[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: TrueCrypt License 2.3



On Sat, 12 Jan 2008 20:27:57 +0100 Francesco Poli wrote:

[...]
> The plain text version of the licence may be found at
> http://www.truecrypt.org/docs/License.txt
> and is pasted below in its entirety.

My comments follow.
As usual I would like to draw your attention on my disclaimers, that is
to say: IANAL, TINLA, IANADD, TINASOTODP.

[...]
> TrueCrypt License Version 2.3
> 
> 
> I. Definitions
[...]
> 4. "Your Product" means This Product modified by You, any work You derive from
> (or base on) This Product, any work in which You include This Product, or any
> respective part(s) thereof.

Does this mean that a mere aggregation (of the Product and other
unrelated works) counts as "Your Product"?
Does this broad definition interfere with DFSG#9?

[...]
> III. Terms and Conditions for Modification and Derivation of New Products
[...]
>     a. The name of Your Product (or of Your modified version of This Product)
>     must not contain the name TrueCrypt (for example, the following names are
>     not allowed: TrueCrypt, TrueCrypt+, TrueCrypt Professional, iTrueCrypt,
>     etc.) nor any of its variations that can be easily confused with the name
>     TrueCrypt (e.g., True-Crypt, True Crypt, TrueKrypt, TruCrypt, etc.)

I've argued several times in the past against this kind of broad
restrictions.  I think they go beyond what is permitted (as a
compromise!) by DFSG#4.

See, for instance:
http://lists.debian.org/debian-legal/2007/11/msg00004.html
http://lists.debian.org/debian-legal/2006/04/msg00181.html

[...]
>     All graphics files showing any TrueCrypt logo (including the non-textual
>     logo consisting primarily of a key in stylized form) must be removed from
>     Your Product (or from Your modified version of This Product) and from any
>     associated materials. Logo(s) included in (or attached to) Your Product
>     (or in/to associated materials) must not incorporate and must not be
>     confusingly similar to any of the TrueCrypt logos or portion(s) thereof.

If these graphics files are unmodifiable and undistributable in
modified versions of the work, I think they are non-free and must be
removed from a Debian package, as long as this package can otherwise be
uploaded to the main archive (that is to say, as long as the other
showstoppers are solved).

> 
>     b. The following phrases must be removed from Your Product and from any
>     associated materials:
>     "A TrueCrypt Foundation Release"
>     "Released by TrueCrypt Foundation"
>     "This is a TrueCrypt Foundation release."

Like the above-mentioned Logos, these sentences deserve a similar
treatment.

> 
>     c. Phrase "Based on TrueCrypt, freely available at
>     http://www.truecrypt.org/"; must be displayed by Your Product (if
>     technically feasible) and contained in its documentation. Alternatively, if
>     This Product or its portion You included in Your Product comprises only a
>     minor portion of Your Product, phrase "Portions of this product are based
>     in part on TrueCrypt, freely available at http://www.truecrypt.org/"; may be
>     displayed instead. In each of the cases mentioned above in this paragraph,
>     "http://www.truecrypt.org/"; must be a hyperlink (if technically feasible)
>     pointing to http://www.truecrypt.org/ and you may freely choose the
>     location within the user interface (if there is any) of Your Product (e.g.,
>     an "About" window, etc.) and the way in which Your Product will display the
>     respective phrase.

This is obnoxious, because it imposes an exact phrase to be included in
the modified work.  I think it's even worse than GPLv3#5d: it is very
close to fail DFSG#3, if not already failing.

[...]
> IV. Disclaimer of Warranties and Liabilities; Indemnification
[...]
> 4. You shall indemnify, defend and hold all (co)authors of This Product, their
> agents and associates, and applicable copyright/trademark owners, harmless
> from/against any liability, loss, expense, damages, claims or causes of action,
> arising out of Your use, inability to use, reproduction, (re)distribution,
> import and/or (re)export of This Product (or portions thereof) and/or Your
> breach of any term of this License.

Warning!  Indemnification clause: is it acceptable?  It smells as
non-free...

[...]
> VI. General Terms
> 
> 1. You may not use, modify, reproduce, derive from, (re)distribute, or
> sublicense This Product, or portion(s) thereof, except as expressly provided
> under this License. Any attempt (even if permitted by applicable law) otherwise
> to use, modify, reproduce, derive from, (re)distribute, or sublicense This
> Product, or portion(s) thereof, automatically and immediately terminates Your
> rights under this License.

This is non-free, as explained by Ken Arromdee in
http://lists.debian.org/debian-legal/2008/01/msg00132.html

[...]
> ____________________________________________________________
> 
> This is an independent implementation of the encryption algorithm:
> 
>         Twofish by Bruce Schneier and colleagues
> 
> which is a candidate algorithm in the Advanced Encryption Standard
> programme of the US National Institute of Standards and Technology.
> 
> Copyright in this implementation is held by Dr B R Gladman but I

This is very unclear: who is the "I" speaking here?
If it's Dr B R Gladman speaking, why does he speak in third person a
few words before?  If it's not Dr B R Gladman speaking, how can he/she
give permissions, when the copyright is held by Dr B R Gladman?

> hereby give permission for its free direct or derivative use subject
> to acknowledgment of its origin

Where's the permission to copy and distribute verbatim and modified
versions?  Without this explicit permission, I think this "license"
fails DFSG#1 or DFSG#3.

> and compliance with any conditions
> that the originators of the algorithm place on its exploitation.

Which conditions?
Where are they listed?
I cannot tell whether they are DFSG-compliant conditions, until I see
them!

> 
> My thanks to Doug Whiting and Niels Ferguson for comments that led
> to improvements in this implementation.
> 
> Dr Brian Gladman (gladman@seven77.demon.co.uk) 14th January 1999
> ____________________________________________________________



In summary, I think this work is not suitable for inclusion in Debian
(main).  It maybe could be distributed in non-free, but I would be
happier if upstream were persuaded to re-license in a DFSG-free manner.


-- 
 http://frx.netsons.org/progs/scripts/refresh-pubring.html
 New! Version 0.6 available! What? See for yourself!
..................................................... Francesco Poli .
 GnuPG key fpr == C979 F34B 27CE 5CD8 DC12  31B5 78F4 279B DD6D FCF4

Attachment: pgp86iXg51Nme.pgp
Description: PGP signature


Reply to: