
Re: TrueCrypt License 2.3


Wow, that's a lot of license text. There are multiple bits in these 
licenses that I don't like.

> TrueCrypt License Version 2.3
> [...]
> II. Terms and Conditions for Use, Reproduction, and Distribution
> 1. You [must] ensure that all the legal notices and
> documents (containing, e.g., the text of this License, references to
> this License, etc.) included with This Product are included with every
> copy of This Product that you make and distribute

This might be clutching at straws, but I don't like the requirement to 
include verbatim all "legal notices". My reasoning is that "legal 
notices" could be interpreted to imply notices about patents. In a 
jurisdiction that does not allow software patents, I do not think people 
should be forced to convey notices about patents that simply do not apply 
to them.

I suppose this is why debian-legal likes to analyse the freeness of 
software as opposed to licenses; my criticism certainly doesn't apply if 
there are no such patent notices.

> III. Terms and Conditions for Modification and Derivation of New
> Products
> 1. [...] 
>     c. Phrase "Based on TrueCrypt, freely available at
>     http://www.truecrypt.org/" must be displayed by Your Product (if
>     technically feasible)

I think it's obnoxious to have to include this exact phrase in
the product (as opposed to just in the documentation, or merely requiring 
any reasonable attribution). :( However, this is similar to what's 
allowed in GPLv3. I certainly didn't like the clause in the GPLv3, and I 
wasn't the only one, but I don't remember there being any consensus that 
it's non-free.

>     and contained in its documentation.
>     [...] In
>     each of the cases mentioned above in this paragraph,
>     "http://www.truecrypt.org/" must be a hyperlink (if technically
>     feasible) pointing to http://www.truecrypt.org/

Obnoxious. It's generally technically feasible to implement the 
hyperlink, but it can still be a hassle. For example, the GTK+ about box 
lets you add a hyperlink easily, but only on its own and not in the 
middle of arbitrary text.

>     Your Product (and any associated materials, e.g., the documentation,
>     the content of the official web site of Your Product, etc.) must not
>     present any Internet address containing the domain name
>     truecrypt.org (or any domain name that forwards to the domain name
>     truecrypt.org) in a manner that suggests that it is where
>     information about Your Product may be obtained or where bugs found
>     in Your Product may be reported or where support for Your Product
>     may be available or otherwise attempt to indicate that the domain
>     name truecrypt.org is associated with Your Product.

It's fair enough that in the derived work you aren't allowed to 
misrepresent truecrypt.org as the originator of the derived product. 
However, there's the possibility that I link to a support website out of 
my control that is subsequently forwarded to truecrypt.org.

> VI. General Terms
> 1. You may not use, modify, reproduce, derive from, (re)distribute, or
> sublicense This Product, or portion(s) thereof, except as expressly
> provided under this License. Any attempt (even if permitted by
> applicable law) otherwise to use, modify, reproduce, derive from,
> (re)distribute, or sublicense This Product, or portion(s) thereof,
> automatically and immediately terminates Your rights under this License.

This paragraph explicitly denies rights available under fair use or fair 
dealing. Hopefully a non-op (?), but not good.

All the above was about the "TrueCrypt License version 2.3". The other 
license I have trouble with is a short one.

> ____________________________________________________________
> This is an independent implementation of the encryption algorithm:
>         Twofish by Bruce Schneier and colleagues
> which is a candidate algorithm in the Advanced Encryption Standard
> programme of the US National Institute of Standards and Technology.
> Copyright in this implementation is held by Dr B R Gladman but I hereby
> give permission for its free direct or derivative use subject to
> acknowledgment of its origin and compliance with any conditions that the
> originators of the algorithm place on its exploitation.

I know the reference implementation for Twofish is in the public domain, 
and it's not been patented. But what happens, hypothetically, if Bruce 
Schneier were to publicly assert that people should not use the 
algorithm, say for moral reasons? Or what if he said "people should not
use this algorithm [as it is no longer considered secure enough]". Could
those situations not revoke my license to use this software?


Iain Nicol
