[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Cryptlib licence

On Thu, Mar 04, 2004 at 03:58:55PM -0300, Humberto Massa wrote:
> David Gourdelier wrote:
> >I would like to know if crypt lib licence would allow it for being 
> >included in Debian as a Debian package. The licence is available at 
> >http://www.cs.auckland.ac.nz/~pgut001/cryptlib/download.html
> >
> >Thank you for your answer.
> Apparently, the license (text below) is a BSD-sans-advertising -like. 

Clause 3 appears to be a poorly-worded weak copyleft.  More below.

> More eyes, please:

Here have one of mine.  I don't really need depth perception anyway.  <g>

> Copyright 1992-2004 Peter Gutmann. All rights reserved.

This "All rights reserved" followed by a "go nuts" licence always seems to
jar with me.  Does anyone else have the same cognitive dissonance whenever
they read one of these?

> Redistribution and use in source and binary forms, with or without
> modification, are permitted provided that the following conditions are met:
> 1. Redistributions of source code must retain the above copyright notice, 
> this
>   list of conditions and the following disclaimer.

Mmm hmm.

> 2. Redistributions in binary form must reproduce the above copyright notice,
>   this list of conditions and the following disclaimer in the documentation
>   and/or other materials provided with the distribution.

OK.  Straight BSDish so far.

> 3. Redistributions in any form must be accompanied by information on how to
>   obtain complete source code for the cryptlib software and any accompanying
>   software that uses the cryptlib software.  The source code must either be
>   included in the distribution or be available for no more than the cost of
>   distribution, and must be freely redistributable under reasonable
>   conditions.  For an executable file, complete source code means the source
>   code for all modules it contains or uses.  It does not include source code
>   for modules or files that typically accompany the major components of the
>   operating system on which the executable file runs.

Must the information on how to obtain complete source code for the cryptlib
software be guaranteed accurate?  I mean, if I put the source on my website
for a while, then pull it down, by one interpretation I've complied with the
licence because it was valid when I wrote the information, but by another I
must provide the source code at the published location forever (or at least
until copyright runs out, which looks to be the same thing under the current
US regime, at least).

"and any accompanying software that uses the cryptlib software" feels a
little over-burdensome, but it's no worse (in my remaining eye) than the
equivalent GPL restriction.  "freely redistributable under reasonable
conditions" is *very* dangerous - major lawyerbomb (thanks for that term,
MJ!).  My idea of reasonable and the copyright holder's idea of reasonable
might be wildly different, and it's the copyright holder's opinion that
carries the most weight in law.  I'd seriously recommend asking Mr. Gutmann
to clarify his "reasonable conditions", preferably by amending the licence. 
"Under terms no more restrictive than those contained in this licence" would
be suitable, and make it a stronger copyleft (since you're guaranteed that
nobody can make the work less free).

Then we go deep into GPL territory.  "the source code for all modules [the
executable] contains or uses, [barring anything shipped with the OS]" is
useless from Debian's POV, because we either ship everything or nothing as
part of the OS, depending on which side of the "operating system" boundary
you think Debian sits.  Microsoft would love to have people extend the OS
definition deep into application space.  <grin>

Overall, this licence feels vaguely familiar to me - I think I've read that
particular copyleft clause before.  I don't remember using cryptlib, though,
so it's all a bit weird.

It appears that the author wants many of the protections of the GPL - down
to the OS exemption - without actually using the GPL.  My recommendation
would be to relicence under the GPL and be done with it - it is a widely
analysed licence whose effects are fairly well understood.

Aaaand the disclaimer appears normal, so I'll chop it because large
quantities of capitals are annoying.

- Matt

Reply to: