Re: [firstname.lastname@example.org: Veracrypt license - how to change it]
On Wed, Aug 07, 2019 at 12:23:37PM +0200, Mihai Moldovan wrote:
> * On 8/7/19 9:31 AM, Zenaan Harkness wrote:
> > In the interests of having Veracrypt be distributable by Debian,
> > all Veracrypt code must be licensed accordingly.
> > This can be done by public notice (see below).
> Re-licensing can be a difficult, lengthy process and - as far as
> I've seen in the one case I observed and took part in (mpv's core
> re-licensing, which started in 2015 and is more or less done at the
> current time, but still not completely finished) - doesn't work the
> way you'd like to have it.
Oh yes, as far as I've seen in the MAME case, yes it does.
> > Doing so would be somewhat similar to how the MAME community caused
> > their source code license to be changed from "problematic for Debian/
> > the FSF etc" into something distributable by Debian etc (I think they
> > went to GPL).
> Skimming over articles, this situation looks different. The MAME
> project didn't just inherit/fork code from another developer team,
> but was always headed by the MAME development team itself, with
> changing personnel. Crucially, the project lead that initiated the
> license change has already been head for 3 years at the time, so I
> figure he'd be part of the project to some degree/contributing to
> it for an even longer time already.
As have the Veracrypt devs - they've been developing it for YEARS
> If anything, this example shows that re-licensing can be pretty
> easy IFF you control most code and contributors can be easily
> reached (they obviously have contacted contributors individually as
> well, not just issued this "public notice"), but even that process
> is dodgy at best, as it wasn't carried out in the public, as far as
> I can tell. There was no way to observe it.
Your anecdote is appreciated.
There are other anecdotes.
And the question is what -can- work, and should we attempt to do that.
> > Here's what the Veracrypt community would need to do:
> > - make a public announcement that they will, after DURATION say 1
> > year, change the license to all outstanding source code inherited
> > from TrueCrypt, to be Apache/GPL/whatever
> ... and effectively ignore the original authors' copyright and original license.
Only if those original authors say nothing - either they are not
contactable, or they choose to remain anonymous and not contactable
which is effectively the same thing.
I was probably unclear in my original email - to the extent that they
-are- in fact contactable, they certainly ought be contacted.
> > - include in the announcement that any party objecting must contact
> > the developers at BLAH (email list address, or list of developer
> > email addresses)
> That's not the way this stuff works. You have to assume objection
> UNTIL given permission. I wonder if that would be a fitting
> metaphor: a burglar justifying his actions by giving the sleeping
> original occupants an ample amount of time, say, 10 minutes, to
> answer the question if they'd be okay with him taking valuables.
> Since they haven't responded, he assumed that it's fine to proceed.
> More tongue-in-cheek, naturally, but still somewhat fitting.
I think I addressed this, but anyway, what you are saying is not
legally sound - duty of care, public notice, and tacit consent, are
actual legal, and legally binding concepts, whether or not you like
> > The announcement needs to be published and made generally publicly
> > available - e.g. at Slashdot, LWN, on the Veracrypt home page, etc.
> Ugh, I didn't yet know I have to check these outlets regularly. Now
> I'm terrified of having missed a lot of legal announcements for any
> project I ever contributed to!
As long as your contact details are included with your contributions,
then anyone giving such public notice, perhaps in a rarely visited
corner of the web so as to not be noticed, and failing to properly
attempt to contact you using the means of contact you have provided,
would be seen by the community, and by the courts, as acting in bad
faith (basically, failing to act pursuant to our duty of care to one
On this basis, you have no need to live in terror - so go forth and
be confident, and not afraid, that your copyright 'rights' shall in
general be protected in this current modern Western world.
> > Legally, this does a few things:
> > - gives general public Notice (legal concept), that something will
> > be done in the future, thus satisfying the general duty of care to
> > the public that something will be done which may affect the
> > interests of the public
> I don't think this concept can be applied in this case. It might be
> fine in order to inform a mostly anonymous, but concerned mass,
> but the situation is different here.
> For instance, informing affected parties about upcoming communal
> changes via public announcements/notices in the town hall
> (including about their legal right to oppose the changes) is fine
> if the affected parties can not be easily identified.
Which is the case with Truecrypt.
> Even if the administration had an up-to-date list of residents,
> other affected parties might exist that are not registered at that
> place, but, e.g. commuting.
Come on! We're not talking putting up a poster at the New York town
hall or some bullshit - this is about giving notice in a few
prominent and relatively "attended by programmers and tech geeks"
> On the other hand, this is not an acceptable procedure in legal
> proceedings that involve a set of known parties.
> In this case, they must be notified explicitly.
We must do what must be done.
But I think you misunderstand - or perhaps you are not familiar with
the Truecrypt/ Veracrypt case - the old Truecrypt developers were
intentionally relatively anonymous, and at this time uncontactable
(IDK the exact reasons now, but that's the case).
