
license of each package for compliance with the The Debian Free Software Guidelines, the
document that later became the Open Source Definition.

Um, Bruce, before you get all holier-than-thou, you might want to make sure you know what you're talking about.

[foo@baz foo]$ dpkg -S rdist
netstd: /usr/man/man8/rdistd.8.gz
netstd: /usr/bin/rdistd
netstd: /usr/bin/rdist
netstd: /usr/man/man1/rdist.1.gz
[foo@baz foo]$

Yep, that's right. Debian ships with rdist as well. It ships a BSD-licensed version, just like Red Hat does. Apology accepted.

Re: Debian does distribute non-free software

[Anonymous Coward]

Um, no. Please actually verify your FUD before you start spreading it. The Red Hat packaged rdist is under the BSD license. So's the one in the netstd pkg.

Historical Context

[Anonymous Coward]

At the 1992 Usenix Conference in Nashville TN, Keith Bostic went up at some point and asked for volunteers to complete missing or obsolete pieces of BSD 4.3 for BSD 4.4, about to be released. I went up afterwards, and volunteered to do rdist, one of his listed items and something my sysadmin group used to great effect (with triggers, etc). Mike Cooper, wearing his "Love, Peace, and Rdist" tee-shirt (with the daemon cartoon holding a flower) was standing nearby, and overhearing me was too much, and motivated him to officially take the project, stridently shouting "its mine! its mine! I want to do it!". Ok fine, I appear to have motivated this guy to do it.

And no, I couldn't get a copy of that tee-shirt, I wasn't one of some inner circle or something.

So I say, screw 'im. Wrap a conditional trigger system (etc) around rsync, and bury rdist. I'd do it, except I don't sysadmin any more.

-- Perry

[Sorry about the AC posting, but I don't post enough to be worth it to get a signon.]

Re: Debian does distribute non-free software

[Anonymous Coward]

While it is true that Debian distinguishes between free and non-free software according to the DFSG, this does not imply that Debian is only distributing free software. Far from it. Three weeks ago I counted 334 non-free packages in potato. If we add the contrib packages that depend on non-free software, say another 150 packages (don't know the exact number), it will be true to say this: Debian distributes about 484 non-free packages. This is contrary to Debian's 'social contract' which begins with the phrase "Debian Will Remain 100% Free Software" (then goes on to explain that 100% free software means free + non-free software! )

Re:rsync not rdist

[Anonymous Coward]

rsync is more like rcp than rdist. In particular, rsync does not support a configuration file, nor does it support copying files to multiple machines at the same time.

Re:Easiest "Ask Slashdot" question yet: use Debian

[Shiska]

No. AcceleratedX sucks shit. It crashes a few times a day on my machine. ...They don't support their piss poor glibc-based version of the Xserver, which I use, which means that i wasted 90 dollars.
----------------- ------------ ---- --- - - - -

Coulda used PuTTY too...

[Wakko Warner]

Another free and high-quality SSH/telnet client for Windows 9x/NT; most people I know have switched from F-Secure's SSH client to PuTTY.

- A.P.
--

"One World, One Web, One Program" - Microsoft Promotional Ad

Re: Debian does NOT DISTRIBUTE non-free software

[knghtbrd]

Debian provides non-free software on its servers as a service. It does not and will not distribute this non-free software. Other people may or may not choose to distribute it themselves but the CD images we build do not at all feature non-free software.

We're likely to be voting very soon about removing the non-free software from our primary servers and placing it on a machine with a different hostname. If this happens it will still be available to everyone as it is now, but hopefully it will help stop silly comments like "Debian distributes non-free software" from popping up all over the place.

Not so fast...

[Brian Knotts]

I know that that part makes it sound like you can *use* the software for whatever you like, but...

From the ssh COPYING file:

--------------------------------------------------

(b) You may use the program for non-commercial purposes only, meaning that the program must not be sold commercially as a separate product, as part of a bigger product or project, or otherwise used for financial gain without a separate license. Please see Section 2, Restrictions, for more details.

--------------------------------------------------

And...from the ssh FAQ:

--------------------------------------------------

3.2 May I legally run ssh?

The UNIX version of ssh 1.2.27 may be used freely for non-commercial purposes and may not be sold commercially as a separate product, as part of a bigger product or project, or otherwise used for financial gain without a separate license. The definition of "commercial use" is generally interpreted as using ssh for anything that would generate financial gain, such as logging into a customers system to do administration, or providing ssh as a secure login to your partners or vendors.

In email between Data Fellows and the maintainer, the following questions were asked and answered:

================================================== =============
S: Steve Acheson, FAQ Maintainer
P: Petri Nyman, F-Secure SSH Product Manager for Data Fellows

S)Can a company use the 1.2.26 release of the SSH software freely for
S)internal support and administration without violating the license
S)agreement?

P)You can freely use it for internal support and administration of your own
P)equipment located in your premises.

S)Does connecting from one machine to another via SSH to
S)read email, do work, etc, violate this agreement?

P)No, unless you provide this ability to a third party or connect to a third
P)party's computer to provide a service.

S)Does connecting from a purchased PC client SSH software to a non-licensed
S)SSH server violate the agreement?

P)No.

S)Does connecting to a remote site, that is not company owned, but company
S)administered, via SSH to do administrative work violate the agreement?

P)Yes. You need a commercial license for that.
================================================ ===============

--------------------------------------------------

So, I'd say that it's at least legally questionable if you use ssh to connect to client machines, or vice-versa.

--

OT: Making Debian packages

[Matthew Weigel]

grab a .deb, change its suffix to .tar.gz (or .tgz as you like), and untar/gunzip it.

