On Sat, 15 Sep 2012 12:35:09 -0500 Raphael Geissert wrote:

> Hi everyone,

Hello Raphael,

>
> mejiko: thanks for pointing it out, I'm forwarding your report to our
> debian-legal mailing list to seek their opinion.

Thanks for asking.
Please note that you may receive multiple and possibly different
opinions from debian-legal regulars.
I am one of them, but what follows is just my own personal opinion.

>
> On Saturday 15 September 2012 03:15:10 mejiko wrote:
> [...]
> > ca-certificates packages included Cacert Root certificates.
> > These certificates are licensed under Cacert Root Distribution License (RDL).
> [...]
> > http://www.cacert.org/policy/RootDistributionLicense.php

For future reference, here's a full quote of the license text, obtained
with

$ w3m -cols 72 -dump http://www.cacert.org/policy/RootDistributionLicense.php

Name: RDL COD14
Status: DRAFT p20100710
RDL Status - DRAFT
Editor: Mark Lipscombe

Root Distribution License

1. Terms

"CAcert Inc" means CAcert Incorporated, a non-profit association
incorporated in New South Wales, Australia.
"CAcert Community Agreement" means the agreement entered into by each
person wishing to RELY.
"Member" means a natural or legal person who has agreed to the CAcert
Community Agreement.
"Certificate" means any certificate or like device to which CAcert
Inc's digital signature has been affixed.
"CAcert Root Certificates" means any certificate issued by CAcert Inc
to itself for the purposes of signing further CAcert Roots or for
signing certificates of Members.
"RELY" means the human act in taking on a risk or liability on the
basis of the claim(s) bound within a certificate issued by CAcert.
"Embedded" means a certificate that is contained within a software
application or hardware system, when and only when, that software
application or system is distributed in binary form only.

2. Copyright

CAcert Root Certificates are Copyright CAcert Incorporated. All
rights reserved.

3. License

You may copy and distribute CAcert Root Certificates only in
accordance with this license.

CAcert Inc grants you a free, non-exclusive license to copy and
distribute CAcert Root Certificates in any medium, with or without
modification, provided that the following conditions are met:

  • Redistributions of Embedded CAcert Root Certificates must take
    reasonable steps to inform the recipient of the disclaimer in
    section 4 or reproduce this license and copyright notice in full
    in the documentation provided with the distribution.
  • Redistributions in all other forms must reproduce this license
    and copyright notice in full.

4. Disclaimer

THE CACERT ROOT CERTIFICATES ARE PROVIDED "AS IS" AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED TO THE MAXIMUM EXTENT PERMITTED BY LAW. IN NO EVENT
SHALL CACERT INC, ITS MEMBERS, AGENTS, SUBSIDIARIES OR RELATED
PARTIES BE LIABLE TO THE LICENSEE OR ANY THIRD PARTY FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
IN ANY WAY OUT OF THE USE OF THESE CERTIFICATES, EVEN IF ADVISED OF
THE POSSIBILITY OF SUCH DAMAGE. IN ANY EVENT, CACERT'S LIABILITY
SHALL NOT EXCEED $1,000.00 AUSTRALIAN DOLLARS.

THIS LICENSE SPECIFICALLY DOES NOT PERMIT YOU TO RELY UPON ANY
CERTIFICATES ISSUED BY CACERT INC. IF YOU WISH TO RELY ON
CERTIFICATES ISSUED BY CACERT INC, YOU MUST ENTER INTO A SEPARATE
AGREEMENT WITH CACERT INC.

5. Statutory Rights

Nothing in this license affects any statutory rights that cannot be
waived or limited by contract. In the event that any provision of
this license is held to be invalid or unenforceable, the remaining
provisions of this license remain in full force and effect.

Alternatives

If you find the terms of the above Root Distribution License difficult
or inadequate for your purposes, you may wish to:

  • Enter into the CAcert Community Agreement by registering as a
    Member. This is free.
  • Delete CAcert Root Certificates from your software. Your software
    documentation should give directions and assistance for this.

These alternatives are outside the above Root Distribution License and
do not incorporate.

> > https://lists.cacert.org/wws/arc/cacert-policy/2012-02/msg00031.html
> > https://fedoraproject.org/wiki/Licensing/CACert_Root_Distribution_License
>
> TL;DR; RDL looks non-free, Philipp Dunkel from CAcert says Debian is fine
> (to distribute) because of the disclaimer re the certificates included in
> ca-certificates, Fedora says it is non-free.

Those two statements are not in contradiction with each other.
The Debian Project may be in compliance with the license, while the
license may include non-free restrictions.

>
> What do the others think about it?
>
> To me, it doesn't just seem to be a (re-)distribution issue. Rather, the
> need for an additional agreement with CAcert.

My own personal opinion is that the Debian package seems to comply with
the license (since its description includes a warning that seems to
satisfy the "reasonable steps" condition).
However, I recommend including a verbatim copy of this license in the
debian/copyright file (something which is anyway mandated by Debian
Policy).

On the other hand, the license seems to really include a non-free use
restriction, because (as pointed out on the Fedora Wiki page you cited)
it says:

| THIS LICENSE SPECIFICALLY DOES NOT PERMIT YOU TO RELY UPON ANY
| CERTIFICATES ISSUED BY CACERT INC. IF YOU WISH TO RELY ON
| CERTIFICATES ISSUED BY CACERT INC, YOU MUST ENTER INTO A SEPARATE
| AGREEMENT WITH CACERT INC.

This, taking into account the definition of "RELY" in section 1, fails
to grant permission to make some uses of the certificates (see DFSG#6).

Finally, do I understand correctly that we are talking about a number
of SSL certificates?
I fail to see any significant creativity in the generation of SSL
certificates, hence I wonder how CAcert may claim that some root
certificates are copyrighted...
But this is a question for lawyers (which I am not!).

My suggestion is to persuade upstream to drop the use restriction from
their license, or, even better, to switch to a well-known and
widely-adopted Free Software license, such as the Expat/MIT license
<http://www.jclark.com/xml/copying.txt>

All this, assuming that a copyright license is actually needed...

I hope this helps.
Bye.

-- 
 http://www.inventati.org/frx/frx-gpg-key-transition-2010.txt
 New GnuPG key, see the transition document!
..................................................... Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE