Date: Mon, 14 Dec 2009 20:10:25 +0000
From: "Robin H. Johnson"
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] CAcert certificate distribution license to third parties (i.e. distributors like gentoo)

On Mon, Dec 14, 2009 at 07:15:36AM -0500, Richard Freeman wrote:
> On 12/13/2009 02:49 PM, Robin H. Johnson wrote:
> >On Sun, Dec 13, 2009 at 10:44:05PM +1100, Daniel Black wrote:
> >>Recently this got produced as a draft license for parties distributing
> >>CAcert's root certificate(s) (like us).
> >>https://svn.cacert.org/CAcert/Policies/Agreements/3PVDisclaimerAndLicence.html
> >That's a pretty dense license. I can see why you had a headache.
> >
> >I believe that in its current form, we will have to make sure we have a
> >liability disclaimer to users for the license, but that should be about
> >it.
> >
>
> First, I am not a lawyer.
>
> The 3PV license does require that the user be presented with:
> http://www.cacert.org/policy/NRPDisclaimerAndLicence.php

From 3PV:
=====
1.4 Vendor's Agreement with End-User
Vendor agrees
1. to distribute both the NRP-DaL and this present agreement to end-user,
2. to advise the end-user of the NRP-DaL appropriately.
...
2. Disclaimer
2.1 All Liability
Vendor's relationship with end-users creates risks, liabilities and
obligations due to the end-user's permitted USE of the certificates, and
potentially through other activities such as inappropriate and
non-permitted RELIANCE.
=====

1.4.1 just means we get to install both licenses, similar to the other
@BINARY-REDISTRIBUTABLE discussion we had.

1.4.2 is interesting, in that a lot of users don't read elog/einfo at all.
Thus do they count as reasonable effort to inform the user?

2.1 is where I had more concern. NRP contains this wonderful line:
"You may NOT RELY on any statements or claims made by the certificates or
implied in any way."

But...

> An option would be to RESTRICT=mirror their root key, and install it
> directly from their site, assuming they don't start messing with the
> URL. Then we can just put the license in the ebuild like any other.
> Since we don't redistribute anything copyrighted, Gentoo itself
> doesn't enter into any license agreement.

This is entirely moot. The CACert materials in Gentoo come from Debian's
ca-certificates package. We do NOT independently supply them.
http://packages.debian.org/sid/ca-certificates

I think this might enable us to entirely sidestep a large part of the
discussion. Watch what Debian does, and see what related actions if any we
need to take.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robbat2@gentoo.org
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85