[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: CAcert Licensing and Inclusion in Debian main


On Tue, Apr 01, 2014 at 09:58:33PM -0500, Michael Shuler wrote:
> I have reopened #687693, as I believe that I was in error by
> ignoring the CAcert Root Distribution License. I closed that bug in
> order to maintain status quo, but have continued to feel that I was
> wrong in doing so, based on several points in the Social Contract. I
> am seeking a legal determination on whether the CAcert RDL follows
> the DFSG or is non-free.

> Additional questions about CAcert's inclusion in ca-certificates
> were raised in #718434. As a result of those questions and history,
> Ubuntu removed CAcert's root certificates from ca-certificates and
> nss in LP: #1258286. Prompted by Ubuntu's removal, my understanding
> that that redistribution did not follow DFSG, and the other issues
> presented, I removed the CAcert root certificates from
> ca-certificates. #741561 is seeking a possible re-introduction of
> CAcert's roots in Debian and would require proper judgement on
> licensing, prior to proceeding.

> I am familiar with the premise that SSL certificates may be seen as
> un-copyrightable, however, CAcert has (I assume with legal advice)
> intentionally burdened their root certificates with a license which
> claims copyright, as well as, by several opinions, verbiage that
> makes it non-free.

> I strongly believe that ignoring the CAcert RDL, in order to
> maintain status quo, is not the ethical thing to do for Debian, and
> I would enjoy some legal guidance. Thanks for your time.

> https://bugs.debian.org/687693
> http://www.cacert.org/policy/RootDistributionLicense.php
> https://bugs.debian.org/718434
> https://bugs.debian.org/741561

Facts are not copyrightable.  Period.  Stupid, unenforceable, scaremongering
license texts attached to factual data (of which an SSL certificate is a
veritable mathematical definition) should be ignored.

If there's a reason to include the certificate in question in Debian, you
should feel free to do so, ignoring any license claims.  If it is not
copyrightable, then you are not bound by any purported license - and
therefore it cannot fail the DFSG.

This is entirely separate from the question of whether they should be
included in the ca-certificates package, or enabled by default.

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

Attachment: signature.asc
Description: Digital signature

Reply to: