public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] TrueCrypt and it's lovely license
From: Dane Smith @ 2011-04-25 13:20 UTC
  To: gentoo-dev

All,
I just became aware of [1] today.

Several months ago, after a conversation with upstream and a couple
other devs, I decided to remove the RESTRICT="mirror fetch" parts.
Upstream didn't appear worried about the mirroring, but rather that they
wanted people to accept their license. So I left in RESTRICT="bindist"
and the ewarn about the license.

Given what I read on that bug today, would it be better if I went back
to RESTRICT="mirror fetch"? Or should I perhaps be doing something
entirely different? Perhaps make it so that the user has to add that
license to package.license?

@Trustees: Any thoughts? I didn't mean to step on any toes, I just
hadn't spotted that old bug until today.

Regards,

[1] https://bugs.gentoo.org/show_bug.cgi?id=241650
-- 
Dane Smith (c1pher)
Gentoo Linux Developer -- QA / Crypto / Sunrise / x86
RSA Key: http://pgp.mit.edu:11371/pks/lookup?search=0x0C2E1531&op=index




* Re: [gentoo-dev] TrueCrypt and it's lovely license
From: Rich Freeman @ 2011-04-25 13:55 UTC
  To: gentoo-dev

On Mon, Apr 25, 2011 at 9:20 AM, Dane Smith <c1pher@gentoo.org> wrote:
> @Trustees: Any thoughts? I didn't mean to step on any toes, I just
> hadn't spotted that old bug until today.

So, speaking only for myself, my thinking is that there is enough
debate over the truecrypt license that I see no point in not just
playing it safe and restricting mirroring.  Restricting mirroring will
make Gentoo itself not a party to any redistribution (at least not a
direct party).  If we further restrict fetching you could argue that
we're getting ourselves out of the facilitation business as well (not
a legal theory I'm enamored with).

I'd like to propose that devs should not commit ebuilds that do not
have mirroring restrictions unless the license is in
@BINARY-REDISTRIBUTABLE.  Perhaps this should be a repoman check.
Whether something ends up in that group is more complicated, but
repoman doesn't need to worry about that.

Neither Debian nor Ubuntu redistribute TrueCrypt.  That at the very
least should give us concern with doing so.  Their license is also not
considered free by any of the usual bodies.

Sure, it is a little hassle for users, but not that much in the big
scheme of things - especially since other distros don't package it at
all.  Better to let any lawyers we retain focus on getting the
foundation in better order and not have them fighting over licenses.

Rich




* Re: [gentoo-dev] TrueCrypt and it's lovely license
From: Dane Smith @ 2011-04-25 14:12 UTC
  To: gentoo-dev

On 04/25/2011 09:55 AM, Rich Freeman wrote:
> On Mon, Apr 25, 2011 at 9:20 AM, Dane Smith <c1pher@gentoo.org> wrote:
>> @Trustees: Any thoughts? I didn't mean to step on any toes, I just
>> hadn't spotted that old bug until today.
> 
> So, speaking only for myself, my thinking is that there is enough
> debate over the truecrypt license that I see no point in not just
> playing it safe and restricting mirroring.  Restricting mirroring will
> make Gentoo itself not a party to any redistribution (at least not a
> direct party).  If we further restrict fetching you could argue that
> we're getting ourselves out of the facilitation business as well (not
> a legal theory I'm enamored with).
> 
> I'd like to propose that devs should not commit ebuilds that do not
> have mirroring restrictions unless the license is in
> @BINARY-REDISTRIBUTABLE.  Perhaps this should be a repoman check.
> Whether something ends up in that group is more complicated, but
> repoman doesn't need to worry about that.
> 
> Neither Debian nor Ubuntu redistribute TrueCrypt.  That at the very
> least should give us concern with doing so.  Their license is also not
> considered free by any of the usual bodies.
> 
> Sure, it is a little hassle for users, but not that much in the big
> scheme of things - especially since other distros don't package it at
> all.  Better to let any lawyers we retain focus on getting the
> foundation in better order and not have them fighting over licenses.
> 
> Rich
> 

These are all good enough reasons for me. Re-Restricted mirror and fetch
in CVS. Thanks =)

-- 
Dane Smith (c1pher)
Gentoo Linux Developer -- QA / Crypto / Sunrise / x86
RSA Key: http://pgp.mit.edu:11371/pks/lookup?search=0x0C2E1531&op=index




* Re: [gentoo-dev] TrueCrypt and it's lovely license
From: Ulrich Mueller @ 2011-04-25 15:39 UTC
  To: gentoo-dev

>>>>> On Mon, 25 Apr 2011, Dane Smith wrote:

> These are all good enough reasons for me. Re-Restricted mirror and
> fetch in CVS.

Maybe the description should be updated too. "Free open-source disk
encryption software" is misleading, when it's neither free software
nor fulfills the open source definition.

Ulrich




* Re: [gentoo-dev] TrueCrypt and it's lovely license
From: Angelo Arrifano @ 2011-04-26 11:57 UTC
  To: gentoo-dev; +Cc: miknix

On Mon, 2011-04-25 at 17:39 +0200, Ulrich Mueller wrote:
> >>>>> On Mon, 25 Apr 2011, Dane Smith wrote:
> 
> > These are all good enough reasons for me. Re-Restricted mirror and
> > fetch in CVS.
> 
> Maybe the description should be updated too. "Free open-source disk
> encryption software" is misleading, when it's neither free software
> nor fulfills the open source definition.
> 
> Ulrich
> 

What about enumerating some alternatives (dm-crypt+luks etc.) in post
install? Sometimes people are not aware of them, and when they are, it is
too late because no one in their sane mind (except me maybe) will
migrate all the data again into another encryption format.

- Angelo
-- 
Angelo Arrifano (miknix)
Developer / GPE maintainer
http://www.gentoo.org/~miknix
http://miknix.homelinux.com



