[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: RIPEMD crytographic hash function

Andreas Rottmann wrote:

> [CC'ed debian-legal, they can probably give a more detailed and
> informed analysis of the proposed license]
Done, please forware appropriate information as needed.
> Antoon Bosselaers <bosselae@esat.kuleuven.be> writes:
>> Dear Sebastian,
>> The conditions of use you are quoting have been replaced for some
>> years now by the conditions listed below, see also
>> http://homes.esat.kuleuven.be/~cosicart/ps/AB-9601/.
>> Conditions for use of the RIPEMD-160 Software
>> The RIPEMD-160 software is freely available for use under the terms and
>> conditions described hereunder, which shall be deemed to be accepted
>> by any user of the software and applicable on any use of the software:
This is the bad clause.  It doesn't grant permission to copy, modify, or 
distribute, and it tries to restrict "use", which copyright licenses 
shouldn't do (patent licenses do, of course).  To be a proper license, it 
needs to look something like this:

"Permission is hereby granted to any person to use, sell, copy, modify, and 
distribute modified or unmodified copies of, the RIPEMD-160 software, 
provided that they agree to the following:"

It would be better if they used a standard license like BSD of course.
>> 1. K.U.Leuven Department of Electrical Engineering-ESAT/COSIC shall for
>> all
>>     purposes be considered the owner of the RIPEMD-160 software and of
>>     all copyright, trade secret, patent or other intellectual property
>>     rights therein.
This is a sort of attempt at a copyright statement, and doesn't belong in the 
license.  It has absolutely no legal benefit as far as I know; it's just 
noise.  Instead, the following should be just before the license:

The RIPEMD-160 software is copyright <year> K.U.Leuven Department of 
Electrical Engineering-ESAT/COSIC.

It is simply impossible to have trade secrets in a work you published, in any 
jurisdiction in the world, so I dropped mention of them.

By claiming that K.U.Leuven is the "owner of" all patent rights in the 
software, K.U.Leuven is doing something legally dangerous for itself, in the 
case that someone else owns a patent which is infringed by the RIPEMD 
software.  So I took out the patent reference, too.

If there are *actually* any patents applicable to the RIPEMD software which 
are *held by* K.U.Leuven, then Debian would want a correctly constructed 
patent license, which requires some care.  None of this is relevant unless 
they actually hold actual patents on the thing, so if they don't, it's worth 
avoiding.  If they actually hold actual patents, they should specify which 
ones may apply to this.

"Other intellectual property rights" are few and far between (the infamous 
European database right), and not worth mentioning unless you actually have 

>> 2. The RIPEMD-160 software is provided on an "as is" basis without
>> warranty of any sort, express or implied. K.U.Leuven makes no
>> representation that the use of the software will not infringe any
>> patent or proprietary right of third parties.

>> User will indemnify 
>> K.U.Leuven and hold K.U.Leuven harmless from any claims or
>> liabilities which may arise as a result of its use of the software.
As long as "its use" means "user's use" this is fine.  If it means "anyone's 
use", it's overbroad.

>> In no circumstances K.U.Leuven R&D will be held liable for any
>> deficiency, fault or other mishappening with regard to the use or
>> performance of the software.

>> 3. User agrees to give due credit to K.U.Leuven in scientific
>> publications
>>     or communications in relation with the use of the RIPEMD-160 software
>>     as follows: RIPEMD-160 software written by Antoon Bosselaers,
>>     available at http://www.esat.kuleuven.be/~cosicart/ps/AB-9601/.
Fine.  This is the one clause which isn't present in standard BSD.
It would be a reasonable addition.  However, it also isn't necessary.

It's better to say the following (separate from the license):

This license does not replace or supersede the normal rules of credit for 
scientific or academic publications.  If you use the RIPEMD-160 software in 
scientific work, it should be cited as follows:  RIPEMD-160 software written 
by Antoon Bosselaers, available at 

> I would recommend starting from a BSD-style license; your conditions
> look similiar in spirit (provided that the restriction of
> redistribution and modification is unintended):
> http://www.opensource.org/licenses/bsd-license.php
Yes, a good start.  I recommend
-- correct copyright statement
-- BSD license
-- separate statement (described above) requesting credit in scientific or 
academic publications

And if they actually have patents, come back to debian-legal.

Nathanael Nerode  <neroden@twcny.rr.com>

[Insert famous quote here]

Reply to: