Hi Francesco,(taking debian-edu-pkg-team @ Alioth into the discussion loop, as that would be the maintainer team for VeraCrypt in Debian)
On Mi 17 Feb 2016 00:17:28 CET, Francesco Poli wrote:
On Wed, 10 Feb 2016 18:07:48 +0100 Mike Gabriel wrote: [...]1. Is VeraCrypt suitable for the non-free section of Debian?I am not sure: the TC-3.0 license is still fairly unclear (at least to my eyes), so I cannot really speculate on its possible implications...
Hmmm... ok. I think the ftpmasters would be glad about some guidance on why you see veracrypt (not the TC 3.0 license, see below) unfit for Debian non-free. I have already uploaded VeraCrypt to Debian NEW/non-free and it is waiting approval/rejection from an ftpmaster.
Also, it'd be interesting if the upstream people of VeraCrypt can apply any change(s) to the upstream sources, their VeraCrypt license or whatever, to make the software fit at least for Debian non-free.
. 2. I suppose VeraCrypt is not suitable for the main section of Debian as the TC-3.0 license is not DFSG-compliant. I suppose this has not changed for VeraCrypt, compared to TrueCrypt, right?Personally, I think this package should stay away from Debian main. As I said, I am not even sure it is safe to be distributed in the non-free archive.
Ok, I fully agree for the veracrypt license construct not being suitable for Debian main.
3. The new upstream maintainer also states that all novelties of the code are licensed under the Apache-2.0 license, but as long as any line from the original code sticks out, the licensing of the code is governed by the original Truecrypt 3.0 license, right?[...] Then I am not sure I understand why the debian/copyright file draft you sent states Files: * Copyright: 2003-2011, TrueCrypt Developers Association 2013-2014, IDRIX License: TC-3.0 or Ms-PL What's Ms-PL ? Shouldn't it be Apache-2.0 ? Moreover, "or" means dual-licensing, but I understand this to be a code-mixing case: I think "and" should be used instead. See https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ for more details.
Oh, I am sorry. With this mail, I have attached the latest debian/copyright file as I have it now after having it reworked two days ago. I should have sent an updated copy to debian-legal immediately. Sorry for that.
As it seems, the VeraCrypt upstream people have come up with a new license, the VeraCrypt license. See attached copyright file for details.
My proposed Debian package is also available online , you may want to grab the .dsc file and check the upstream files, as well.
Anyway, without looking at any further details, a question arises: why are you packaging veracrypt for the non-free archive? what does it offer that tcplay doesn't? See https://packages.debian.org/sid/tcplay https://tracker.debian.org/pkg/tcplay
I have checked tcplay and also zulucrypt-gui again. We provide veracrypt to teachers / students at school that come from the Windows realm mainly. For them, it is essential to recognize some pieces of software on our Linux environment that they have become so used to on their Windows machines. VeraCrypt (for formerly TrueCrypt) is such an application. Teachers here in Germany have to encrypt all personal data that they carry around, so they need _one_ cross platform tool for that. I'd be happy to provide that piece of software to other people in Debian (Edu).
Working on the command line (tcplay) is not an option for the teachers, we support here. And personally, I just tried out zulucrypt-gui the second time and I could not get it running as non-root. This is probably possible, I did not spend much time on this, but honestly, I prefer a solution that works right away. Also ZuluCrypt feels a little nerdy, not so user friendly as VeraCrypt currently is.
Greets, Mike -- DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: firstname.lastname@example.org, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de
Description: Digitale PGP-Signatur