License Issue about Distributing NVIDIA's cuDNN library via Debian

lumin

May 24, 2017, 3:10:02 AM
Hi Debian Legal Team,

I intend to package[1] a proprietary deep learning
library named "cuDNN"[2], which is definitely useful
to deep learning researchers.

@lyeager kindly provided some help[3] on this but I'm
not really good at these legal terms.

Generally, to download the cudnn library, one needs
to first register or login at nvidia's website. Next,
the user is required to click "I agree ..."[4] to continue.
Now the secured library download link is exposed to the user.[5]

Initially I don't think such a well-protected proprietary
can be distributed by Debian, until I find this package
in Archlinux's community repo[6].

I don't know how the Arch guys achieved this but in their
PKGBUILD file (arch packaging script) there is an anonymously
downloadable link to the cudnn library[7]. What is notable
is the "redist" keyword in the URL. I can't find this "redist"
URL in nvidia's website.

I'm confused.

What makes me more confused is nvidia legal guy's word conveyed
by @lyeager [8]. Once a package is uploaded to the Archive, isn't
the distributor (legally) the Debian Organization? It's so weird
for an individual to take the role of distributor for a package
in Archive and I think it's impossible.

Anyway I'm not good at the legal field. I need help.

Thank you in advance :-)

P.S. "cuDNN", i.e. "CUDA Deep Neural Network", is a library
built upon nvidia's proprietary CUDA toolkit, which was available
in our archive for years[9].

[1] https://bugs.debian.org/862524
[2] https://developer.nvidia.com/cudnn
[3] https://github.com/CDLuminate/nvidia-cudnn/issues/1
[4] Unluckily this licence file is secured, only available after login:
http://developer2.download.nvidia.com/compute/machine-learning/cudnn/secure/v6/prod/Doc/NVIDIA_SLA%2BcuDNN_Supp_Feb2017_release.pdf
[5] https://developer.nvidia.com/compute/machine-learning/cudnn/secure/v6/prod/8.0_20170427/cudnn-8.0-linux-x64-v6.0-tgz
[6] https://www.archlinux.org/packages/community/x86_64/cudnn/
[7] http://developer.download.nvidia.com/compute/redist/cudnn/v6.0/cudnn-8.0-linux-x64-v6.0.tgz
[8] https://github.com/CDLuminate/nvidia-cudnn/issues/1#issuecomment-301827809
[9] https://tracker.debian.org/pkg/nvidia-cuda-toolkit

Luke Yeager

May 24, 2017, 1:10:04 PM
Adding Maitreyi, who is the Product Manager for cuDNN.

Paul Wise

May 24, 2017, 11:00:02 PM
On Wed, May 24, 2017 at 2:42 PM, lumin wrote:

> Hi Debian Legal Team,

debian-legal are not Debian's legal advisors, just a bunch of people
subscribed to a mailing list.

> I intend to package[1] a proprietary deep learning
> library named "cuDNN"[2], which is definitely useful
> to deep learning researchers.

Personally I would like to see the amount of proprietary nVidia stuff
in Debian reduced, not increased. I would suggest focussing your
efforts on OpenCL/Vulkan based and open source deep learning libraries
instead of proprietary stuff that only acts as lock-in for other
proprietary nVidia technologies (CUDA).

> @lyeager kindly provided some help[3] on this but I'm
> not really good at these legal terms.
>
> Generally, to download the cudnn library, one needs
> to first register or login at nvidia's website. Next,
> the user is required to click "I agree ..."[4] to continue.
> Now the secured library download link is exposed to the user.[5]

The license you linked to both allows and disallows redistribution,
seems like it needs a rewrite to be less bizarre. The allowance of
distribution is time-limited. Personally I would not be comfortable
distributing this and I do not think that Debian should do so either.

> Initially I don't think such a well-protected proprietary
> can be distributed by Debian, until I find this package
> in Archlinux's community repo[6].

They may be relying on the clauses allowing time-limited
redistribution, or they may have simply not read the EULA.

> I don't know how the Arch guys achieved this but in their
> PKGBUILD file (arch packaging script) there is an anonymously
> downloadable link to the cudnn library[7]. What is notable
> is the "redist" keyword in the URL. I can't find this "redist"
> URL in nvidia's website.

Probably nVidia need to remove this redist directory from their
website, since it is supposed to be only distributed behind a
click-wrap license.

> What makes me more confused is nvidia legal guy's word conveyed
> by @lyeager [8]. Once a package is uploaded to the Archive, isn't
> the distributor (legally) the Debian Organization? It's so weird
> for an individual to take the role of distributor for a package
> in Archive and I think it's impossible.