Take a look inside. I don't have Linux installed right now (in the process of clearing out a nasty and cobwebby install), so I can't say how to do it -- but look and see, I remember it was extremely easy.

If you'd like to email me for more, feel free, but I seem to recall there's also some documentation on the Debian web site. ::search search:: Yup, take a look at:

1. the FAQ, [debian.org]
2. the Debian Packaging Manual [debian.org]

I assume that #2 is what you were referring to, but I don't know.

Re:Have you looked at libio license?

[pb]

Heh. I've used libio before, it's another reason to use iostream. Unless you really need all the nifty operator-overriding functions of C++, or are working with templates, and for some reason functions and macros aren't good enough for you... All libio has ever done for me is slow my code down.

Re:Easiest "Ask Slashdot" question yet-use the GPL

[pb]

For those who don't want to see free software become tainted, this is another reason to use the GPL.

However, a decent answer to this question would involve trying to look for a solution, maybe something like SSLrdist [quick.com.au] would be appropriate. It's based on SSLeay, USC rdist, and stuff from NetBSD. So it looks free to me, and that's a good place to start. Comments?

Re:Easiest "Ask Slashdot" question yet: use Debian

[ninjaz]

With the article being titled "Pseudo-Free Software" in Major Distributions?, I think pointing out the fact that Debian is very careful about this sort of thing is quite on-topic.

Btw, an interesting tidbit from Magnicomp.com's ftp server:

The following statement is required by the original University of California copyright: This product includes software developed by the University of California, Berkeley and its contributors

What this means is they've taken something under the BSD license and made their fork proprietary. Of course, the Magnicomp.Com-unmolested code under the BSD license will remain free.

ssh / sdist

[ninjaz]

You should be using ssh-1.2.27, as it's the most recent 1.2.x version, which doesn't have the noxious licensing terms of ssh 2.x Quoth the license:

(b) Activities other than copying, distribution and modification of the Program are not subject to this License and they are outside its scope. Functional use (running) of the Program is not restricted.

The sdist program it comes with is the secure replacement for rdist (and has no restrictions on Functional use as per the COPYING file in the ssh distribution).

Re:ssh / sdist

[ninjaz]

Not as far as I know.. The latest version at the time of the rootshell incident was 1.2.26, and is detailed here [rootshell.com] This is the last mention of ssh in this light on bugtraq.

Consider CVSup

[DrZiplok]

Whilst optimised for use with CVS repositories, you might want to consider CVSup [polstra.com].

Pesky author indeed.

[Static]

I seem to remember one Michael Cooper making a nuisance of himself some years ago. I can't remember what about, unfortunately, but I was on FidoNet at the time. Maybe that will jog someone's memory...

On a more practical note, this is a perfect example of why the BSD licence is dangerous. One Brett Glass should pay attention to this situation.

Re:Welcome to $Linux$

[Matthew Kirkwood]

Nice comment, I has just one observation:

One last point: when Linux advocates tell you it's free, they are right in every sense of the word, AS LONG AS YOU WANT TO TAKE RESPONSIBILITY FOR YOUR OWN PROBLEMS. If you want someone else to do your worrying for you, you have to pay for that. That will never change. Linux gives you back control, but you still own your headaches.

You forgot to mention that you can pay Linux people to have headaches for you as well as NT people.

Re:Not so fast...

[Thomas Charron]

I look at it this way.. If you are DIRECTLY DOING SOMETHING that the company is directly making money on, then you must pay. Internal support, etc, you are not making money on. If I'm a company who provides admin services, and I use it, I AM making money by doing what I am..

Seems pretty self explanitory..

Re:various things

[Thomas Charron]

So, you choose the have 1,000 points of failure vs 1? I can configure one thing on one machine, or 1 on 1,000. Seems an easy answer to me.. Pushing it out is better and easier, and can provide more redundence. Better choice would be to have 2 'push' servers, that 'pull' from eachother regularly to keep eachother in sync. Then have the 'primary' do pushing, and the 'secondary' check up to ensure the data is in fact correct..

Re:Linux & the Pseudo Free Software

[tolldog]

Hmm.... rpm present the license for each package...
No thanks... the install time would be impossible... Microsoft presents one for its OS (pluss the annoying apps that come with, can we say IE), and then one for any other seperate application/suite that you install.
Maybe, have the licenses installed to something like /var/spool/license and make it the users responsibility to read the licenses for the software installed, if you don't agree with a particular one... use the magic rpm -E.

Re:Welcome to $Linux$

[ahornby]

Use teraterm on NT instead. It is free (as in beer) and provides a a perfectly good telnet client and even a free ssh1 client using ttssh. It is wise to look at alternatives before spending money :)

Alex.

Re:Rdist is under BSD license

[Bill Sebok]

6.1.4 is the last version under the BSD licence. I did a diff -r of 6.1.4 vs. 6.1.5 and the only thing changed (besides the licensing) is some comments added with details about running rdist with ssh.

I am a bit perturbed that there was no mention of 6.1.5 or the license change on the rdist developers list. The first I heard of 6.1.5 was some note on the list asking for help with 6.1.5.

"even if the person behind MagniComp is the individual who did the work at USC (one Michael Cooper)" It is the same person. Michael Cooper left USC for Sun. MagniCorp is (I think) his own corporation for stuff he has done that is not concerned with Sun.

If someone wants a copy of rdist 6.1.4 I can send it.

Apology from "use Debian" guy.

[Freed]

I apologize for being a bit irresponsible in my post. Though I am a Debian user, I should not let that interfere with my support for Redhat. As has been pointed out to me, Redhat is as committed to free software as Debian. They just goofed on rdist, just as Debian has goofed in the past. Thanks to those who corrected me.

