On Tue, Mar 10, 2020 at 1:27 PM Jack Lloyd <j...@randombit.net> wrote:
> On Mon, Mar 02, 2020 at 10:09:32PM -0700, Sean Whitton wrote:
> > > In short, OASIS Open is a DFSG compliant license or not?
> >
> > Thanks. It looks like the license which does not permit modification
> > applies to the specification, so the specification is not DFSG-free.
> >
> > As for pkcs11.h, I can't see any statement that it is under any license
> > at all, never mind a DFSG-free license.
> >
> > So the bug severity would seem to be correct.

Meanwhile I've found the official GitHub repository hosting the work of PKCS 11 [1]. Its README.md [2] states: "Content in this repository is intended to be part of the PKCS 11 TC's permanent record of activity, visible and freely available for all to use, subject to applicable OASIS policies, as presented in the repository LICENSE file." Its CONTRIBUTING.md [3] adds: "Subject to applicable licensing rules, the repository content may be re-used freely, including the creation and publication of derivative works."

In my reading this complies with DFSG. It's free to redistribute, source code is available and allows publication of derived works. It doesn't discriminate against any persons, groups or fields of use. It doesn't restrict other software even. But of course, I would like to hear your opinion, Sean, and probably from Jack.

> I'm concerned though that the alternative of using the p11-kit headers seems
> much worse, because it is blindingly obvious that the p11-kit versions are a
> derivative of the OASIS headers. Unless somehow the developers happened to
> choose the same names, bitmasks, and struct layouts by chance? As it is we
> [Botan upstream] are not violating the OASIS license, but as far as I can tell
> p11-kit headers *are*, by removing OASIS copyright and license, and also
> violating the license, due to modifying the headers.

I do confirm this. The OASIS work is separated into three files and p11-kit has amended those into one file, it seems. As such, their cryptoki version numbers are the same as well [4][5]. Some typedefs are defined another way, see CK_BYTE and CK_CHAR for example [6][7]: OASIS defines the former as 'unsigned char' and the latter as the same as the former, while p11-kit defines these individually as 'unsigned char'. Please note that _some_ (a small number) of their constants differ [8][9].

Regards,
Laszlo/GCS

[1] https://github.com/oasis-tcs/pkcs11
[2] https://github.com/oasis-tcs/pkcs11/blob/master/README.md
[3] https://github.com/oasis-tcs/pkcs11/blob/master/CONTRIBUTING.md
[4] https://github.com/oasis-tcs/pkcs11/blob/master/published/2-40-errata-1/pkcs11t.h#L20
[5] https://github.com/p11-glue/p11-kit/blob/master/common/pkcs11.h#L64
[6] https://github.com/oasis-tcs/pkcs11/blob/master/published/2-40-errata-1/pkcs11t.h#L37
[7] https://github.com/p11-glue/p11-kit/blob/master/common/pkcs11.h#L1552
[8] https://github.com/oasis-tcs/pkcs11/blob/master/published/2-40-errata-1/pkcs11t.h#L1151
[9] https://github.com/p11-glue/p11-kit/blob/master/common/pkcs11.h#L1529