[License-review] For approval: The Cryptographic Autonomy License (Beta 4)

Henrik Ingo henrik.ingo at avoinelama.fi
Sat Dec 7 00:29:57 UTC 2019


Nigel,

Let's not get carried away here. If a plain text password isn't stored by
the system, then there is obviously no obligation to produce a copy. This
would be the case also for any other data not stored by the system.

Henrik

On Fri, 6 Dec 2019, 23:39 Nigel T, <nigel.2048 at gmail.com> wrote:

> Again, where in the license text does it delineate what is required to be
> meet 4.2?  I can return an encrypted password to the user but the plain
> text was provided by the user at some point.  I have either not returned
> all the data given to me by the user or have obfuscated it using a
> cryptographic means.
>
> Bob has preexisting rights to US census data records because it is public
> information.  Alice has spent time and money cataloging that information so
> it could be found in a name search.  The service provides linkage from
> people in his tree to the historical US census data.  What needs to be
> provided?
>
> Answers that states with "as a general rule" or "your example is
> underspecified" means Alice has to spend lots of effort to make sure that
> the software complies with 4.2 even if she has made zero changes to that
> software.
>
> In the context of your company that means any would be competitor is at a
> huge disadvantage in using any of your offerings because at any point it
> could be determined that they are in non-compliance with 4.2 and only have
> 60 days to fix it or cease operations.  It doesn't matter at all to you if
> you are compliant.  You don't need a license.
>
> On Fri, Dec 6, 2019 at 10:49 AM VanL <van.lindberg at gmail.com> wrote:
>
>> Hi Nigel,
>>
>> On Fri, Dec 6, 2019 at 8:52 AM Nigel T <nigel.2048 at gmail.com> wrote:
>>
>>> 3.2.a seems to imply to me that there is no patent grant when the work
>>> is used as part of a combination or modification.
>>>
>>
>> This is known as a combination carveout. Patent claims are covered for
>> what is provided to you. If you modify the software in some way so that it
>> infringes a patent *solely because of your modification or combination*,
>> then your actions are not specifically licensed.
>>
>> The rationale is clear: The licensor is only responsible for what they
>> provide to other people, not those peoples' subsequent actions. Otherwise
>> someone could include a single line from someone's software ("#include
>> <stdio.h>") and claim that all the patents owned by that person were
>> licensed.
>>
>>
>>
>>> IANAL but this strikes me as a license I wouldn't touch with someone
>>> else's 10 foot pole.
>>>
>>
>> I would imagine that the CAL would not be for everyone.
>>
>>
>>>
>>> The new version also does not appear to address the issue that if CAL
>>> licensed software does not meet the requirements of 4.2 then the burden of
>>> meeting 4.2 falls on the user even if they had made no changes to the
>>> software.
>>>
>>
>> The CAL does not mandate a particular software architecture. Presumably,
>> as with any other copyleft license, anyone wanting to use CAL-licensed
>> software will consider whether they are willing to comply with the terms.
>>
>>
>>> A strict reading could imply that 4.2 would require that the user of the
>>> software provide clients with their plain text password.  Does it?  If not,
>>> why not?
>>>
>>
>> As a *general* rule, this is incorrect. Nothing in the CAL requires a
>> party to engage in poor software design so as to keep a plaintext password
>> available, nor does anything in the CAL require or suggest that a licensee
>> should decrypt the user's password. More broadly, I would hope that the
>> user's plain text password would not be "available to [the licensee]", but
>> no one can anticipate all the ways in which people will create software.
>>
>>
>>> The user of the software is the service provider and it strikes me as
>>> this license is a potential minefield for any user other than the original
>>> authors.  What does "fully use an independent copy" or "substantially
>>> identical use of the work" mean in the contexts of the license?
>>>
>>
>> The easiest way to think about this is by analogy to the GPL3's
>> anti-Tivoization and "complete corresponding source" provisions, If a
>> particular piece of data is needed for the software to function in the same
>> way in a self-hosted situation, then it must be provided.
>>
>> To guide your thoughts here, think about the "desert island test." There
>> is a desert island, with two people, Alice and Bob, and helpfully, two
>> identical computer systems. Alice provides your genealogical service to
>> Bob, her only customer, on the first computer. After a while, Bob becomes
>> dissatisfied, and wants to be able to run the software himself.
>>
>> Alice must provide to Bob the software itself, together with anything
>> needed to use all the functions in the software. Alice must also provide
>> Bob a copy of Bob's information, so that when Bob loads the information
>> into his new copy of the software on his own computer, it has the
>> information he expects, and the functionality associated with organizing or
>> analyzing his information is also available.
>>
>> There is one big caveat, though: Alice only needs to turn over
>> information that Bob has some preexisting right to. If Alice also held her
>> own information in the software, Alice doesn't need to turn over her own
>> information to Bob.
>>
>>
>>>
>>> Take this in the context of something like a genealogy service.  The
>>> user data includes my account information (data I provided), profile (data
>>> I provided), my family tree (data I provided)...
>>>
>>
>> Yes, Alice would provide Bob all this information.
>>
>>
>>> ... my DNA information (data generated for me) and potential DNA matches
>>> (data generated for me) and links to historical data and public records
>>> (data generated for me).
>>>
>>
>> This example is underspecified, so this part cannot be answered given the
>> information provided. If this information is solely based on the processing
>> of Bob's information, then Alice would need to provide it. If this is based
>> upon other information owned by Alice, then there is no requirement to
>> provide information owned by Alice.
>>
>> Thanks,
>> Van
>>
>> _______________________________________________
>> License-review mailing list
>> License-review at lists.opensource.org
>>
>> http://lists.opensource.org/mailman/listinfo/license-review_lists.opensource.org
>>
> _______________________________________________
> License-review mailing list
> License-review at lists.opensource.org
>
> http://lists.opensource.org/mailman/listinfo/license-review_lists.opensource.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensource.org/pipermail/license-review_lists.opensource.org/attachments/20191207/5c335272/attachment.html>


More information about the License-review mailing list