[License-discuss] For Discussion: Cryptographic Autonomy License (CAL) Beta 2

Roger Fujii rmf at lookhere.com
Thu Aug 15 03:55:26 UTC 2019

On 8/14/2019 8:26 PM, VanL wrote:
> Hi Roger,
> Thanks for taking the time to comment.
> I'd disagree with this characterization:
> On Wed, Aug 14, 2019, 6:31 PM Roger Fujii <rmf at lookhere.com 
> <mailto:rmf at lookhere.com>> wrote:
>     Even more fundamentally than that is that this section does
>     something that no open source license does (that I'm aware of
>     anyway), which is to create an obligation just by running an
>     /unmodified/ program.
> A person can run the unmodified program (and even a modified one) 
> without having any obligations as long.as <http://long.as> they run it 
> for themselves, for their private purposes.
> This even applies to businesses, who can run CAL-licensed software for 
> the benefit of their employees and dedicated contractors.
> The obligations of the CAL only apply when there is a "Recipient" - a 
> non-Affiliate third party who receives part or all of the Work from you.
> That is a form of distribution - even if it is partial - and that is 
> the trigger for CAL's conditions.
But there is NO such constraint for 4.2.1.   It says (bold mine):
*Throughout any period in which You exercise *any* of the permissions 
granted to You under this License *

***So, let's concoct an example. I have an authentication db which has 
username/passwords. I have another separate db that has all sorts of 
data on the username. To get a username/password, the user submits a 
request to staff, the staff uses a unmodified CAL licensed standalone 
program that populates the username/password in the authentication db, 
and the user gets the authentication info texted/IMed/emailed to them. 
Since this is a concocted example, I'll say that this standalone program 
is the only CAL licensed part in the system. Given the wording (since 
nothing is constraining "User Data" and you have to use some permission 
to execute the CAL binary), any one logging in can request their user 
data (including the data on the separate db server, that never touched 
CAL) even if the user logging in never executed a single line of CAL code. *

*The problem is that data and code live in separate spaces. Code lives 
when it is executed. Data lives by its mere existence. You /might/ get 
around this by adding 2 exceptions: so 4.2.1 does not apply if a) you 
use unmodified source, or b) modified source with modifications 
released. So one can either have released the source OR you have to 
release the user data - this would be no different than something that 
is dual licensed. Dunno if other people will agree though.*

*Roger Fujii *


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensource.org/pipermail/license-discuss_lists.opensource.org/attachments/20190814/3b171982/attachment.html>

More information about the License-discuss mailing list