[License-discuss] 3-clause BSD with additional clause forbidding key disclosure

Johnny A. Solbu johnny at solbu.net
Thu Feb 5 17:33:40 UTC 2015


On Wednesday 4. February 2015 15.37, Zluty Sysel wrote:
> The issue here is one of trust from stakeholders that do not have
> enough familiarity with the open source movement. 

They do not need to know the technical issues. Microsoft's shareholders do not know how Microsoft distributes any secrets like keys, they just need to trust that Microsoft keeps secret what needs to be secret.

> The code is already separated in a way that isolates the Private Key

How are they separated?
I think a little info on how you currently do it might give better understanding among those who give advice on this list.

> there have been
> instances of these keys leaking into the public domain in the past,
> and the persons in charge want to avoid that happening again. This is
> unfortunately out of my control so my goal here is to try and find a
> middle-ground solution that allows us to open source a bunch of code
> for the benefit of everybody, users and company alike.
> That is why they insisted in modifying the 3-Clause BSD to include an
> explicit ban of the Private Key redistribution, 

As I see it, there is no middle ground. Either it is open source or it is not.
Shipping something with a requirement that parts of the distributed software cannot be distributed makes it proprietary, and many distributions will refuse to include it as a result.

But this raises another question: Will those keys be distributed with the downloadable source code?
If not, I don't see the need to modify the license. Then you just need to have an EULA forbidding it, which needs to be accepted by those wanting to purchase a key.

If you do not ship the key with the software (e.g. if one can't obtain the key by simply downloading the source tarball) then you don't need to modify the license.

> and what I am trying
> to find out with these emails is whether that additional clause would
> be in contradiction with the Open Source Definition.

As I see it, it does contradict the Open Source Definition.

> If that additional clause turns out to be incompatible with the OSS
> standards, then we will go back to the drawing board and start
> negotiating a different solution.

The suggestion from a few of us is to license the key separate from the rest of the software.
I don't see any other way to do it if you want to make the software Open Source.

-- 
Johnny A. Solbu
web site,   http://www.solbu.net
PGP key ID: 0xFA687324