[License-review] For Approval: The Cryptographic Autonomy License

Bruce Perens bruce at perens.com
Thu May 9 04:37:51 UTC 2019


On Wed, May 8, 2019 at 8:07 PM VanL <van.lindberg at gmail.com> wrote:

> In order for Betty to have a duty vis a vis Anna, Anna needs to be a
> Recipient of the Work from Betty.
>

What if Anna performs the work? It seems to me that all participants in a
blockchain system would have to perform the work to at least one other
user. Since your language seems oriented toward a system with a system
operator who potentially hoards data, most users would probably be
performing the software to that system operator. Potentially this is your
customer.


> The CAL does not contain a concept of "Derived Data," so I am somewhat
> unsure how to respond to your #2.
>

The problem is that Anna's data exists in a modified form. It's been
digitally signed by Betty along with data added by Betty.

So, Anna gets a copy of the blockchain after Betty adds her block. She now
has a lawful interest in it, in terms of possession. But not in the key
that Betty used to sign it?

I am not yet seeing that your language regarding cryptographic keys and
user data is sufficiently selective. It just says "cryptographic keys" and
that they are the keys necessary to "process user data". Process can mean
many things, including applying a digital signature.

Note your definition of "Source Code":

o) “Source Code” means the form of the work preferred for making
modifications, including any comments, design documentation, help
materials, installation instructions, *cryptographic keys*, and any
information reasonably necessary to compile the Source Code into Object
Code *or Process User Data* using generated Object Code.

Emphasis mine. Perhaps modulated by a comma, the definition of source code
seems to include cryptographic keys used to process user data.


> This is mixing two different concepts.  The above concerns User Data,
this concerns source code.

It seems to me that the above is concerning both source code and user data.
To quote again:

*cryptographic keys*, and any information reasonably necessary to compile
the Source Code into Object Code *or Process User Data* using generated
Object Code.


I am still reading this as "cryptographic keys necessary to process user
data". If that is not what it says, perhaps splitting this into two
sentences is appropriate.

> If Betty has a code signing key necessary to execute the object code,
then that code signing key must be provided so that Anna can compile and
run the source code in other contexts.

But not process user data? The text arguably says yes, you are saying no.

    Thanks

    Bruce

>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensource.org/pipermail/license-review_lists.opensource.org/attachments/20190508/e6420e91/attachment-0001.html>


More information about the License-review mailing list