Re: licence for Truecrypt

To: debian-legal@lists.debian.org
Subject: Re: licence for Truecrypt
From: Michael Poole <mdpoole@troilus.org>
Date: 20 Jun 2006 10:02:05 -0400
Message-id: <[🔎] 877j3cylgi.fsf@graviton.dyn.troilus.org>
In-reply-to: <[🔎] 4497F234.2060507@internode.on.net>
References: <[🔎] 4497F234.2060507@internode.on.net>

Karl Goetz writes:

> Hi all
> I was looking at truecrypt, and noticed that the licence is not
> considered 'free' by Klause Knopper[1], but i don't see a view from
> debian-legal. does anyone know if this licence [2] would be free
> enough to ship with debian?
> Or, for that matter, if its come up before on the list and i couldn't
> find it, please do link me there :)
> 
> [1] http://lists.debian.org/debian-knoppix/2006/06/msg00019.html
> [2] http://www.truecrypt.org/license.php
> Karl

The license shows many signs of being written by someone with just
enough knowledge to be legally dangerous.  One sign is the frequent
use of alternatives -- "features/functionalities",
"product/modifications", and so forth -- rather than defining a
minimal set of terms up front and using them later.

>From III.1.d.:
   "Complete source code of your product or of the modified version must be
    freely and publicly available. If the source code is not included with
    every copy of your product/modifications, there must be a well-publicized
    means of obtaining the source code, preferably, downloading via the
    Internet without charge. The source code must not be deliberately
    obfuscated, and it must not be in an intermediate form (e.g., the output of
    a preprocessor). Source code means the preferred form in which a programmer
    would usually modify the program."

This is a lawyerbomb.  It is not clear that including a copy of the
full source code with every copy you distribute is sufficient, and it
is not clear whether "every copy of your product/modifications" is
meant to apply to copies made by third parties.

>From III.3.b.:
   "Your product/modifications (as defined in Section III.1.) are
    distributed and used only internally within the organization and only by
    members/employees of the organization for which you created the
    product/modifications and of which you were a member/employee when you
    created the product/modifications. (Here the word "organization" means
    a non-commercial or commercial organization, or a government agency.)"

Another lawyerbomb.  Under traditional laws of agency and employment,
this is redundant of III.3.a, except that it mixes in the vague term
"member" with the term of art "employee".

>From V.:
"1. Where applicable, the component licenses contained in parts of the
    source code and quoted below herein (Section "Component Legal
    Notices") might take precedence over the TrueCrypt License.

 2. This product is provided under the terms of this license
    (agreement). Any use, reproduction, distribution, or modification
    of this product or any of its parts constitutes recipient's
    acceptance of this agreement."

I don't think V.2 will stick in the US for plain use of the software,
and it is overbroad insofar as V.1 acknowledges that certain parts are
governed by different licenses.

Overall, this seems like a fairly pointless and dangerous but not
clearly unfree license; GPLv2 or v2+ with SSL exception and a
trademark note on appropriate use of "TrueCrypt" and "TrueCrypt
Foundation" seem like a much clearer choice.

Michael Poole

Reply to:

Follow-Ups:
- Re: licence for Truecrypt
  - From: MJ Ray <mjr@phonecoop.coop>

References:
- licence for Truecrypt
  - From: Karl Goetz <kamping_kaiser@internode.on.net>

Prev by Date: licence for Truecrypt
Next by Date: DomainKeys license(s) (Re: Hello and request for sponsor (DomainKeys packages))
Previous by thread: licence for Truecrypt
Next by thread: Re: licence for Truecrypt
Index(es):
- Date
- Thread