[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#814352: ITP: veracrypt -- Cross-platform on-the-fly encryption

Hi Francesco,
(taking debian-edu-pkg-team @ Alioth into the discussion loop, as that would be the maintainer team for VeraCrypt in Debian)

On  Mi 17 Feb 2016 00:17:28 CET, Francesco Poli wrote:

On Wed, 10 Feb 2016 18:07:48 +0100 Mike Gabriel wrote:

 Is VeraCrypt suitable for the non-free section of Debian?

I am not sure: the TC-3.0 license is still fairly unclear (at least
to my eyes), so I cannot really speculate on its possible

Hmmm... ok. I think the ftpmasters would be glad about some guidance on why you see veracrypt (not the TC 3.0 license, see below) unfit for Debian non-free. I have already uploaded VeraCrypt to Debian NEW/non-free and it is waiting approval/rejection from an ftpmaster.

Also, it'd be interesting if the upstream people of VeraCrypt can apply any change(s) to the upstream sources, their VeraCrypt license or whatever, to make the software fit at least for Debian non-free.

 I suppose VeraCrypt is not suitable for the main section of Debian
 as the TC-3.0 license is not DFSG-compliant. I suppose
 this has not changed for VeraCrypt, compared to TrueCrypt, right?

Personally, I think this package should stay away from Debian main.
As I said, I am not even sure it is safe to be distributed in the
non-free archive.

Ok, I fully agree for the veracrypt license construct not being suitable for Debian main.
 The new upstream maintainer also states that all novelties of the code
 are licensed under the Apache-2.0 license, but as long as any line from
 the original code sticks out, the licensing of the code is governed by
 the original Truecrypt 3.0 license, right?

Then I am not sure I understand why the debian/copyright file draft
you sent states
  Files: *
  Copyright: 2003-2011, TrueCrypt Developers Association
             2013-2014, IDRIX
  License: TC-3.0 or Ms-PL

What's Ms-PL ? Shouldn't it be Apache-2.0 ?
Moreover, "or" means dual-licensing, but I understand this to be a
code-mixing case: I think "and" should be used instead.

for more details.

Oh, I am sorry. With this mail, I have attached the latest debian/copyright file as I have it now after having it reworked two days ago. I should have sent an updated copy to debian-legal immediately. Sorry for that.

As it seems, the VeraCrypt upstream people have come up with a new license, the VeraCrypt license. See attached copyright file for details.

My proposed Debian package is also available online [1], you may want to grab the .dsc file and check the upstream files, as well.

[1] http://packages.sunweavers.net/debian/pool/non-free/v/veracrypt/

Anyway, without looking at any further details, a question arises:
why are you packaging veracrypt for the non-free archive? what does
it offer that tcplay doesn't?


I have checked tcplay and also zulucrypt-gui again. We provide veracrypt to teachers / students at school that come from the Windows realm mainly. For them, it is essential to recognize some pieces of software on our Linux environment that they have become so used to on their Windows machines. VeraCrypt (for formerly TrueCrypt) is such an application. Teachers here in Germany have to encrypt all personal data that they carry around, so they need _one_ cross platform tool for that. I'd be happy to provide that piece of software to other people in Debian (Edu).

Working on the command line (tcplay) is not an option for the teachers, we support here. And personally, I just tried out zulucrypt-gui the second time and I could not get it running as non-root. This is probably possible, I did not spend much time on this, but honestly, I prefer a solution that works right away. Also ZuluCrypt feels a little nerdy, not so user friendly as VeraCrypt currently is.



mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de


Attachment: pgpn5QeAj0Scm.pgp
Description: Digitale PGP-Signatur

Reply to: