On Sun, 30 Mar 2008 13:03:03 +0200 Patrick Matthäi wrote: > With TrueCrypt 5.x comes the new License version 2.4:
OK, let's try and analyze it, then... My usual disclaimers still apply: IANAL, TINLA, IANADD, TINASOTODP. > > > TrueCrypt License Version 2.4 > > > I. Definitions [...] > 4. "Your Product" means This Product modified by You, any work You > derive from (or base on) This Product, any work in which You include > This Product, or any respective part(s) thereof. This clause is unchanged. My concern was: does this mean that a mere aggregation (of the Product and other unrelated works) counts as "Your Product"? Does this broad definition interfere with DFSG#9? [...] > III. Terms and Conditions for Modification and Derivation of New Products [...] > a. The name of Your Product (or of Your modified version of This > Product) must not contain the name TrueCrypt (for example, the > following names are not allowed: TrueCrypt, TrueCrypt+, TrueCrypt > Professional, iTrueCrypt, etc.) nor any other names confusingly > similar to the name TrueCrypt (e.g., True-Crypt, True Crypt, > TruKrypt, etc.) This clause is substantially unchanged. I've argued several times in the past against this kind of broad restrictions. I think they go beyond what is permitted (as a compromise!) by DFSG#4. See, for instance: http://lists.debian.org/debian-legal/2007/11/msg00004.html http://lists.debian.org/debian-legal/2006/04/msg00181.html [...] > Logo(s) included in (or attached to) Your Product > (and in/to associated materials) must not incorporate and must not > be confusingly similar to any of the TrueCrypt logos (including the > non-textual logo consisting primarily of a key in stylized form) or > portion(s) thereof. All graphics contained in This Product (logos, > icons, etc.) must be removed from Your Product (or from Your modified > version of This Product) and from any associated materials. Not much progress here, either... If these graphics files are unmodifiable and undistributable in modified versions of the work, I think they are non-free and must be removed from a Debian package, as long as this package can otherwise be uploaded to the main archive (that is to say, as long as the other showstoppers are solved). > > b. The following phrases must be removed from Your Product and from any > associated materials, except the text of this License: "A TrueCrypt > Foundation Release", "Released by TrueCrypt Foundation", "This is a > TrueCrypt Foundation release." Like the above-mentioned Logos, these sentences deserve a similar treatment. > > c. Phrase "Based on TrueCrypt, freely available at > http://www.truecrypt.org/"; must be displayed by Your Product (if > technically feasible) and contained in its documentation. > Alternatively, if This Product or its portion You included in Your > Product constitutes only a minor portion of Your Product, phrase > "Portions of this product are based in part on TrueCrypt, freely > available at http://www.truecrypt.org/"; may be displayed instead. > In each of the cases mentioned above in this paragraph, > "http://www.truecrypt.org/"; must be a hyperlink (if technically > feasible) pointing to http://www.truecrypt.org/ and You may freely > choose the location within the user interface (if there is any) of > Your Product (e.g., an "About" window, etc.) and the way in which > Your Product will display the respective phrase. Again, I see no progress... This is obnoxious, because it imposes an exact phrase to be included in the modified work. I think it's even worse than GPLv3#5d: it is very close to fail DFSG#3, if not already failing. [...] > IV. Limitation of Liability, Disclaimer of Warranty, Indemnification [...] > 4. YOU SHALL INDEMNIFY, DEFEND AND HOLD ALL (CO)AUTHORS OF THIS PRODUCT, > THEIR AGENTS AND ASSOCIATES, AND APPLICABLE COPYRIGHT/TRADEMARK OWNERS, > HARMLESS FROM/AGAINST ANY LIABILITY, LOSS, EXPENSE, DAMAGES, CLAIMS OR > CAUSES OF ACTION, ARISING OUT OF YOUR USE, INABILITY TO USE, COPYING, > (RE)DISTRIBUTION, IMPORT AND/OR (RE)EXPORT OF THIS PRODUCT (OR PORTIONS > THEREOF) AND/OR YOUR BREACH OF ANY TERM OF THIS LICENSE. Warning! Substantially unchanged indemnification clause: is it