Re: Debian does distribute non-free software

[Phil Hands]

Hi Bruce,

While you may have written the scripts that were used to build ``bo'' CDs, I think we should probably credit Andreas Jellinghaus, who did an almost total rewrite for ``hamm'' (a.k.a. Debian 2.0).

I then maintained that set of scripts, but there has since been another rewrite by Steve McIntyre (for ``slink'', a.k.a. Debian 2.1), with contributions from a whole bunch of people on debian-cd@lists.debian.org.

Apart from that, you are correct in saying that the Official Debian GNU/Linux CDs contain only software that meets the Debian Free Software Guidelines [debian.org].

Cheers, Phil.
P.S. rsync ? I think you mean rdist. rsync is GPL. Debian's rdist is rdist-6.1.3 (usc.edu:/pub/rdist) which is BSD.

Older BSD rdist?

[Colin Smith]

Does this mean that the Debian rdist is the older BSD rdist which uses -Server option? If so, I've been looking for it everywhere. I'm going to have to try Debian out.

Re:Older BSD rdist?

[Colin Smith]

BTW, _finally_ found source for the old BSD version of rdist and got it built for Linux. If anyone else is having problems finding this version, i'll stick it on my web pages.

You can catch me at:
Colin.Smith@yelm.freeserve.co.uk

Alternatives, and some comments

[Bruce Perens]

Try Omirr [debian.org], the Online Mirror Daemon, or Rsync [debian.org]. Both are free software.

This would not have happened if you were using Debian, because Debian considers the license of each package for compliance with the The Debian Free Software Guidelines [debian.org], the document that later became the Open Source Definition.

Thanks

Bruce

Re:Have you looked at libio license?

[Bruce Perens]

Yes, it's annoying. I'm tempted to put together a LGPL version of libio - I wrote one once for Zortech C++, it took about a week.

Bruce

Re: Debian does distribute non-free software

[Bruce Perens]

It's not in any current Debian distribution (I ran find on my Debian mirror). If it was in an older distribution, it was probably the BSD-licensed version.

Bruce

Re:Alternatives, and some comments

[Bruce Perens]

OK, Debian ships the free version in the Debian ships the free version. Maybe if you extract the red hat source package you can tell what version they ship - they don't install license files on their system the way Debian does.

I'm more than a bit wary of a program with two very different licenses on the same site. It sounds as if some left hands don't know what the right ones are doing.

Bruce

Nope, Red Hat version is non-free.

[Bruce Perens]

I spoke too quickly. Debian ships the free version. Red Hat's version is restricted by an addition to the BSD license that makes it non-free.

Bruce

Re: Debian does distribute non-free software

[Bruce Perens]

Oops, it's in the Debian netstd package. Debian is shipping a free version. The Red Hat version has an addition to the BSD license that makes it non-free.

Bruce

Re:100% redhat FUD.

[Bruce Perens]

Nope, sorry. Debian contains an earlier version under an unmodified BSD license. The RH version doesn't allow commercial use.

Bruce

Re:Alternatives, and some comments

[Bruce Perens]

But that's not the BSD license! That's a BSD-license with an addendum that makes it non-free. The "BSD" tag on the .rpm is wrong, and would mislead the customer into believing that adendum was not there!

Gotcha!

Bruce

Re:Alternatives, and some comments

[Bruce Perens]

It turns out I was right, AC. Apology accepted :-)

Re:Summary

[Bruce Perens]

Yeah rdist. It's getting late. Thanks for the verification.

Re:Alternatives, and some comments

[Bruce Perens]

One would think that a license that prohibits your use of the program for commercial gain would get in the way of completing your work. In this case, Debian protected you from that license, allowing you to get your work done. RH, through an innocent oversight no doubt, did not.

Re: Debian does distribute non-free software

[Bruce Perens]

OK, I created the scripts (and the concept of the Debian Official CD and its policies). I've no wish to steal credit from people who have re-written them in recent times.

I got rsync and rdist confused in more than one posting. Sorry. Time to go to sleep.

Thanks

Bruce

Re:Older BSD rdist?

[Bruce Perens]

Nope, it's not that old.

Re:informing redhat...

[Bruce Perens]

I'm sure they know by now. And I'm sure it wasn't deliberate and they'll fix it right away. OK, RH let one get by and Debian didn't, but I agree it's not RH's policy to let this stuff slip by and they will fix it.

Bruce

Re: Debian does distribute non-free software

[Bruce Perens]

There's no non-free software on the Debian Official CD. If you want to use the non-free stuff, you have to get a non-free CD from your CD distributor that's separate from the Official CD, or you have to download it. In either case, the words "non-free" are staring you in the face.

The Debian Social Contract was not written to eliminate non-free software from the face of the earth, but to keep it out of Debian's "main" directory. The contrib and non-free directories aren't an official part of Debian.

Bruce

Re: Debian does distribute non-free software

[Bruce Perens]

I wrote the scripts that master the Debian Official CD set. The ISO 9660 files that are the output of these scripts are distributed to CD manufacturers by Debian. If you want to call it the Official CD, you can replicate the ISO 9600 images that Debian distributes to you, but you can not change them. You can of course distribute other versions of Debian as long as you do not call them official.

The Official CD ISO 9660 images do not contain non-free software. They do contain an old BSD version of rsync.

Bruce

Summary

[Bruce Perens]

Let's see if I've got this straight. There are three rsync licenses. The license on their web site is seriously non-free. The license in the red hat version has an addendum to the BSD license that doesn't allow for-profit use, so it's non-free as well. The red hat one-line license indicator just says "BSD" and that's wrong. The Debian version is from 1996 and is under the straight BSD, so it's free software.

