Re: RIPEMD cryptographic hash function
Andreas Rottmann wrote:
> [CC'ed debian-legal, they can probably give a more detailed and
> informed analysis of the proposed license]
Done, please forward appropriate information as needed.
> Antoon Bosselaers <firstname.lastname@example.org> writes:
>> Dear Sebastian,
>> The conditions of use you are quoting have been replaced for some
>> years now by the conditions listed below, see also
>> Conditions for use of the RIPEMD-160 Software
>> The RIPEMD-160 software is freely available for use under the terms and
>> conditions described hereunder, which shall be deemed to be accepted
>> by any user of the software and applicable on any use of the software:
This is the bad clause. It doesn't grant permission to copy, modify, or
distribute, and it tries to restrict "use", which copyright licenses
shouldn't do (patent licenses do, of course). To be a proper license, it
needs to look something like this:
"Permission is hereby granted to any person to use, sell, copy, modify, and
distribute modified or unmodified copies of, the RIPEMD-160 software,
provided that they agree to the following:"
It would be better if they used a standard license like BSD of course.
>> 1. K.U.Leuven Department of Electrical Engineering-ESAT/COSIC shall for
>> purposes be considered the owner of the RIPEMD-160 software and of
>> all copyright, trade secret, patent or other intellectual property
>> rights therein.
This is a sort of attempt at a copyright statement, and doesn't belong in the
license. It has absolutely no legal benefit as far as I know; it's just
noise. Instead, the following should be just before the license:
The RIPEMD-160 software is copyright <year> K.U.Leuven Department of
It is simply impossible to have trade secrets in a work you published, in any
jurisdiction in the world, so I dropped mention of them.
By claiming that K.U.Leuven is the "owner of" all patent rights in the
software, K.U.Leuven is doing something legally dangerous for itself, in the
case that someone else owns a patent which is infringed by the RIPEMD
software. So I took out the patent reference, too.
If there are *actually* any patents applicable to the RIPEMD software which
are *held by* K.U.Leuven, then Debian would want a correctly constructed
patent license, which requires some care. None of this is relevant unless
they actually hold actual patents on the thing, so if they don't, it's worth
avoiding. If they actually hold actual patents, they should specify which
ones may apply to this.
"Other intellectual property rights" are few and far between (the infamous
European database right), and not worth mentioning unless you actually have
>> 2. The RIPEMD-160 software is provided on an "as is" basis without
>> warranty of any sort, express or implied. K.U.Leuven makes no
>> representation that the use of the software will not infringe any
>> patent or proprietary right of third parties.
>> User will indemnify
>> K.U.Leuven and hold K.U.Leuven harmless from any claims or
>> liabilities which may arise as a result of its use of the software.
As long as "its use" means "user's use" this is fine. If it means "anyone's
use", it's overbroad.
>> In no circumstances K.U.Leuven R&D will be held liable for any
>> deficiency, fault or other mishappening with regard to the use or
>> performance of the software.
>> 3. User agrees to give due credit to K.U.Leuven in scientific
>> or communications in relation with the use of the RIPEMD-160 software
>> as follows: RIPEMD-160 software written by Antoon Bosselaers,
>> available at http://www.esat.kuleuven.be/~cosicart/ps/AB-9601/.
Fine. This is the one clause which isn't present in standard BSD.
It would be a reasonable addition. However, it also isn't necessary.
It's better to say the following (separate from the license):
This license does not replace or supersede the normal rules of credit for
scientific or academic publications. If you use the RIPEMD-160 software in
scientific work, it should be cited as follows: RIPEMD-160 software written
by Antoon Bosselaers, available at
> I would recommend starting from a BSD-style license; your conditions
> look similar in spirit (provided that the restriction of
> redistribution and modification is unintended):
Yes, a good start. I recommend
-- correct copyright statement
-- BSD license
-- separate statement (described above) requesting credit in scientific or
And if they actually have patents, come back to debian-legal.
Nathanael Nerode <email@example.com>
[Insert famous quote here]