FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Gentoo > Gentoo Development

 
 
LinkBack Thread Tools
 
Old 12-13-2009, 10:44 AM
Daniel Black
 
Default CAcert certificate distribution license to third parties (i.e. distributors like gentoo)

Recently this got produced as a draft license for parties distributing
CAcert's root certificate(s) (like us).

https://svn.cacert.org/CAcert/Policies/Agreements/3PVDisclaimerAndLicence.html

This is still in draft hasn't been discussed in CAcert's policy group yet.

If you want to follow/contribute to this discussion look for a post to the
policy list soon.
https://lists.cacert.org/wws/info/cacert-policy

I make no inferences good or bad about this. Mainly because I'm writing this
with a headache.

Cheers,

Daniel
 
Old 12-13-2009, 06:49 PM
"Robin H. Johnson"
 
Default CAcert certificate distribution license to third parties (i.e. distributors like gentoo)

On Sun, Dec 13, 2009 at 10:44:05PM +1100, Daniel Black wrote:
> Recently this got produced as a draft license for parties distributing
> CAcert's root certificate(s) (like us).
> https://svn.cacert.org/CAcert/Policies/Agreements/3PVDisclaimerAndLicence.html
That's a pretty dense license. I can see why you had a headache.

I believe that in it's current form, we will have to make sure we have a
liability disclaimer to users for the license, but that should be about
it.

--
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robbat2@gentoo.org
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
 
Old 12-14-2009, 11:15 AM
Richard Freeman
 
Default CAcert certificate distribution license to third parties (i.e. distributors like gentoo)

On 12/13/2009 02:49 PM, Robin H. Johnson wrote:

On Sun, Dec 13, 2009 at 10:44:05PM +1100, Daniel Black wrote:

Recently this got produced as a draft license for parties distributing
CAcert's root certificate(s) (like us).
https://svn.cacert.org/CAcert/Policies/Agreements/3PVDisclaimerAndLicence.html

That's a pretty dense license. I can see why you had a headache.

I believe that in it's current form, we will have to make sure we have a
liability disclaimer to users for the license, but that should be about
it.



First, I am not a lawyer.

The 3PV license does require that the user be presented with:
http://www.cacert.org/policy/NRPDisclaimerAndLicence.php

I'm not sure that simply posting the link in an einfo would satisfy the
requirements. We might need to post the full text to qualify as having
presented it to the user - not sure about that. I don't see anything in
there that requires interaction though (hitting a yes button or anything
like that).


The license itself is fairly short - we only need to post the NRP and
not the 3PV license. The 3PV is a license for Gentoo to distribute
content to users under the NRP. Users who don't redistribute the key
don't need to worry about it.


An option would be to RESTRICT=mirror their root key, and install it
directly from their site, assuming they don't start messing with the
URL. Then we can just put the license in the ebuild like any other.
Since we don't redistribute anything copyrighted, Gentoo itself doesn't
enter into any license agreement.


Only issue with that is that it is often bundled with a bunch of others
and I don't know that you can restrict only one URL in the ebuild.
 
Old 12-14-2009, 07:10 PM
"Robin H. Johnson"
 
Default CAcert certificate distribution license to third parties (i.e. distributors like gentoo)

On Mon, Dec 14, 2009 at 07:15:36AM -0500, Richard Freeman wrote:
> On 12/13/2009 02:49 PM, Robin H. Johnson wrote:
> >On Sun, Dec 13, 2009 at 10:44:05PM +1100, Daniel Black wrote:
> >>Recently this got produced as a draft license for parties distributing
> >>CAcert's root certificate(s) (like us).
> >>https://svn.cacert.org/CAcert/Policies/Agreements/3PVDisclaimerAndLicence.html
> >That's a pretty dense license. I can see why you had a headache.
> >
> >I believe that in it's current form, we will have to make sure we have a
> >liability disclaimer to users for the license, but that should be about
> >it.
> >
>
> First, I am not a lawyer.
>
> The 3PV license does require that the user be presented with:
> http://www.cacert.org/policy/NRPDisclaimerAndLicence.php
From 3PV:
=====
1.4 Vendor's Agreement with End-User
Vendor agrees
1. to distribute both the NRP-DaL and this present agreement to end-user,
2. to advise the end-user of the NRP-DaL appropriately.
...
2. Disclaimer
2.1 All Liability
Vendor's relationship with end-users creates risks, liabilities and
obligations due to the end-user's permitted USE of the certificates,
and potentially through other activities such as inappropriate and
non-permitted RELIANCE.
=====