Bruce

Re:Welcome to $Linux$

[Bruce Perens]

Everything in Linux is like this. They grab you by telling you everything is free then when you want to do anything necessary to get a big corporatoin running, your forced to fork over big bucks to companies you've never heard of

That, sir, is why we're so "fanatical" about licenses. To protect you from exactly what you described.

Thanks

Bruce

Re: Debian does distribute non-free software

[Bruce Perens]

I checked. There's really an addendum to the Red Hat version that makes it non-free. Extract the source package and look just before the usual BSD license text.

Re:rsync not rdist

[aqua]

Rsync is GPLed, and a lot more efficient than rdist for most purposes -- the debian ISO mirror process is one good example.

If you do go with rdist-style distribution, check into sdist, which might (I can't recall with any certainty) have a more liberal license than rdist, and uses SSH.

For the SSH portion, there are troubles. Free implementations of ssh are underway (the ssh1 license allows some levels of commercial use, ssh2's is too restrictive to be commercially useful), but taking their time.

Re:rsync not rdist

[Marsala]

rsync does indeed have a configuration file, and it's pretty easy to set up an rsync server. The rsyncd.conf file looks a lot like an smb.conf file (probably because Andrew Tridgell and Paul Mackerras wrote the sucker) and by jamming a simple shell script into the crontab on different machines you can mirror data pretty easily.

Re:Linux & the Pseudo Free Software

[jbgreer]

Agreed, that reading licenses during an install for each package, separately presented, would be a kind of legalistic hell. The point I'm trying to make, and I think you've picked up on, is that usable mechanism should be put in place. I'd like a universal mechanism, capable of provided all types of licenses and covering all situations, including installs, upgrades, etc.

Linux & the Pseudo Free Software

[jbgreer]

It's nice to see so many folks chiming in with comments about ssh & rdist replacements; the competition to build a better mousetrap sometimes seems a bit ridiculous, but then you run into a situation like this and you're grateful.
Unfortunately, being able to name a replacement is not the point. The point is that someone out there is not going to know that there is a licensing distinction for some piece of software including on one of the distros and they're going to violate the terms of the license. And they're going to get caught. And they're going to raise a stink. Not that this is a real problem; I think all of the distributions should band together to develop some universal mechanism for informing users when they are installing a "pseudo-commercial" licensed product.
I think that rpm, yast, apt and whatever tools that are used to install packages should be modified to present the license to a user when it varies from the license used by a majority of the distribution. Or that a user should have to read/accept each license in kind.

Re:Have you looked at libio license?

[Jason Merrill]

The plan is to remove the GCC requirement. The new exception will be

// As a special exception, you may use this file as part of a free software
// library without restriction. Specifically, if other files instantiate
// templates or use macros or inline functions from this file, or you compile
// this file and link it with other files to produce an executable, this
// file does not by itself cause the resulting executable to be covered by
// the GNU General Public License. This exception does not however
// invalidate any other reasons why the executable file might be covered by
// the GNU General Public License.

informing redhat...

[kevin lyda]

redhat has a track record of knocking non-free software off their cd's if given an alternative.

has anyone considered informing them? or is it just more fun to piss and moan about it here?

Re:Linuxppc

[broonie]

> .. has a similiar directory structure for their RPMS. Why does this make Debian superior?

Most people are somewhat i386 centric? Debian is rather anal about licenses.

> 1. how does one upgrade a debian box if a security issue is found with a package?

Either grab the deb and install it manually, or use dselect/apt to work out if there are any updates and install them (see next question).

> 2. What exactly does apt-get update actually do (it seems to just change a few gzipped files on my machine representing the directory structure of the debian ftp site)

That's what it does - it updates the list of avalible packages. To upgrade all the upgradeable packages, use "apt-get upgrade". To upgrade/install a specfic package, use "apt-get install foo".

> Does ir get packages which have been changed due to security related issues?

No. If you have the security updates archive locations (security.debian.org and proposed-updates) in your sources file, then doing "apt-get update ; apt-get upgrade" should do the right thing.

> 3. DOes anyone have a script/howto for making debs. RPMS seem really easy, but the stuff for debs on the debian site seemed a litte too confusing.

I found the easiest thing was to just do it. It's sometimes instructive to look at the diff files of existing packages to see how they do things. A good starting point is to use dh_make to put in a skeleton which works for packages configured using autoconf (ISTR the potato version broke - if it's still broken, try the one from slink). Use lintian to check for errors in the built debs - it's very useful.

> 4. Has the debian open-source manual been released, yet?

Pass. There's a whole bunch of debian manuals - take a look at the Debian Documentation Project for more info (it's linked from the devel section of the web site).

Re:Are software licenses legal?: Revisited.

[jwilloug]

"THIS SOFTWARE IS SOLD AS IS, WITHOUT WARRANTY OF ANY KIND"

My personal favorite is the clause that usually comes right after this: "including implied warranties of merchantability and fitness." In other words, the software isn't actually worth enough to sell (but worth far too much to give away! Programmers would starve!), and even if it were, it's not useful for any particular purpose, anyway.

If manager types read these things, they'd go nuts. Wait! We just spent how many thousands of dollars? And all we have is crates full of coasters and many copies of the same useless software that is collectively worth somewhat less than a penny?

Re:Have you looked at libio license?

[JoeBuck]

But the LGPL also have problems; it isn't suitable for embedded systems customers, who have, in effect, been paying most of the bills for gcc development (via Cygnus support contracts). Switching libio to the LGPL would not be acceptable to the people that are doing or paying for most of the work.

