
Re: TrueCrypt License 2.3



On Sat, 12 Jan 2008 20:27:57 +0100 Francesco Poli wrote:

[...]
> The plain text version of the licence may be found at
> http://www.truecrypt.org/docs/License.txt
> and is pasted below in its entirety.

My comments follow.
As usual I would like to draw your attention to my disclaimers, that is
to say: IANAL, TINLA, IANADD, TINASOTODP.

[...]
> TrueCrypt License Version 2.3
> 
> 
> I. Definitions
[...]
> 4. "Your Product" means This Product modified by You, any work You derive from
> (or base on) This Product, any work in which You include This Product, or any
> respective part(s) thereof.

Does this mean that a mere aggregation (of the Product and other
unrelated works) counts as "Your Product"?
Does this broad definition interfere with DFSG#9?

[...]
> III. Terms and Conditions for Modification and Derivation of New Products
[...]
>     a. The name of Your Product (or of Your modified version of This Product)
>     must not contain the name TrueCrypt (for example, the following names are
>     not allowed: TrueCrypt, TrueCrypt+, TrueCrypt Professional, iTrueCrypt,
>     etc.) nor any of its variations that can be easily confused with the name
>     TrueCrypt (e.g., True-Crypt, True Crypt, TrueKrypt, TruCrypt, etc.)

I've argued several times in the past against these kinds of broad
restrictions.  I think they go beyond what is permitted (as a
compromise!) by DFSG#4.

See, for instance:
http://lists.debian.org/debian-legal/2007/11/msg00004.html
http://lists.debian.org/debian-legal/2006/04/msg00181.html

[...]
>     All graphics files showing any TrueCrypt logo (including the non-textual
>     logo consisting primarily of a key in stylized form) must be removed from
>     Your Product (or from Your modified version of This Product) and from any
>     associated materials. Logo(s) included in (or attached to) Your Product
>     (or in/to associated materials) must not incorporate and must not be
>     confusingly similar to any of the TrueCrypt logos or portion(s) thereof.

If these graphics files are unmodifiable and undistributable in
modified versions of the work, I think they are non-free and must be
removed from a Debian package, as long as this package can otherwise be
uploaded to the main archive (that is to say, as long as the other
showstoppers are solved).

> 
>     b. The following phrases must be removed from Your Product and from any
>     associated materials:
>     "A TrueCrypt Foundation Release"
>     "Released by TrueCrypt Foundation"
>     "This is a TrueCrypt Foundation release."

Like the above-mentioned Logos, these sentences deserve a similar
treatment.

> 
>     c. Phrase "Based on TrueCrypt, freely available at
>     http://www.truecrypt.org/" must be displayed by Your Product (if
>     technically feasible) and contained in its documentation. Alternatively, if
>     This Product or its portion You included in Your Product comprises only a
>     minor portion of Your Product, phrase "Portions of this product are based
>     in part on TrueCrypt, freely available at http://www.truecrypt.org/" may be
>     displayed instead. In each of the cases mentioned above in this paragraph,
>     "http://www.truecrypt.org/" must be a hyperlink (if technically feasible)
>     pointing to http://www.truecrypt.org/ and you may freely choose the
>     location within the user interface (if there is any) of Your Product (e.g.,
>     an "About" window, etc.) and the way in which Your Product will display the
>     respective phrase.

This is obnoxious, because it imposes an exact phrase to be included in
the modified work.  I think it's even worse than GPLv3#5d: it is very
close to failing DFSG#3, if not already failing.

[...]
> IV. Disclaimer of Warranties and Liabilities; Indemnification
[...]
> 4. You shall indemnify, defend and hold all (co)authors of This Product, their
> agents and associates, and applicable copyright/trademark owners, harmless
> from/against any liability, loss, expense, damages, claims or causes of action,
> arising out of Your use, inability to use, reproduction, (re)distribution,
> import and/or (re)export of This Product (or portions thereof) and/or Your
> breach of any term of this License.

Warning!  Indemnification clause: is it acceptable?  It smells as
non-free...

[...]
> VI. General Terms
> 
> 1. You may not use, modify, reproduce, derive from, (re)distribute, or
> sublicense This Product, or portion(s) thereof, except as expressly provided
> under this License. Any attempt (even if permitted by applicable law) otherwise
> to use, modify, reproduce, derive from, (re)distribute, or sublicense This
> Product, or portion(s) thereof, automatically and immediately terminates Your
> rights under this License.

This is non-free, as explained by Ken Arromdee in
http://lists.debian.org/debian-legal/2008/01/msg00132.html

[...]
> ____________________________________________________________
> 
> This is an independent implementation of the encryption algorithm:
> 
>         Twofish by Bruce Schneier and colleagues
> 
> which is a candidate algorithm in the Advanced Encryption Standard
> programme of the US National Institute of Standards and Technology.
> 
> Copyright in this implementation is held by Dr B R Gladman but I

This is very unclear: who is the "I" speaking here?
If it's Dr B R Gladman speaking, why does he speak in the third person a
few words before?  If it's not Dr B R Gladman speaking, how can he/she
give permissions, when the copyright is held by Dr B R Gladman?

> hereby give permission for its free direct or derivative use subject
> to acknowledgment of its origin

Where's the permission to copy and distribute verbatim and modified
versions?  Without this explicit permission, I think this "license"
fails DFSG#1 or DFSG#3.

> and compliance with any conditions
> that the originators of the algorithm place on its exploitation.

Which conditions?
Where are they listed?
I cannot tell whether they are DFSG-compliant conditions, until I see
them!

> 
> My thanks to Doug Whiting and Niels Ferguson for comments that led
> to improvements in this implementation.
> 
> Dr Brian Gladman (gladman@seven77.demon.co.uk) 14th January 1999
> ____________________________________________________________



In summary, I think this work is not suitable for inclusion in Debian
(main).  It could maybe be distributed in non-free, but I would be
happier if upstream were persuaded to re-license in a DFSG-free manner.


-- 
 http://frx.netsons.org/progs/scripts/refresh-pubring.html
 New! Version 0.6 available! What? See for yourself!
..................................................... Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12  31B5 78F4 279B DD6D FCF4
