Re: TrueCrypt License 2.3
Wow, that's a lot of license text. There are multiple bits in these
licenses that I don't like.
> TrueCrypt License Version 2.3
> II. Terms and Conditions for Use, Reproduction, and Distribution
> 1. You [must] ensure that all the legal notices and
> documents (containing, e.g., the text of this License, references to
> this License, etc.) included with This Product are included with every
> copy of This Product that you make and distribute
This might be clutching at straws, but I don't like the requirement to
include verbatim all "legal notices". My reasoning is that "legal
notices" could be interpreted to imply notices about patents. In a
jurisdiction that does not allow software patents, I do not think people
should be forced to convey notices about patents that simply do not apply.
I suppose this is why debian-legal likes to analyse the freeness of
software as opposed to licenses; my criticism certainly doesn't apply if
there are no such patent notices.
> III. Terms and Conditions for Modification and Derivation of New
> 1. [...]
> c. Phrase "Based on TrueCrypt, freely available at
> http://www.truecrypt.org/" must be displayed by Your Product (if
> technically feasible)
I think it's obnoxious to have to include this exact phrase in
the product (as opposed to just in the documentation, or merely requiring
any reasonable attribution). :( However, this is similar to what's
allowed in GPLv3. I certainly didn't like the clause in the GPLv3, and I
wasn't the only one, but I don't remember there being any consensus that
> and contained in its documentation.
> [...] In
> each of the cases mentioned above in this paragraph,
> "http://www.truecrypt.org/" must be a hyperlink (if technically
> feasible) pointing to http://www.truecrypt.org/
Obnoxious. It's generally technically feasible to implement the
hyperlink, but it can still be a hassle. For example, the GTK+ about box
lets you add a hyperlink easily, but only on its own and not in the
middle of arbitrary text.
> Your Product (and any associated materials, e.g., the documentation,
> the content of the official web site of Your Product, etc.) must not
> present any Internet address containing the domain name
> truecrypt.org (or any domain name that forwards to the domain name
> truecrypt.org) in a manner that suggests that it is where
> information about Your Product may be obtained or where bugs found
> in Your Product may be reported or where support for Your Product
> may be available or otherwise attempt to indicate that the domain
> name truecrypt.org is associated with Your Product.
It's fair enough that in the derived work you aren't allowed to
misrepresent truecrypt.org as the originator of the derived product.
However, there's the possibility that I link to a support website out of
my control that is subsequently forwarded to truecrypt.org.
> VI. General Terms
> 1. You may not use, modify, reproduce, derive from, (re)distribute, or
> sublicense This Product, or portion(s) thereof, except as expressly
> provided under this License. Any attempt (even if permitted by
> applicable law) otherwise to use, modify, reproduce, derive from,
> (re)distribute, or sublicense This Product, or portion(s) thereof,
> automatically and immediately terminates Your rights under this License.
This paragraph explicitly denies rights available under fair use or fair
dealing. Hopefully a non-op (?), but not good.
All the above was about the "TrueCrypt License version 2.3". The other
license I have trouble with is a short one.
> This is an independent implementation of the encryption algorithm:
> Twofish by Bruce Schneier and colleagues
> which is a candidate algorithm in the Advanced Encryption Standard
> programme of the US National Institute of Standards and Technology.
> Copyright in this implementation is held by Dr B R Gladman but I hereby
> give permission for its free direct or derivative use subject to
> acknowledgment of its origin and compliance with any conditions that the
> originators of the algorithm place on its exploitation.
I know the reference implementation for Twofish is in the public domain,
and it's not been patented. But what happens, hypothetically, if Bruce
Schneier were to publicly assert that people should not use the
algorithm, say for moral reasons. Or what if he said "people should not
use this algorithm [as it is no longer considered secure enough]". Could
those situations not revoke my license to use this software?