On Mon, Dec 14, 2009 at 07:15:36AM -0500, Richard Freeman wrote:
> On 12/13/2009 02:49 PM, Robin H. Johnson wrote:
> >On Sun, Dec 13, 2009 at 10:44:05PM +1100, Daniel Black wrote:
> >>Recently this got produced as a draft license for parties distributing
> >>CAcert's root certificate(s) (like us).
> >>https://svn.cacert.org/CAcert/Policies/Agreements/3PVDisclaimerAndLicence.html
> >That's a pretty dense license. I can see why you had a headache.
> >
> >I believe that in its current form, we will have to make sure we have a
> >liability disclaimer to users for the license, but that should be about
> >it.
> >
>
> First, I am not a lawyer.
>
> The 3PV license does require that the user be presented with:
> http://www.cacert.org/policy/NRPDisclaimerAndLicence.php

From 3PV:
=====
1.4 Vendor's Agreement with End-User
Vendor agrees
1. to distribute both the NRP-DaL and this present agreement to end-user,
2. to advise the end-user of the NRP-DaL appropriately.
...
2. Disclaimer
2.1 All Liability
Vendor's relationship with end-users creates risks, liabilities and
obligations due to the end-user's permitted USE of the certificates, and
potentially through other activities such as inappropriate and
non-permitted RELIANCE.
=====

1.4.1 just means we get to install both licenses, similar to the other
@BINARY-REDISTRIBUTABLE discussion we had.

1.4.2 is interesting, in that a lot of users don't read elog/einfo at
all. Thus do they count as reasonable effort to inform the user?

2.1 is where I had more concern. NRP contains this wonderful line:
"You may NOT RELY on any statements or claims made by the certificates
or implied in any way."

But...

> An option would be to RESTRICT=mirror their root key, and install it
> directly from their site, assuming they don't start messing with the
> URL. Then we can just put the license in the ebuild like any other.
> Since we don't redistribute anything copyrighted, Gentoo itself
> doesn't enter into any license agreement.

This is entirely moot. The CACert materials in Gentoo come from Debian's
ca-certificates package. We do NOT independently supply them.
http://packages.debian.org/sid/ca-certificates

I think this might enable us to entirely sidestep a large part of the
discussion. Watch what Debian does, and see what related actions if any
we need to take.

--
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail   : robbat2@gentoo.org
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85