Re: [gentoo-dev] CAcert certificate distribution license to third parties (i.e. distributors like gentoo)

["Robin H. Johnson" <robbat2@gentoo.org>]

[-- Attachment #1: Type: text/plain, Size: 2591 bytes --]

On Mon, Dec 14, 2009 at 07:15:36AM -0500, Richard Freeman wrote:
> On 12/13/2009 02:49 PM, Robin H. Johnson wrote:
> >On Sun, Dec 13, 2009 at 10:44:05PM +1100, Daniel Black wrote:
> >>Recently this got produced as a draft license for parties distributing
> >>CAcert's root certificate(s) (like us).
> >>https://svn.cacert.org/CAcert/Policies/Agreements/3PVDisclaimerAndLicence.html
> >That's a pretty dense license. I can see why you had a headache.
> >
> >I believe that in it's current form, we will have to make sure we have a
> >liability disclaimer to users for the license, but that should be about
> >it.
> >
> 
> First, I am not a lawyer.
> 
> The 3PV license does require that the user be presented with:
> http://www.cacert.org/policy/NRPDisclaimerAndLicence.php
From 3PV:
=====
1.4  Vendor's Agreement with End-User
Vendor agrees
   1. to distribute both the NRP-DaL and this present agreement to end-user,
   2. to advise the end-user of the NRP-DaL appropriately. 
...
  2.  Disclaimer
  2.1 All Liability
  Vendor's relationship with end-users creates risks, liabilities and
  obligations due to the end-user's permitted USE of the certificates,
  and potentially through other activities such as inappropriate and
  non-permitted RELIANCE. 
=====

1.4.1 just means we get to install both licenses, similar to the other
@BINARY-REDISTRIBUTABLE discussion we had.

1.4.2 is interesting, in that a lot of users don't read elog/einfo at all. Thus
do they count as reasonable effort to the inform the user?

2.1 is where I had more concern. NRP contains this wonderful line:
"You may NOT RELY on any statements or claims made by the certificates
or implied in any way."

But...

> An option would be to RESTRICT=mirror their root key, and install it
> directly from their site, assuming they don't start messing with the
> URL.  Then we can just put the license in the ebuild like any other.
> Since we don't redistribute anything copyrighted, Gentoo itself
> doesn't enter into any license agreement.
This is entirely moot. The CACert materials in Gentoo come from Debian's
ca-certificates package. We do NOT independently supply them.
http://packages.debian.org/sid/ca-certificates

I think this might enable us to entirely sidestep a large part of the
discussion. Watch what Debian does, and see what related actions if any we need
to take.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85

[-- Attachment #2: Type: application/pgp-signature, Size: 330 bytes --]