* [gentoo-dev] CAcert certificate distribution license to third parties (i.e. distributors like gentoo)
From: Daniel Black @ 2009-12-13 11:44 UTC
To: gentoo-dev
Recently this got produced as a draft license for parties distributing
CAcert's root certificate(s) (like us).
https://svn.cacert.org/CAcert/Policies/Agreements/3PVDisclaimerAndLicence.html
This is still in draft and hasn't been discussed in CAcert's policy group yet.
If you want to follow/contribute to this discussion look for a post to the
policy list soon.
https://lists.cacert.org/wws/info/cacert-policy
I make no inferences good or bad about this. Mainly because I'm writing this
with a headache.
Cheers,
Daniel
* Re: [gentoo-dev] CAcert certificate distribution license to third parties (i.e. distributors like gentoo)
From: Robin H. Johnson @ 2009-12-13 19:49 UTC
To: gentoo-dev
On Sun, Dec 13, 2009 at 10:44:05PM +1100, Daniel Black wrote:
> Recently this got produced as a draft license for parties distributing
> CAcert's root certificate(s) (like us).
> https://svn.cacert.org/CAcert/Policies/Agreements/3PVDisclaimerAndLicence.html
That's a pretty dense license. I can see why you had a headache.
I believe that in its current form, we will have to make sure we have a
liability disclaimer to users for the license, but that should be about
it.
--
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robbat2@gentoo.org
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
* Re: [gentoo-dev] CAcert certificate distribution license to third parties (i.e. distributors like gentoo)
From: Richard Freeman @ 2009-12-14 12:15 UTC
To: gentoo-dev
On 12/13/2009 02:49 PM, Robin H. Johnson wrote:
> On Sun, Dec 13, 2009 at 10:44:05PM +1100, Daniel Black wrote:
>> Recently this got produced as a draft license for parties distributing
>> CAcert's root certificate(s) (like us).
>> https://svn.cacert.org/CAcert/Policies/Agreements/3PVDisclaimerAndLicence.html
> That's a pretty dense license. I can see why you had a headache.
>
> I believe that in its current form, we will have to make sure we have a
> liability disclaimer to users for the license, but that should be about
> it.
>
First, I am not a lawyer.
The 3PV license does require that the user be presented with:
http://www.cacert.org/policy/NRPDisclaimerAndLicence.php
I'm not sure that simply posting the link in an einfo would satisfy the
requirements. We might need to post the full text to qualify as having
presented it to the user - not sure about that. I don't see anything in
there that requires interaction though (hitting a yes button or anything
like that).
The license itself is fairly short - we only need to post the NRP and
not the 3PV license. The 3PV is a license for Gentoo to distribute
content to users under the NRP. Users who don't redistribute the key
don't need to worry about it.
An option would be to RESTRICT=mirror their root key, and install it
directly from their site, assuming they don't start messing with the
URL. Then we can just put the license in the ebuild like any other.
Since we don't redistribute anything copyrighted, Gentoo itself doesn't
enter into any license agreement.
Only issue with that is that it is often bundled with a bunch of others
and I don't know that you can restrict only one URL in the ebuild.
* Re: [gentoo-dev] CAcert certificate distribution license to third parties (i.e. distributors like gentoo)
From: Robin H. Johnson @ 2009-12-14 20:10 UTC
To: gentoo-dev
On Mon, Dec 14, 2009 at 07:15:36AM -0500, Richard Freeman wrote:
> On 12/13/2009 02:49 PM, Robin H. Johnson wrote:
> >On Sun, Dec 13, 2009 at 10:44:05PM +1100, Daniel Black wrote:
> >>Recently this got produced as a draft license for parties distributing
> >>CAcert's root certificate(s) (like us).
> >>https://svn.cacert.org/CAcert/Policies/Agreements/3PVDisclaimerAndLicence.html
> >That's a pretty dense license. I can see why you had a headache.
> >
> >I believe that in its current form, we will have to make sure we have a
> >liability disclaimer to users for the license, but that should be about
> >it.
> >
>
> First, I am not a lawyer.
>
> The 3PV license does require that the user be presented with:
> http://www.cacert.org/policy/NRPDisclaimerAndLicence.php
From 3PV:
=====
1.4 Vendor's Agreement with End-User
Vendor agrees
1. to distribute both the NRP-DaL and this present agreement to end-user,
2. to advise the end-user of the NRP-DaL appropriately.
...
2. Disclaimer
2.1 All Liability
Vendor's relationship with end-users creates risks, liabilities and
obligations due to the end-user's permitted USE of the certificates,
and potentially through other activities such as inappropriate and
non-permitted RELIANCE.
=====
1.4.1 just means we get to install both licenses, similar to the other
@BINARY-REDISTRIBUTABLE discussion we had.
1.4.2 is interesting, in that a lot of users don't read elog/einfo at all. Thus
do they count as reasonable effort to inform the user?
2.1 is where I had more concern. NRP contains this wonderful line:
"You may NOT RELY on any statements or claims made by the certificates
or implied in any way."
But...
> An option would be to RESTRICT=mirror their root key, and install it
> directly from their site, assuming they don't start messing with the
> URL. Then we can just put the license in the ebuild like any other.
> Since we don't redistribute anything copyrighted, Gentoo itself
> doesn't enter into any license agreement.
This is entirely moot. The CACert materials in Gentoo come from Debian's
ca-certificates package. We do NOT independently supply them.
http://packages.debian.org/sid/ca-certificates
I think this might enable us to entirely sidestep a large part of the
discussion. Watch what Debian does, and see what related actions if any we need
to take.
--
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robbat2@gentoo.org
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
* Re: [gentoo-dev] CAcert certificate distribution license to third parties (i.e. distributors like gentoo)
From: Richard Freeman @ 2009-12-15 1:44 UTC
To: gentoo-dev
On 12/14/2009 03:10 PM, Robin H. Johnson wrote:
> 1.4 Vendor's Agreement with End-User
> Vendor agrees
> 1. to distribute both the NRP-DaL and this present agreement to end-user,
Ah, this was my mistake. I read that as "to distribute both the NRP-DaL
and present this agreement to [the] end-user," Funny how swapping the
order of two words changes an adjective to a verb... :)
* Re: [gentoo-dev] CAcert certificate distribution license to third parties (i.e. distributors like gentoo)
From: Daniel Black @ 2009-12-15 6:46 UTC
To: gentoo-dev
On Tuesday 15 December 2009 07:10:25 Robin H. Johnson wrote:
>
> This is entirely moot. The CACert materials in Gentoo come from Debian's
> ca-certificates package. We do NOT independently supply them.
> http://packages.debian.org/sid/ca-certificates
>
> I think this might enable us to entirely sidestep a large part of the
> discussion.
quite possible.
> Watch what Debian does, and see what related actions if any we
> need to take.
I did email the debian maintainer too. no response yet. They have interactive
builds though and I guess we do too now. Will be a royal pain if every
CA/software did the same thing.
* Re: [gentoo-dev] CAcert certificate distribution license to third parties (i.e. distributors like gentoo)
From: Richard Freeman @ 2009-12-15 12:19 UTC
To: gentoo-dev
On 12/15/2009 01:46 AM, Daniel Black wrote:
> I did email the debian maintainer too. no response yet. They have interactive
> builds though and I guess we do too now. Will be a royal pain if every
> CA/software did the same thing.
>
The last thing gentoo needs is interactive builds. XFree86 was forked
over something less annoying than that (advertising clause)...
I'd rather put a disclaimer in the handbook that when you install gentoo
you bear the consequences of anything you do with it: if you're in a
jurisdiction where software licenses are binding on those who use
software then be sure to set ACCEPT_LICENSE accordingly, and all users
should monitor the outputs of their builds for important notices.
On that note, perhaps the default make.conf should send ELOGs to
root@localhost or something? People can disable it if they don't like
it, but I don't think we want our default to be that important notices
are lost.
If legal experts feel that the only thing that will work would be an
interactive build, then we should:
1. Have the build by default terminate with an error that it requires
some kind of acknowledgment. Ideally have the package manager detect
this condition at --pretend time.
2. Have the user set this acknowledgment using an environment variable
in make.conf (perhaps a setting for these purposes), or a local use
flag, or some other one-time non-interactive mechanism.
3. Have the build notice this and proceed normally (so the actual build
and future upgrades are non-interactive).
4. Ensure that this package is NOT required by anything in system, or
installed by default by any major popular package (so maybe we have
ca-certificates, and ca-certificates-annoying or something).
We definitely don't want the gentoo experience to be one of typing
emerge world and then having to check back on it every three minutes to
see what the latest prompt is.
I'm generally in favor of including CACert by default, but if they're
going to shoot themselves in the foot over licensing then that is their
loss. I already have to install it manually for chromium (a real pita,
btw). I can't see the council voting to allow interactive builds for a
certificate, and I really don't see why CACert is pushing this either...
* Re: [gentoo-dev] CAcert certificate distribution license to third parties (i.e. distributors like gentoo)
From: Daniel Black @ 2009-12-16 12:26 UTC
On Tuesday 15 December 2009 23:19:22 Richard Freeman wrote:
> On 12/15/2009 01:46 AM, Daniel Black wrote:
> > I did email the debian maintainer too. no response yet. They have
> > interactive builds though and I guess we do too now. Will be a royal pain
> > if every CA/software did the same thing.
>
> The last thing gentoo needs is interactive builds.
agree.
> I'd rather put a disclaimer in the handbook that when you install gentoo
> you bear the consequences of anything you do with it: if you're in a
> jurisdiction where software licenses are binding on those who use
> software then be sure to set ACCEPT_LICENSE accordingly, and all users
> should monitor the outputs of their builds for important notices.
sounds reasonable.
> If legal experts feel that the only thing that will work would be an
> interactive build, then we should:
I'm not sure it is. It's very early days of this license.
After reading this license without (or significantly less of) a headache I'm
thinking 1.4 2) "to advise the end-user of the NRP-DaL" refers to advising the
user that the license exists rather than the text of it. Gentoo maintainers could
simply add the NRP-DaL to the LICENSE of the ebuild. Portage 2.2's requiring
the user add acceptable licenses to ACCEPT_LICENSE is probably sufficient.
> I'm generally in favor of including CACert by default, but if they're
> going to shoot themselves in the foot over licensing then that is their
> loss.
They aren't trying to; they just don't know our issues. I did ask for wider
consultation and to be wary of clauses incompatible with distributors' normal
operations.
> .. and I really don't see why CACert is pushing this either...
Clearing up a legal loop to allow distribution in a way that communicates the
NRP-DaL to the end-user. Their own page http://www.cacert.org/index.php?id=3
doesn't mention NRP-DaL either so as you can see, they are just progressing
with a few little bumps and inconsistencies like everyone else.
https://lists.cacert.org/wws/arc/cacert-board/2009-12/msg00080.html
Daniel
* [gentoo-dev] Re: CAcert certificate distribution license to third parties (i.e. distributors like gentoo)
From: Daniel Black @ 2010-06-27 1:02 UTC
To: gentoo-dev
On Sunday 13 December 2009 22:44:05 Daniel Black wrote:
> Recently this got produced as a draft license for parties distributing
> CAcert's root certificate(s) (like us).
>
> https://svn.cacert.org/CAcert/Policies/Agreements/3PVDisclaimerAndLicence.html
>
> This is still in draft and hasn't been discussed in CAcert's policy group yet.
>
> If you want to follow/contribute to this discussion look for a post to the
> policy list soon.
> https://lists.cacert.org/wws/info/cacert-policy
>
> I make no inferences good or bad about this. Mainly because I'm writing
> this with a headache.
>
> Cheers,
>
> Daniel
Recently Sasha from Fedora has proposed CAcert's root distribution license as
CC-ND. This avoids many complications of the draft proposal above.
By joining the list you can vote for it.
the proposal:
https://lists.cacert.org/wws/arc/cacert-policy/2010-06/msg00151.html
Once registered on this site there is a "send to (your email)" link on the top
right to preserve threading.
ref: http://spreitzer.name/set-the-cacert-root-certificates-free
Daniel