[License-review] For approval: The Cryptographic Autonomy License (Beta 4)

Ian Kelling ian at iankelling.org
Thu Feb 13 05:16:31 UTC 2020

Josh Berkus <josh at berkus.org> writes:

> On 1/7/20 11:00 AM, Pamela Chestek wrote:
>> The discussion is still active so it will not be considered at the next
>> Board meeting, which is this Friday. The soonest would be the February
>> Board meeting.
> So, it's been a month since there's been any discussion about the CAL.
> Pamela, can we take a poll of how people feel about the license?
> Pass/Reject/MoreDiscussionNeeded?

Sorry to chime in at this late stage, I haven't read all the messages,
but I did search for some relevant terms and didn't find much. I'm
mostly a developer and sysadmin with an interest in licenses.

I'd say Reject/MoreDiscussionNeeded

The user data provision is my main concern.

What is providing a service? For example,
https://lists.opensource.org/mailman/listinfo/, is gnu mailman. Is it
providing me a service?
would say that its a "communication service" and maybe a "repository of
information" that I'm contributing to, and it is not providing me a
service that I could do on my own computer. In this case, the data
provision would only restrict the freedom of the server operator, not
give me any freedom.

This license talks about "equivalent context chosen by the recipient."
If I can choose that talking to myself on gnu mailman is equivalent, it
seems like it would make gnu mailman a service. If so, my user data
would probably include my user preferences for this list. Those are
output from the program into a database on the server, they are also
output from the program to an html page when I log in at
https://lists.opensource.org/mailman/listinfo/license-discuss_lists.opensource.org. Would
that html output be considered a "commonly used electronic form"?  Now,
say there was a bug in gnu mailman, the html page with the user data
doesn't work for 1 in 1000 users. Now OSI is out of compliance and they
have to stop providing the service? That seems backfiring of that
provision, because then the other 9999 users can't get their data at all
anymore. The rationale document says the user data requirement would not
be a significant burden in comparison to other licenses, how was that
concluded? Bugs are very common, it seems like its mandating bug free
code, which is a much much bigger burden, so much that it seems to
conflict with the freedom to modify and run (even if you are providing a

In the rationale document Pamela posted, it said user data requirement
was "consistent" with gplv3 anti-tivoization. That seems like a huge
stretch. Installation information is part of gplv2 and really just part
of the complete and corresponding source. User data is fundamentally

Ian Kelling

More information about the License-review mailing list