The current license (GPL with special exception) requires that at least one .o file be compiled with gcc. But the LGPL has many more requirements: the executable must be shipped in linkable form, and there are other requirements as well.

Switching libio to the LGPL will make matters worse for many. Some other solution is needed.

VPN maybe?

[True Dork]

Could a VPN like vpnd work for you? you could create a private IP network inside it and use unencrypted free tools inside an encrypted tunnel. Just a thought :)

Re:VPN maybe?

[True Dork]

Well, there is a howto for a vpn with ssh in /usr/doc/HOWTO/mini/VPN (in RedHat anyway). What it does is use a pppd over ttys over ssh. It works quite well, but the only problem I have is that it doesnt notice when it is dead and tends to leave ghosted ppp's floating around. I'm sure that could be scripted though. One hint: Since you are on a 10mb lan, make sure you dont use compression in the ssh part. It will slow you down painfully. It did that to me on a 3mb link. On slow connections, the compression works beautifully.

Vpnd was probably referring to slip because a VPN is a virtual point to point connection, and then you can route through that point. I would think PPP would make more sense than slip, but who knows.

I've seen a few other projects that look promising. Check out the FreeS/WAN project at http://www.xs4all.nl/~freeswan/. It uses IPSEC so it should work with other IPSEC devices.

The reason I suggested a vpn of some sort is after you have securely connected two networks, encrypting file transfers, ttys, etc become unneeded unless you've got people inside your own network you have to worry about. This allows many more tools to be used for administration.

Use stunnel/stelnet: they're free

[leonbrooks]

These can effectively replace ssh: as to rdist, wouldn't rsync do? You could stunnel it if you felt it necessary.

You're wrong on the terms

[hatless]

The license terms look similar to those for MySQL. That is, it's free of charge when a person, company or org puts it on its own machines, regardless of who uses the machines. Payment and/or negotiation are required for redistribution.

As with MySQL, you seem to be welcome to build resale solutions around it without anyone getting paid, so long as your app leaves it to the customer to obtain and install rdist themselves separately.

The terms are weird and tortuous, but they do not seem to require payment for commercial or business-to-business use per se.

Re:Have you looked at libio license?

[msw]

Richard assured me in Paris that all the necessary permissions have been granted for the glibc maintainers to change the libio license to LGPL.

rsync not rdist

[consumer]

You should use rsync instead. It's faster, and support SSH.

Re:Free

[InfiniteReality]

Slackware is oudated? Well, for one, that's wrong, and obviously Slack is doing something right, as it is the 3rd most popular distribution behind Red Hat and Debian. The old you refer to is probably Slack still being based on Libc5. However, Libc5 is rock solid stable.

Re:Apology from "use Debian" guy.

[c_r_a_s_h]

Freed

Thanks for posting that. Your point is well taken...anybody who claims to have all free software but doesn't *should* be called on it (and it doesn't matter who it is...Debian, RedHat, S.u.S.e, or any others.)

However, a point that is just under the surface there is this: one of our greatest strengths is that GNU/Linux comes in so many different packages. It's the same core but with many different makers (distros) which all provide their own set of options. What distro A lacks, B has, so if you need that function/option, B is the better choice. However, as sure as that B will lack something that A has.

I tend to view the fact that we have different distros and so many variations, yet all based very much on the same core system as a strength. If a Micro~1 product falls short, who can you turn to while keeping with Windows? No-body (generally speaking here.) If a GNU/Linux distro falls short, there is another to step-in and take its place.

I sometimes find it interesting how we spend so much time fighting each other and trying to destroy what is actually one of our strong selling-points.

I don't mind this

[jfroebe]

As long as it is clearly documented, I don't have a problem with this. Most companies will pay $$$ for the free software (remember the Cygnus tools?) if it comes with some level of support. We aren't talking about personal usage here.

However, if the software is distributed in a RPM or similiar package, I believe that it should be a requirement of the distribution that the description in the package clearly states that "if you use this for commercial use, please read the license file" or such.

It's alright that someone gets paid for their work.

Jason

p.s. Does anyone know how to change the email address of a slashdot account? I've since moved ISPs.

Re:ssh / sdist

[Carl Nasal]

I believe an earlier version was if you configured it in a VERY certain way (which was not a normal configuration). Anyway, 1.2.7 fixes this problem although even earlier releases might have this bug fixed.

SSH 1.2.7 is probably the best version available (for cost & what you get) IMHO.


Thank you,
Carl Nasal
ZZWeb.net Web Hosting [zzweb.net] - $15 & $30/month accounts!

--
ZZWeb.net Web Hosting - http://www.zzweb.net

Re:Free Software is Business-Friendly

[cloudmaster]

Yes, why should I have to read the liscense for software I'm concerned about. It's not like using the software usually implies I agree with the liscense and thus know what the liscense says or anything... I should depend on someone else to know everything for me. :) But, with sarcasm mode turned off, the earlier poster who mentioned a list of free and kindafree stuff has a good idea. There oughtta be a liscense summary or something with distribs...

Re:Welcome to $Linux$

[Cally]

> Where it becomes more questionable is in a
> mid-sized environment. Sometimes time is
> cheaper than money -- use Linux. Sometimes
> money is cheaper than time -- use Microsoft,
> but be aware that you will probably spend
> more time than you ought maintaining things.