acceptable? It smells as non-free... > > > > V. Trademarks > > This License does not grant permission to use trademarks associated with (or > applying to) This Product, except for fair use as defined by applicable > law and except for use expressly permitted or required by this License. > Any attempt otherwise to use trademarks associated with (or applying to) > This Product automatically and immediately terminates Your rights under > This License and may constitute trademark infringement (which may be > prosecuted). This seems even worse than in the previous license version: trademark infringement terminates the copyright license. I think that enforcing trademarks through copyright is wrongheaded. [...] > VI. General Terms [...] > 2. YOU MAY NOT USE, MODIFY, COPY, CREATE DERIVATIVE WORKS OF, > (RE)DISTRIBUTE, OR SUBLICENSE THIS PRODUCT, OR PORTION(S) THEREOF, > EXCEPT AS EXPRESSLY PROVIDED IN THIS LICENSE (EVEN IF APPLICABLE LAW > GIVES YOU MORE RIGHTS). ANY ATTEMPT (EVEN IF PERMITTED BY APPLICABLE > LAW) OTHERWISE TO USE, MODIFY, COPY, CREATE DERIVATIVE WORKS OF, > (RE)DISTRIBUTE, OR SUBLICENSE THIS PRODUCT, OR PORTION(S) THEREOF, > AUTOMATICALLY AND IMMEDIATELY TERMINATES YOUR RIGHTS UNDER THIS > LICENSE AND CAN CONSTITUTE COPYRIGHT INFRINGEMENT (WHICH MAY BE > PROSECUTED). This is a reworded phrasing of the non-free clause included in the previous license version. The reason why this clause is non-free was explained by Ken Arromdee in http://lists.debian.org/debian-legal/2008/01/msg00132.html [...] > 4. Subject to the terms of this License, You may allow a third party > to use Your copy of This Product (or a copy that you make and > distribute, or Your Product, or respective parts thereof) provided > that the third party explicitly accepts and agrees to be bound by all > terms of this License and the third party is not prohibited from using > This Product (or portions thereof) by this License (see, e.g., Section > VI.6) or by applicable law. However, You are not obligated to ensure > that the third party accepts (and agrees to be bound by all terms of) > this License if You distribute only the self-extracting package > (containing This Product) that does not allow the user to install > (nor extract) the files contained in the package until he or she > accepts and agrees to be bound by all terms of this License. Oh my goodness! This is getting worse and worse: a mandatory clickwrap-license clause, it seems. Free software does not restrict use, hence it does not require the potential user to accept the license in order to just *use* the package. [...] > 6. IF (IN RELEVANT CONTEXT) ANY PROVISION OF CHAPTER IV OF THIS LICENSE IS > UNENFORCEABLE, INVALID, OR PROHIBITED UNDER APPLICABLE LAW IN YOUR > JURISDICTION, YOU HAVE NO RIGHTS UNDER THIS LICENSE AND YOU MUST NOT > USE, COPY, > MODIFY, CREATE DERIVATIVE WORKS OF, NOR (RE)DISTRIBUTE THIS PRODUCT, NOR ANY > PORTION(S) THEREOF. This is a rather unusual severability clause... If something in a specific part (chapter IV) of the license is not OK, then, boom!, nuke the whole license and forget about it: you get no rights at all! This means that, unless we are reasonably sure that chapter IV is OK for each and every jurisdiction we care about, TrueCrypt could be legally undistributable in at least some places. It sounds like a real lawyerbomb. [...] > ____________________________________________________________ [...] The other licenses now seem to be OK. In summary, I think this work is still unsuitable for inclusion in Debian (main). It maybe could be distributed in non-free, but I would be happier if upstream were persuaded to re-license in a DFSG-free manner (even though comparing TrueCrypt License versions 2.3 and 2.4 shows a worrying trend to restrict more and more and going farther away from Free Software...). Please remember my disclaimers: IANAL, TINLA, IANADD, TINASOTODP. -- http://frx.netsons.org/progs/scripts/refresh-pubring.html New! Version 0.6 available! What? See for yourself! ..................................................... Francesco Poli . GnuPG key fpr == C979 F34B 27CE 5CD8 DC12 31B5 78F4 279B DD6D FCF4
pgpRWTeTgbqfs.pgp
Description: PGP signature
