[License-review] For Approval: The Cryptographic Autonomy License

VanL van.lindberg at gmail.com
Wed May 8 22:45:08 UTC 2019

Hi Pam,

Reading through your hypothetical, you seem to get the big picture correct,
but some of the details incorrect.

At a high level, would a website operator running a CAL-licensed storefront
application have to provide a copy of the store-running source code to you?
*Yes, they would. *
Would a website operator also need to offer you a copy of your User Data
(here your order information)? *Yes, they would.*

To specifics:

On Wed, May 8, 2019 at 5:01 PM Pamela Chestek <pamela at chesteklegal.com>

> Assume that the CAL is used for front-end software. A website uses the
> software for its website. Through a webform I order a gift that is for my
> daughter, who lives at a different address. It appears to me that, under
> the CAL:
> My daughter's name and address are "User Data," that is, they are data
> that is input to the Work and my daughter, a third party, has a Lawful
> Interest in the data.

This is not quite correct. The information about the order is User Data,
but it is *your* User Data, not your daughter's; your daughter is not a
Recipient. (Note that *you* would have the ability to ask for your order
data from the website.)

> The website has Publicly Performed, that is, it has made an interface
> available that is used for access to User Data, my daughter's name and
> address. As a result, this interaction means that under 2.2.1 and 2.2.2 the
> website has to provide me (the Recipient) with a copy of the source code.

Yes, they would need to provide you a copy of the source code. This is
similar (in practice) to how AGPL web apps work. Technically, the AGPL only
requires a link to download the source code of modified works, but compare
the as-applied licensing for various AGPL web apps:

   - Owncloud
<https://owncloud.com/owncloud-agplv3-owncloud-commercial-license/>: "How
does the AGPLv3 apply to those apps and any apps you write as extentions?
Very easily; every ownCloud app is treated as modified work because the
code from the ownCloud core is always running in parallel of any such

    - Processmaker
"Under the AGPL, you must release the complete source code for the
application that is built with ProcessMaker, even if that application is
running on a network server for SaaS or Cloud hosted purposes."  (Compare
Razuna <https://www.razuna.org/whatisrazuna/licensing>, who also use this

    - Artifex <https://artifex.com/licensing/>: "Bottom line, if you
distribute our software, or make the functionality of the software
available to users interacting with it remotely through a computer network,
you must share your source code."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensource.org/pipermail/license-review_lists.opensource.org/attachments/20190508/ef9eb2a9/attachment.html>

More information about the License-review mailing list