My employers, who I am trying to subvert from within ;) , use Netware file servers, NT application (email, web, DNS/DHCP) servers and '95 on the 230-ish clients (including ~35% laptops). Shock result:

• The Netware box has crashed twice in eighteen months (a dodgy NLM.)
• The NT servers are tempramental -- OK-ish for a few months, then randomly crashing / locking up several times a day for a while.
• The client machines are on a six month duty cycle : twice I year, regardless of whether problems have been reported, they are pulled in, stripped down and rebuilt.

I'm running the webservers -- I can't do anything about NT *yet*, but Apache performed exactly as the previous poster described in comparison with IIS. IIS 'works' approximately out of the box, whilst Apache will *not* work until you've at least read and understood the .conf files. However there's been loads of issues with IIS (security holes, exploits, old-fashioned bugs etc) and ours crash the server or grab 100% of the CPU every few weeks. Apache 1.3.* OTOH has required zero maintenance since started.

Re:Look at cfengine

[GeekBoy]

Hi,

We use at the company I work for on about 1000 desktop workstations. It works great and makes life a hell of alot easier for us CSA's.

Cheers
**************************************** ****
Superstition is a word the ignorant use to describe their ignorance. -Sifu

Re:OT: Making Debian packages

[rillian]

grab a .deb, change its suffix to .tar.gz (or .tgz as you like), and untar/gunzip it.

This isn't precisely correct. You have to unar it first to get the tar.gz files. Coincidentally, there are detailed instructions for this in the accellerated glx project faq [openprojects.net].

Re:rsync not rdist

[__aasmho4525]

hello all. i totally agree. it should be noted that rsync is generally best at being used to "pull" content, where rdist is best at "pushing" it. different paradigm, different design goals. i've found pull to be (arguably) easier to manage in *most* cases; i find it easier to make pull emulate push, but the other way around seems significantly more difficult to achieve. both serve their purposes well. i myself i use rsync wherever possible. it's horribly efficient when synchronizing very large structures of related directory structures around. cheers! Peter

Re:Look at cfengine

[Splork]

We've got nearly 500 systems (Irix, Solaris, Linux, Unicos & ConvexOS) running it here. It makes host management a dream.

As for the author, well... Mark is a little backwards in his views on how to develop things. He's afraid of using patch, doesn't see the point in a CVS repository (he doesn't even use RCS), etc. So it can be difficult to get him to incorporate things; but it does happen.

Be realistic though. You shouldn't try and get *him* to add things; you should develop the addition yourself along with a discussion of how to implement it on the mailing list. If he likes the idea he'll add it to a future version.

Look at cfengine

[Splork]

cfengine is a GNU project which easily replaces rdist. It uses its own protocol rather than relying on a seperate program (ie: rsh or ssh) to transfer the data. Encrypted transfers are an option in the most recent (v1.5) version.

Check it out at the cfengine home page [hioslo.no]

Rdist is under BSD license

[jurgen]

I don't know who MagniComp is, but the version of rdist included with RedHat is 6.1.3 from University of Southern California and is distributed under the BSD license.

MagniComp appears to have forked their version off the USC source tree and "hijacked" the license. This is possible with the BSD license, which is why some of us feel that the GPL is better. The However, they definitely can't lay any claim on the version of rdist that comes with RedHat... even if the person behind MagniComp is the individual who did the work at USC (one Michael Cooper), that version had not yet been hijacked, so it's safe.

various things

[cs]

1: Ssh1 is not that expensive, just ssh2.
2: You don't need the server stuff on your 1000
hosts, just on the central one. Just have the
clients pull the files from the server (eg from
a cron job, like we do here).
3: Use rsync instead of rdist - it's much better.

Re:Easiest "Ask Slashdot" question yet: use Debian

[_Stryker]

It may not be flaimbait but it certainly is not on topic since it does not address the original question.
---

Re:ssh / sdist

[Yinon]

Isn't ssh1 voulnerable to some nasty buffer overflows? (The ones used to hack into rootshell)

Strange..

[ivan_13013]

It looks like the author, Michael Cooper, sold the software to MagniComp (and perhaps works there since his email address is now @MagniComp in recent documentation versions). The license that rdist is distributed under on MagniCorp.com is obviously unfree because of for-profit distribution restrictions and use restrictions.

One thing to consider is that RedHat may have paid MagniComp or Mr. Cooper to recieve rights to distribute rdist under the terms of the BSD license or another nonrestrictive license, instead of MagniComp's regular EULA. However, I can't verify this because my (RedHat binary) copy does not include a copyright or license file in /usr/doc/rdist-6.1.5, just a README which does not contain a license. The man pages don't have licenses either. Grr.

If you download it from MagniComp and read the copyright in the source distribution, it's a standard BSD license with Michael's text at the top saying you can't make any money from distributing or using it, without an agreement in writing from him. According to the changelog, the copyright notice was changed in November of 1998.

Re:Strange..

[ivan_13013]

Ahem. Please read more carefully. The license is **NOT** BSD. It is a modified BSD license which includes the standard rights to distribute with an advertising clause. It **ALSO** includes an addition at the top of the file clearly added by Mr. Cooper which puts additional restrictions on commercial use, you must get his permission and send him lots of money, etc etc etc. So it is not free.

Free software of all kinds is great. Programmers choose licenses based on how they want their work used, and that's great too. My favorite licenses for free software are XFree, GPL and BSD, all great. This program is no longer free and is under a license which essentially prohibits commercial use or commercial distribution of any kind, making it not-so-great.

Re:Are software licenses legal?: Revisited.

[Surak]

Unfortunately, yes. The courts have traditionally held that licenses *are* enforceable.

The Berne convention, the basis for most international copyright laws, states that all original works are automatically copyrighted and that the author, unless she specifically waives certain rights by declaring otherwise, is entitled to every protection under the copyright law, including the right to redistribute the work.