1.4.1 just means we get to install both licenses, similar to the other
@BINARY-REDISTRIBUTABLE discussion we had.

1.4.2 is interesting, in that a lot of users don't read elog/einfo at all. Thus
do they count as reasonable effort to the inform the user?

2.1 is where I had more concern. NRP contains this wonderful line:
"You may NOT RELY on any statements or claims made by the certificates
or implied in any way."

But...

> An option would be to RESTRICT=mirror their root key, and install it
> directly from their site, assuming they don't start messing with the
> URL. Then we can just put the license in the ebuild like any other.
> Since we don't redistribute anything copyrighted, Gentoo itself
> doesn't enter into any license agreement.
This is entirely moot. The CACert materials in Gentoo come from Debian's
ca-certificates package. We do NOT independently supply them.
http://packages.debian.org/sid/ca-certificates

I think this might enable us to entirely sidestep a large part of the
discussion. Watch what Debian does, and see what related actions if any we need
to take.

--
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robbat2@gentoo.org
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
 
Old 12-15-2009, 12:44 AM
Richard Freeman
 
Default CAcert certificate distribution license to third parties (i.e. distributors like gentoo)

On 12/14/2009 03:10 PM, Robin H. Johnson wrote:

1.4 Vendor's Agreement with End-User
Vendor agrees
1. to distribute both the NRP-DaL and this present agreement to end-user,


Ah, this was my mistake. I read that as "to distribute both the NRP-DaL
and present this agreement to [the] end-user," Funny how swapping the
order of two words changes an adjective to a verb...
 
Old 12-15-2009, 05:46 AM
Daniel Black
 
Default CAcert certificate distribution license to third parties (i.e. distributors like gentoo)

On Tuesday 15 December 2009 07:10:25 Robin H. Johnson wrote:
>
> This is entirely moot. The CACert materials in Gentoo come from Debian's
> ca-certificates package. We do NOT independently supply them.
> http://packages.debian.org/sid/ca-certificates
>
> I think this might enable us to entirely sidestep a large part of the
> discussion.

quite possible.

> Watch what Debian does, and see what related actions if any we
> need to take.

I did email the debian maintainer too. no response yet. They have interactive
builds though and I guess we do too now. Will be a royal pain if every
CA/software did the same thing.
 
Old 12-15-2009, 11:19 AM
Richard Freeman
 
Default CAcert certificate distribution license to third parties (i.e. distributors like gentoo)

On 12/15/2009 01:46 AM, Daniel Black wrote:

I did email the debian maintainer too. no response yet. They have interactive
builds though and I guess we do too now. Will be a royal pain if every
CA/software did the same thing.



The last thing gentoo needs is interactive builds. XFree86 was forked
over something less annoying than that (advertising clause)...


I'd rather put a disclaimer in the handbook that when you install gentoo
you bear the consequences of anything you do with it: if you're in a
jurisdiction where software licenses are binding on those who use
software then be sure to set ACCEPT_LICENSE accordingly, and all users
should monitor the outputs of their builds for important notices.


On that note, perhaps the default make.conf should send ELOGs to
root@localhost or something? People can disable it if they don't like
it, but I don't think we want our default to be that important notices
are lost.


If legal experts feel that the only thing that will work would be an
interactive build, then we should:


1. Have the build by default terminate with an error that it requires
some kind of acknowledgment. Ideally have the package manager detect
this condition at --pretend time.
2. Have the user set this acknowledgment using an environment variable
in make.conf (perhaps a setting for these purposes), or a local use
flag, or some other one-time non-interactive mechanism.
3. Have the build notice this and proceed normally (so the actual build
and future upgrades are non-interactive).


4. Ensure that this package is NOT required by anything in system, or
installed by default by any major popular package (so maybe we have
ca-certificates, and ca-certificates-annoying or something).


We definitely don't want the gentoo experience to be one of typing
emerge world and then having to check back on it every three minutes to
see what the latest prompt is.


I'm generally in favor of including CACert by default, but if they're
going to shoot themselves in the foot over licensing then that is their
loss. I already have to install it manually for chromium (a real pita,
btw). I can't see the council voting to allow interactive builds for a
certificate, and I really don't see why CACert is pushing this either...
 
Old 12-16-2009, 11:26 AM
Daniel Black
 
Default CAcert certificate distribution license to third parties (i.e. distributors like gentoo)

On Tuesday 15 December 2009 23:19:22 Richard Freeman wrote:
> On 12/15/2009 01:46 AM, Daniel Black wrote:
> > I did email the debian maintainer too. no response yet. They have
> > interactive builds though and I guess we do too now. Will be a royal pain
> > if every CA/software did the same thing.
>
> The last thing gentoo needs is interactive builds.
agree.

> I'd rather put a disclaimer in the handbook that when you install gentoo
> you bear the consequences of anything you do with it: if you're in a
> jurisdiction where software licenses are binding on those who use
> software then be sure to set ACCEPT_LICENSE accordingly, and all users
> should monitor the outputs of their builds for important notices.
sounds reasonable.

> If legal experts feel that the only thing that will work would be an
> interactive build, then we should:
I'm not sure it is. Its very early days of this license.

after reading this license without (or significantly less of) a headache i'm
thinking 1.4 2) "to advice the end-user of the NRP-DaL" refers to advising the
user that the license exists rather the text of it. Gentoo maintainers could
simple add the NRP-DaL to the LICENSE of the ebuild. Portage 2.2's requiring
the user add acceptable licenses to ACCEPT_LICENSE is probably sufficient.

> I'm generally in favor of including CACert by default, but if they're
> going to shoot themselves in the foot over licensing then that is their
> loss.
they aren't trying to they just don't know our issues. I did ask for wider
consultation and to be wary of clauses incompatible with distributors normal
operations.

> .. and I really don't see why CACert is pushing this either...

Clearing up a legal loop to allow distribution in a way that communicates the
NRP-DaL to the end-user. Their own page http://www.cacert.org/index.php?id=3
doesn't mention NRP-DaL either so as you can see, their are just progressing
with a few little bumps and inconsistencies like everyone else.

https://lists.cacert.org/wws/arc/cacert-board/2009-12/msg00080.html


Daniel
 
Old 06-27-2010, 01:02 AM
Daniel Black
 
Default CAcert certificate distribution license to third parties (i.e. distributors like gentoo)

On Sunday 13 December 2009 22:44:05 Daniel Black wrote:
> Recently this got produced as a draft license for parties distributing
> CAcert's root certificate(s) (like us).
>
> https://svn.cacert.org/CAcert/Policies/Agreements/3PVDisclaimerAndLicence.h
> tml
>
> This is still in draft hasn't been discussed in CAcert's policy group yet.
>
> If you want to follow/contribute to this discussion look for a post to the
> policy list soon.
> https://lists.cacert.org/wws/info/cacert-policy
>
> I make no inferences good or bad about this. Mainly because I'm writing
> this with a headache.
>
> Cheers,
>
> Daniel

Recently Sasha from Fedora has proposed CAcert's root distribution license as
CC-ND. This avoids many complications of the draft proposal above.

By joining the list you can vote for it.

the proposal:
https://lists.cacert.org/wws/arc/cacert-policy/2010-06/msg00151.html

Once registered on this site there is a "send to (your email)" link on the top
right to preserve threading.

ref: http://spreitzer.name/set-the-cacert-root-certificates-free

Daniel
 

Thread Tools




All times are GMT. The time now is 01:15 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org