
Re: Bug#687693: ca-certificates: Cacert License is missing



On Sat, 15 Sep 2012 12:35:09 -0500 Raphael Geissert wrote:

> Hi everyone,

Hello Raphael,

> 
> mejiko: thanks for pointing it out, I'm forwarding your report to our 
> debian-legal mailing list to seek their opinion.

Thanks for asking.

Please note that you may receive multiple and possibly different
opinions from debian-legal regulars. I am one of them, but what follows
is just my own personal opinion.

> 
> On Saturday 15 September 2012 03:15:10 mejiko wrote:
> [...]
> > ca-certificates packages included Cacert Root certificates.
> > These certificates are licensed under Cacert Root Distribution License (RDL).
> [...]
> > http://www.cacert.org/policy/RootDistributionLicense.php

For future reference, here's a full quote of the license text, obtained
with 

$ w3m -cols 72 -dump http://www.cacert.org/policy/RootDistributionLicense.php

Name: RDL COD14
Status: DRAFT p20100710                              RDL Status - DRAFT
Editor: Mark Lipscombe



┌─────────────────────────────────────────────────────────────────────┐
│Root Distribution License                                            │
│                                                                     │
│1. Terms                                                             │
│                                                                     │
│"CAcert Inc" means CAcert Incorporated, a non-profit association     │
│incorporated in New South Wales, Australia.                          │
│"CAcert Community Agreement" means the agreement entered into by each│
│person wishing to RELY.                                              │
│"Member" means a natural or legal person who has agreed to the CAcert│
│Community Agreement.                                                 │
│"Certificate" means any certificate or like device to which CAcert   │
│Inc's digital signature has been affixed.                            │
│"CAcert Root Certificates" means any certificate issued by CAcert Inc│
│to itself for the purposes of signing further CAcert Roots or for    │
│signing certificates of Members.                                     │
│"RELY" means the human act in taking on a risk or liability on the   │
│basis of the claim(s) bound within a certificate issued by CAcert.   │
│"Embedded" means a certificate that is contained within a software   │
│application or hardware system, when and only when, that software    │
│application or system is distributed in binary form only.            │
│                                                                     │
│2. Copyright                                                         │
│                                                                     │
│CAcert Root Certificates are Copyright CAcert Incorporated. All      │
│rights reserved.                                                     │
│                                                                     │
│3. License                                                           │
│                                                                     │
│You may copy and distribute CAcert Root Certificates only in         │
│accordance with this license.                                        │
│                                                                     │
│CAcert Inc grants you a free, non-exclusive license to copy and      │
│distribute CAcert Root Certificates in any medium, with or without   │
│modification, provided that the following conditions are met:        │
│                                                                     │
│  • Redistributions of Embedded CAcert Root Certificates must take   │
│    reasonable steps to inform the recipient of the disclaimer in    │
│    section 4 or reproduce this license and copyright notice in full │
│    in the documentation provided with the distribution.             │
│  • Redistributions in all other forms must reproduce this license   │
│    and copyright notice in full.                                    │
│                                                                     │
│4. Disclaimer                                                        │
│                                                                     │
│THE CACERT ROOT CERTIFICATES ARE PROVIDED "AS IS" AND ANY EXPRESS OR │
│IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED       │
│WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE   │
│ARE DISCLAIMED TO THE MAXIMUM EXTENT PERMITTED BY LAW. IN NO EVENT   │
│SHALL CACERT INC, ITS MEMBERS, AGENTS, SUBSIDIARIES OR RELATED       │
│PARTIES BE LIABLE TO THE LICENSEE OR ANY THIRD PARTY FOR ANY DIRECT, │
│INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES   │
│(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR   │
│SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)   │
│HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,  │
│STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING│
│IN ANY WAY OUT OF THE USE OF THESE CERTIFICATES, EVEN IF ADVISED OF  │
│THE POSSIBILITY OF SUCH DAMAGE. IN ANY EVENT, CACERT'S LIABILITY     │
│SHALL NOT EXCEED $1,000.00 AUSTRALIAN DOLLARS.                       │
│                                                                     │
│THIS LICENSE SPECIFICALLY DOES NOT PERMIT YOU TO RELY UPON ANY       │
│CERTIFICATES ISSUED BY CACERT INC. IF YOU WISH TO RELY ON            │
│CERTIFICATES ISSUED BY CACERT INC, YOU MUST ENTER INTO A SEPARATE    │
│AGREEMENT WITH CACERT INC.                                           │
│                                                                     │
│5. Statutory Rights                                                  │
│                                                                     │
│Nothing in this license affects any statutory rights that cannot be  │
│waived or limited by contract. In the event that any provision of    │
│this license is held to be invalid or unenforceable, the remaining   │
│provisions of this license remain in full force and effect.          │
└─────────────────────────────────────────────────────────────────────┘

Alternatives

If you find the terms of the above Root Distribution License difficult
or inadequate for your purposes, you may wish to:

  • Enter into the CAcert Community Agreement by registering as a
    Member. This is free.
  • Delete CAcert Root Certificates from your software. Your software
    documentation should give directions and assistance for this.

These alternatives are outside the above Root Distribution License and
do not incorporate.



> > https://lists.cacert.org/wws/arc/cacert-policy/2012-02/msg00031.html
> > https://fedoraproject.org/wiki/Licensing/CACert_Root_Distribution_License
> 
> TL;DR: RDL looks non-free, Philipp Dunkel from CAcert says Debian is fine (to
> distribute) because of the disclaimer re the certificates included in
> ca-certificates, Fedora says it is non-free.

Those two statements are not in contradiction with each other.
The Debian Project may be in compliance with the license, while the
license may include non-free restrictions.

> 
> What do the others think about it?
> 
> To me, it doesn't just seem to be a (re-)distribution issue. Rather, the 
> need for an additional agreement with CAcert. 

My own personal opinion is that the Debian package seems to comply with
the license (since its description includes a warning that seems to
satisfy the "reasonable steps" condition).
However, I recommend including a verbatim copy of this license in the
debian/copyright file (something which is anyway mandated by Debian
Policy).

On the other hand, the license seems to really include a non-free use
restriction, because (as pointed out on the Fedora Wiki page you cited)
it says:

| THIS LICENSE SPECIFICALLY DOES NOT PERMIT YOU TO RELY UPON ANY
| CERTIFICATES ISSUED BY CACERT INC. IF YOU WISH TO RELY ON
| CERTIFICATES ISSUED BY CACERT INC, YOU MUST ENTER INTO A SEPARATE
| AGREEMENT WITH CACERT INC.

This, taking into account the definition of "RELY" in section 1, fails
to grant permission to make some uses of the certificates (see DFSG#6).


Finally, do I understand correctly that we are talking about a number
of SSL certificates?
I fail to see any significant creativity in the generation of SSL
certificates, hence I wonder how CAcert may claim that some root
certificates are copyrighted...
But this is a question for lawyers (which I am not!).


My suggestion is to persuade upstream to drop the use restriction from
their license, or, even better, to switch to a well-known and
widely-adopted Free Software license, such as the Expat/MIT license
<http://www.jclark.com/xml/copying.txt>
All this, assuming that a copyright license is actually needed...

I hope this helps.
Bye.

-- 
 http://www.inventati.org/frx/frx-gpg-key-transition-2010.txt
 New GnuPG key, see the transition document!
..................................................... Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE
