[License-review] For approval: The Cryptographic Autonomy License (Beta 4)

VanL van.lindberg at gmail.com
Fri Dec 6 15:48:41 UTC 2019


Hi Nigel,

On Fri, Dec 6, 2019 at 8:52 AM Nigel T <nigel.2048 at gmail.com> wrote:

> 3.2.a seems to imply to me that there is no patent grant when the work is
> used as part of a combination or modification.
>

This is known as a combination carveout. Patent claims are covered for what
is provided to you. If you modify the software in some way so that it
infringes a patent *solely because of your modification or combination*,
then your actions are not specifically licensed.

The rationale is clear: The licensor is only responsible for what they
provide to other people, not those people's subsequent actions. Otherwise
someone could include a single line from someone's software ("#include
<stdio.h>") and claim that all the patents owned by that person were
licensed.



> IANAL but this strikes me as a license I wouldn't touch with someone
> else's 10 foot pole.
>

I would imagine that the CAL would not be for everyone.


>
> The new version also does not appear to address the issue that if CAL
> licensed software does not meet the requirements of 4.2 then the burden of
> meeting 4.2 falls on the user even if they had made no changes to the
> software.
>

The CAL does not mandate a particular software architecture. Presumably, as
with any other copyleft license, anyone wanting to use CAL-licensed
software will consider whether they are willing to comply with the terms.


> A strict reading could imply that 4.2 would require that the user of the
> software provide clients with their plain text password.  Does it?  If not,
> why not?
>

As a *general* rule, this is incorrect. Nothing in the CAL requires a party
to engage in poor software design so as to keep a plaintext password
available, nor does anything in the CAL require or suggest that a licensee
should decrypt the user's password. More broadly, I would hope that the
user's plain text password would not be "available to [the licensee]", but
no one can anticipate all the ways in which people will create software.


> The user of the software is the service provider and it strikes me as this
> license is a potential minefield for any user other than the original
> authors.  What does "fully use an independent copy" or "substantially
> identical use of the work" mean in the contexts of the license?
>

The easiest way to think about this is by analogy to the GPL3's
anti-Tivoization and "complete corresponding source" provisions. If a
particular piece of data is needed for the software to function in the same
way in a self-hosted situation, then it must be provided.

To guide your thoughts here, think about the "desert island test." There is
a desert island, with two people, Alice and Bob, and helpfully, two
identical computer systems. Alice provides your genealogical service to
Bob, her only customer, on the first computer. After a while, Bob becomes
dissatisfied, and wants to be able to run the software himself.

Alice must provide to Bob the software itself, together with anything
needed to use all the functions in the software. Alice must also provide
Bob a copy of Bob's information, so that when Bob loads the information
into his new copy of the software on his own computer, it has the
information he expects, and the functionality associated with organizing or
analyzing his information is also available.

There is one big caveat, though: Alice only needs to turn over information
that Bob has some preexisting right to. If Alice also held her own
information in the software, Alice doesn't need to turn over her own
information to Bob.


>
> Take this in the context of something like a genealogy service.  The user
> data includes my account information (data I provided), profile (data I
> provided), my family tree (data I provided)...
>

Yes, Alice would provide Bob all this information.


> ... my DNA information (data generated for me) and potential DNA matches
> (data generated for me) and links to historical data and public records
> (data generated for me).
>

This example is underspecified, so this part cannot be answered given the
information provided. If this information is solely based on the processing
of Bob's information, then Alice would need to provide it. If this is based
upon other information owned by Alice, then there is no requirement to
provide information owned by Alice.

Thanks,
Van