Basically, without the license, you have NO right to copy the work or really even to use it, except under "fair use" exemptions. What entails "fair use" is somewhat vague...and depends greatly on the type of work in question.

If software licenses were held to be unenforceable, however, this would be GREATLY *hurt* the free software movement, which actually depends on these licenses. Remember that the GPL, and other similiar licenses are just that: they are software liceneses and they do place restrictions on how software can be copied, modified and distributed. The fact that these restrictions are designed to protect people's rights to redistribute and modify free software is completely irrelevant.

The real question is not whether software licenses are enforceable per se, but whether or not *certain provisions* of these licenses are enforceable, such as restrictions about who and who cannot use a program.

I would say that distribution and copying can be controlled under copyright, but personally I would argue that if someone has *paid* for a license to use a program then that person cannot be denied the right to use the program under fair use, but if someone was *given* a program, but the license does not allow distribution to that particular person (or company) then they *could* be denied the right to use the program.

For a complete discussion by an excellent copyright attorney, you should check out "The Software Developer's Complete Legal Companion" by Thorne D. Harris III (Prima Publishing).

DISCLAIMER: I am not a lawyer, so this represents only a laypersons opinion. You should consult a lawyer if you really need to.

MySQL is another bad one

[memra]

MySql is another bad one and it doesn't even attempt to follow the SQL standards!

Use PostgreSQL [postgresql.org] instead.

As for mirroring multiple machines, the best way to do this is to use rsync [samba.org] along with SSH 1.2.27 [cs.hut.fi] and the blowfish encryption which uses less CPU time. Also make sure to turn on compression in rsync, -z I believe.
--
Michael Dillon - E-mail: michael@memra.com

Re:Strange..

[Eraserhd]

Under RedHat, rpm -qi will tell you the license, or at least the gist of it. (It's a one-line fields).

For rdist, it says BSD, tho.

Hrmm...

Major Distros with Pseudo-Free Software

[Untainted]

I think that any distro that is not completely free (speech) should have a clearly visible and accessible list of what is not OSS, so that any corporate employee that is trying to implement something like this does not suddenly run into trouble when they discover that they indeed cannot use such and such software in that manner. As far as I know, no such list is included or easily findable. I don't believe this poses much of a problem to individual home users, since most of that type of use falls under the legal part of the license, however this could be disastrous for small company that had trusted an employee to get something together, only to realize that this employee over looked a critical license issue, because, as a previous poster noted, this could be disastrous in the future, when Linux is much more widely used in corporate (high license adherence) enviroment.

Just my thoughts on this.

Re:Rdist is under BSD license

[A Masquerade]

RedHat 6.0 includes rdist 6.1.5 which is under the Magnicorp license.

The answer is to fork from the last free rdist version and then merge in any relevant bug fixes (you probably need to clean room this so that you aren't accused of just hijacking the Magnicorp version). Could this code fork be transfered to GPL?

BTW RedHat used to use a different rdist. The Michael Cooper version is much superior and we want to stay with that if at all possible. People do need an rdist version - rsync can't do somethings at present (ie script triggers on updates) although modifying rsync in that way is another option.

Re:Free alternatives

[Le douanier]

>I always thought it was an ancient BSD program

Well, this WAS a modified version of BSD program that was modified and put under a more restricted license. The BSD license allow you to do that. The GPL don't (unless it don't stand up in court), this i swhy I prefer the GPL (and why other people prefer the BSD license too ;)).

Re:ssh / sdist

[arl bean]

There is a GPL secure shell called lsh under development. See http://www.net.lut.ac.uk/psst/ [lut.ac.uk] I have not tried it and it does currently have the warning

This directory contains snapshots of lsh development. lsh is a free implementation of the ssh protocol.
lsh is far from finished; don't expect these snapshots to compile or work, and even if they appear to work, beware that lsh currently does *NOT* provide any security at all.
/Niels Möller

Re: Debian does distribute non-free software

[PugMajere]

P.S. rsync ? I think you mean rdist. rsync is GPL. Debian's rdist is rdist-6.1.3 (usc.edu:/pub/rdist) which is BSD.

There's a non-Magnicomp rdist that's greater than version 6.1.0 out there? How intriguing. The only one I was able to track down (and which prompted this posting) was the 6.1.5 version.

Time to do some more investigating.

Later: By the way, ftp.usc.edu/pub/rdist says "RDist_MOVED_TO_www.MagniComp.com"
Oh well.

Re:rsync not rdist

[PugMajere]

That's actually the issue that's giving me more problems than the rdist issues. I'm impressed by the MagniComp guys, and their licensing is extremely reasonable for ridiculously large numbers of machines. SSH 2, when combined with rdist, is unbelievably expensive. (You need the ssh server on each machine that rdist distributes to. 1000 x 300 is not a manageable cost to push in the name of security.)

Re:various things

[PugMajere]

It's more complicated than that - there are multiple sets of files that get sent to those 1000 machines, and those must be configured on a machine-by-machine basis. Currently that's handled via a centralized web interface.

I won't deny that it's possible to rework the whole system to use rsync, but it's probably much easier to rework the system to split internal destinations from external (client/vendor) destinations, and reduce our ssh licensing costs to something manageable that way.

Licenses for everythying!!!

[mwcjr]

One of my favorite comics, an old Fifth Wave I think, has a person paying for software with a check that says that it is presented as is and that it's cashing functionality isn't guarenteed. :-)

Have you looked at libio license?

[poopie]

Basically this means that you can't make commercial software on linux that uses libio unless you use a GNU compiler.