There is a long chain of many distributors: firstly you distribute it
to mentors.d.n, then mentors.d.n distributes it to your sponsor, then
your sponsor distributes it to Debian ftpmasters, then Debian
ftpmasters distribute it to Debian mirrors and CD vendors, then Debian
mirrors and CD vendors distribute it to Debian users, then Debian
derivatives (Ubuntu etc) distribute it to their mirrors and users.
Every one of those is potentially liable if they have been found to do
something illegal.

--
bye,
pabs

https://wiki.debian.org/PaulWise

Paul Wise

May 25, 2017, 10:00:02 PM
On Thu, May 25, 2017 at 10:51 AM, Paul Wise wrote:

> Personally I would like to see the amount of proprietary nVidia stuff
> in Debian reduced, not increased. I would suggest focussing your
> efforts on OpenCL/Vulkan based and open source deep learning libraries
> instead of proprietary stuff that only acts as lock-in for other
> proprietary nVidia technologies (CUDA).

For example, Intel's just released clDNN:

https://github.com/01org/cldnn

Lumin

May 25, 2017, 11:50:01 PM
Hi,

On 25 May 2017 at 02:51, Paul Wise <pa...@debian.org> wrote:

> Personally I would like to see the amount of proprietary nVidia stuff
> in Debian reduced, not increased. I would suggest focussing your
> efforts on OpenCL/Vulkan based and open source deep learning libraries
> instead of proprietary stuff that only acts as lock-in for other
> proprietary nVidia technologies (CUDA).

Me too. But cuDNN, in fact, is the fastest[1] DNN library supporting
many state-of-the-art research works (e.g. [2]) and production. And
in my real life work about deep learning I have no intention to try
those *slow* OpenCL libraries...

Indeed there are people working on the OpenCL side but OpenCL
is not the major force, at least now.

[1] https://github.com/soumith/convnet-benchmarks
[2] https://tensortalk.com/?cat=conference-cvpr-2016&t=type-code

>> @lyeager kindly provided some help[3] on this but I'm
>> not really good at these legal terms.
>
> The license you linked to both allows and disallows redistribution,
> seems like it needs a rewrite to be less bizarre. The allowance of
> distribution is time-limited. Personally I would not be comfortable
> distributing this and I do not think that Debian should do so either.

>> Initially I don't think such a well-protected proprietary
>> can be distributed by Debian, until I find this package
>> in Archlinux's community repo[6].
>
> They may be relying on the clauses allowing time-limited
> redistribution, or they may have simply not read the EULA.

The whole cuDNN package contains only a header and several
binary blobs, which should be easy for users to install by themselves
as long as they know how. However, if it turns out that it shouldn't
be uploaded to Debian, I'll not be able to build my deep learning
packages against the fastest lib, and users still need to compile
by themselves against cuDNN.

I'm fine with both results. If no cudnn, we'll not introduce more
non-free stuff. If there is cudnn, we'll have the fastest library
in archive in an easy-to-use format.

>> I don't know how the Arch guys achieved this but in their
>> PKGBUILD file (arch packaging script) there is an anonymously
>> downloadable link to the cudnn library[7]. What is notable
>> is the "redist" keyword in the URL. I can't find this "redist"
>> URL in nvidia's website.
>
> Probably nVidia need to remove this redist directory from their
> website, since it is supposed to be only distributed behind a
> click-wrap license.

The license of the current version of cuDNN is actually more permissive
than that of previous versions. And the survey before downloading the
blobs is canceled. Nvidia's attitude towards this library seems to be more
and more permissive and I hope this is true.

>> What makes me more confused is nvidia legal guy's word conveyed
>> by @lyeager [8]. Once a package is uploaded to the Archive, isn't
>> the distributor (legally) the Debian Organization? It's so weird
>> for an individual to take the role of distributor for a package
>> in Archive and I think it's impossible.
>
> There is a long chain of many distributors: firstly you distribute it
> to mentors.d.n, then mentors.d.n distributes it to your sponsor, then
> your sponsor distributes it to Debian ftpmasters, then Debian
> ftpmasters distribute it to Debian mirrors and CD vendors, then Debian
> mirrors and CD vendors distribute it to Debian users, then Debian
> derivatives (Ubuntu etc) distribute it to their mirrors and users.
> Every one of those is potentially liable if they have been found to do
> something illegal.

Thank you for the explanation :-)