The issue I think is merely that those who -can- be contacted agree
that the TC license is problematic, but that a proper history of who
wrote what code is not known, and so the copyright is sort of a
collective copyright, and certain of the programmers of that code are
no longer contactable, and thus the conclusion "it's all too hard
we're stuck with this problematic license forever".
It's that conclusion which is the only problematic bit, and which is
handled with the legal construct summarized as "public notice".
> This case is more like the latter one.
> > - parties who remain silent, are thereafter (after time period
> > DURATION) "taken to have tacitly consented"
> During the mpv re-licensing, code written/modified by unreachable
> contributors was marked as not re-licensable and to be rewritten,
> which sounds like a much saner approach.
Sounds like a daft approach.
MPV folks created more work for themselves ENTIRELY unnecessarily so
- or perhaps they simply were not aware of the construct of public
notice and the consequent tacit consent -created- by that public
Oh, that reminds me - another classic, widely used and therefore
"presumably well known" form of public notice and consequent tacit
consent, is the "land development notice" which you see particularly
frequently in big cities, but also in the burbs by small developers
or even by home owner-builders.
The public notice is in all jurisdictions I am aware of in Australia
(at the state, as well as the local council jurisdictions), a
requirement in the various statute laws - which also specify the
minimum time durations that such public notice MUST be given, PRIOR
to the commencement of the building or development works...
The public thereby is given notice, and once the required time period
has elapsed, the tacit consent of the public and the neighbours to
the property to be developed, is gained, and development/ building
may proceed on the basis of that -tacit- consent.
With the public put on notice, objections may also be filed with the
local/city council, to the development, then, again prior to
building works starting, those objections must be handled - and the
council (or state government) has usually documented, sometimes in
statute law, processes for the handling of such complaints.
This is perhaps a reasonable analogy.
> > The above is legally sufficient to make such a change, and the MAME
> > community is at least one example where this legal technique of
> > Public Notice has been used effectively.
> Again, I consider MAME's license change shady at best.
OK. Your consideration is entirely different to mine - the MAME crew
spent considerable -years- doing everything they could to contact
everyone relevant, rewriting that which was objected to, and giving
ample public notice of their intentions; in summary they:
- handled themselves in dignity
- abundantly handled their duty of care to the broader MAME
community as well as the various copyright holders
- effectively created the legal entitlement, sanction, and tacit
consent for the remainder, to relicense MAME using a proper FLOSS
Bloody well done!
And done in dignity, and honourably!
Any assertion that they acted dishonourably better be backed up with
facts or it's nothing but a dishonourable and libellous smear.
> A contributor with considerable changes objecting to the change
> (even retrospectively, for instance because the whole "public
> notice" thing didn't reach him) might easily pull the project into
> interesting legal issues.
It might. Or it might not. And the process the MAME folks followed
may well provide them ample legal footing for a strong defence to any
such legal action/ claim - I believe this to be the case in fact.
> Having no public record likely doesn't help the case, either.
Or it might help their case too - IDK.
But if someone wishes to bring a claim against "the MAME community",
they better be the ones bringing a clear and unambiguous record, and
I have no doubt it will be handled both graciously and with dignity,
and to the ultimate satisfaction of all concerned, as this is in
keeping with the history of the MAME crew and how they handled their
relicensing to date.
> > If an objection -is- raised, and if the person objecting is an
> > actual copyright holder of certain Truecrypt code, then that
> > particular code can thereafter be rewritten. Other than this,
> > objections are unlikely to be legally substantive and may well be
> > able to be ignored. Notwithstanding, all objections should be
> > responded to as to what position is being taken in relation to
> > that objection (this is part of the duty of care to the general
> > public/ others in our community).
> Careful, I very much misinterpreted that paragraph at first. My
> original reply would have said "Wait, I may misunderstand this
> paragraph, but it sounds like you're saying that code affected by
> direct objections *CAN*, but needs not, be rewritten later on and
> that any objections would have no legal binding whatsoever anyway
> and can be ignored?"
<chagrin> Thanks, you're right - my wording was unclear. Thanks for
pointing this out to anyone - it's very good to clarify such
> I assume that what you actually meant is that objections by
> non-contributors have no legal binding and can be ignored, which is
> true, but also a tautologism.
Yes, and the point is that the legal construct of public notice is
that by giving public notice, you give (a best effort at least) to
provide every opportunity for those who might want to object, to so
object (and to contact people who might want to object).
In this way, we satisfy our duty of care to objectors - and in
particular, to anyone who might have a (legally) valid objection,
which is the thing you want to handle.
> The suggested approach sounds HIGHLY questionable to me. I
> personally fully support the intention, but strictly oppose the
Anyway, ATEOTD, my intention was to somehow make contact with the
Veracrypt developers - their intention and their will (at the moment)
are the only wills which matter in this instance at this point in
On the other hand, if they don't pick up this public notice + tacit
consent ball and run with it, literally anyone who chooses, can do so ...
Good luck ;)