-----------------------

http://www.cygnus.com/pubs/gnupro/4_libs/c_The_G NU_C++_Iostream_Library/libioIntroduction_ to_Iostreams.html

Licensing terms for libio

Since the iostream classes are so fundamental to standard C++, the Free Software Foundation has agreed to a special exception to its
standard license, when you link programs with libio.a.

As a special exception, if you link this library with files compiled with a GNU compiler to produce an executable, this does not cause the
resulting executable to be covered by the GNU General Public License. This exception does not however invalidate any other reasons why
the executable file might be covered by the GNU General Public License.

The code is under the GNU General Public License (version 2) for all purposes other than linking with this library which means that you can
modify and redistribute the code as usual; remember that, if you do, your modifications, and anything you link with the modified code, must
be available to others on the same terms.

Re:Are software licenses legal?: Revisited.

[werdna]

The enforceability of shrink-wrap or non-wrap license agreements certainly remains, at least, an open question. While at least one Circuit Court (the Seventh) has found them to be enforceable, several others have not enforced shrink-wrap provisions for various reasons. Recent District Court cases in other Circuits have characterized the Seventh Circuit position as "the minority view."

In short, I respectfully dissent from the second sentence of the message to which I respond.

I note, with interest, that recent efforts to add a new article 2 to the UCC were directed to precisely this question, which would tend to support OSS non-wrap licenses. It is ironic that these proposals were largely rebuffed without much analysis by the open source community, precisely because the proposals were also supported by IP holders.

It is important to recall that, at least, the Stallman view --which eschews the notion of public domain free software in favor of GNU-like licenses-- depends upon the enforceability of Copyrights and related license agreements.

Open Source Compliance Opinions

[werdna]

In my legal practice, I am more and more frequently asked by clients (one or more a month now) to review ALL licenses of incorporated or embedded open source code and to advise or opine as to the specific obligations arising from the mix of software and the manner in which it the software is mixed with putatively proprietary code.

Unsurprisingly, clients' first question is whether (and if so, how much and how) code must be distributed in open source or at least offered for distribution. They are often surprised that there may be serious questions whether the software can be distbuted at all!

As it turns out, these questions are rarely easy ones to answer, even after assuming that the agreements are all fully enforceable. On the other hand, the failure to perform such an analysis can lead to substantial downsides such as the suggested example.

Re:ssh / sdist

[_Sprocket_]

Check out this link [www.ssh.fi]. It talks about the entire "Rootshell Incident", including the IBM team's "findings" and later retraction.

Basically, there was never a verifiable problem with SSH 1.2.26 (the version available when this whole incident took place). The IBM team that suggested a possible exploit (the same warning Rootshell latched on to in attempts to explain their compromise) ended up retracting their claim. However, panic and some politics have made this whole issue unclear.

1.2.27 took care of a hard-to-duplicate issue involving Kerberos support. And, as of right now, I'm not aware of any exploits at all against 1.2.27 (current version in the SSH1 tree).

I'd be glad to hear of any new developments I've missed out on. :)

The SSH Legal Issue

[_Sprocket_]

Before I get going on this, I'd like to begin by stating "I am not a lawyer." My observations are based on application of "common sense" to the documentation included. However, if common sense was infallible when applied to law, the Law profession would be much less lucrative!

With that being said...

Commercial use of SSH generally requires a license. But there are non-commercial allowances in both SSH1 and SSH2. The trouble is what the definition of "non-commercial" includes. SSH2 is very restrictive and pretty much discounts any use of the suite near anything "commercial" in any manner. SSH1 allows for greater leeway:

The file named COPYING [cam.ac.uk] that is included in the distribution reads:

Companies are permitted to use this program as long as it is not used for revenue-generating purposes. For example, an Internet service provider is allowed to install this program on their systems and permit clients to use SSH to connect; however, actively distributing SSH to clients for the purpose of providing added value requires separate licensing. Similarly, a consultant may freely install this software on a client's machine for his own use, but if he/she sells the client a system that uses SSH as a component, a separate license is required. If a company includes this program or a derivative work thereof, as part of its product, commercial licensing is required.

The interpretation I get from this is that a Commercial enterprise may use SSH1 as long as it is not a part of a specific service. Administration of local servers is OK. Services that include "Remote secure backups of your systems for pennies a day!" or "Checking accounts now come with secure online banking!" that includes SSH1 as its method of secure communications do not fit in the "non-commercial" license.

Once again, it would be wise to point out that it seems the folks selling SSH later decided against this kind of policy. SSH2's license is much more restrictive and reserves "non-commercial" licensing to personal use and educational use as part of academic research and/or teaching (note: educational institutions don't get to use it for administration).

But you're not out of the legal woods yet. SSH1 uses a whole slew of libraries and intellectual property that adds additional layers of license concerns. Thankfully, most of them are cleared by allowances for use of those properties in SSH1.

Two big concerns that aren't covered include IDEA and RSA. IDEA is easy to get around by not including it in your compile (opting for Blowfish instead). RSA is a tougher issue. You'll have to look at it yourself if you're still trying to figure it out (I luck out with a license granted to the US Government for RSA since a partial Gov't grant helped develop it at MIT).

Are software licenses legal?: Revisited.

[orichter]

This re-raises the issue:

Are software licenses legal or enforcable.
It's one thing when Microsoft has a license which states that by clicking on this button, you sign your soul over to bill, but I never clicked such a button when I installed my Redhat 5.2. Would this make Redhat responsible for license violations. Can you enforce a contract which one side has never even seen? I suspect the ideas of software licenses will have to be revisited by the legislature at some point (Scary thought).