[License-discuss] 3-clause BSD with additional clause forbidding key disclosure

Zluty Sysel zluty.sysel at gmail.com
Wed Feb 4 14:37:56 UTC 2015


On Wed, Feb 4, 2015 at 3:20 PM, Cinly Ooi <cinly.ooi at gmail.com> wrote:
> I would probably refactor the code so the authentication key (or routine)
> goes into a separate file (authentication file) and distribute that file
> under a different license. Everything except that will go open source and
> instruction to users to replace the authentication file.
>
> You decide how much you want to open source. Convention says that you should
> at least provide enough to be useful. Open source never requires you to
> disclose your private key, so it is my reading that you will satisfy the
> convention that you provide enough information (such as API documentation)
> to allow others to substitute and implement their own authentication
> key/method in place of yours. Putting authentication details in a separate
> file and licensing it separately is an easy means to achieve this.
>
> Besides, separating them makes it easier to prevent accidental disclosure of
> your private keys.

Thanks for the suggestion.

The issue here is one of trust from stakeholders that do not have
enough familiarity with the open source movement. The code is already
separated in a way that isolates the Private Key, but there have been
instances of these keys leaking into the public domain in the past,
and the persons in charge want to avoid that happening again. This is
unfortunately out of my control so my goal here is to try and find a
middle-ground solution that allows us to open source a bunch of code
for the benefit of everybody, users and company alike.
That is why they insisted on modifying the 3-Clause BSD to include an
explicit ban of the Private Key redistribution, and what I am trying
to find out with these emails is whether that additional clause would
be in contradiction with the Open Source Definition. While I
understand that this is not the ideal solution, it is the only one
that so far has a certain likelihood of succeeding in establishing an
agreement between stakeholders and open source advocates within the
company.
If that additional clause turns out to be incompatible with the OSS
standards, then we will go back to the drawing board and start
negotiating a different solution.

Zluty


>
>
> Best Regards,
> Cinly
>
> *****
> I do not read footers and will not be bound by them. If they are legally
> enforceable then this one always triumphs over yours.
>
> On 4 February 2015 at 12:11, Gervase Markham <gerv at mozilla.org> wrote:
>>
>> On 03/02/15 17:21, Zluty Sysel wrote:
>> > I have a set of source files that I would like to open source using a
>> > standard 3-Clause BSD but my company would not like that a certain set
>> > of Private Keys used for authentication be disclosed along with the
>> > code.
>>
>> You don't need to write a new license for this. Merely provide the
>> Private Key to your customers under a license other than the BSD license
>> - e.g. an agreement which has a confidentiality clause prohibiting
>> disclosure.
>>
>> Gerv
>>
>> _______________________________________________
>> License-discuss mailing list
>> License-discuss at opensource.org
>> http://projects.opensource.org/cgi-bin/mailman/listinfo/license-discuss


