[License-review] For approval: The Cryptographic Autonomy License (Beta 4)

McCoy Smith mccoy at lexpan.law
Thu Feb 13 18:22:04 UTC 2020

>>-----Original Message-----
>>From: License-review <license-review-bounces at lists.opensource.org> On Behalf Of Christopher Lemmer Webber
>>Sent: Thursday, February 13, 2020 9:06 AM
>>To: License submissions for OSI review <license-review at lists.opensource.org>
>>Subject: Re: [License-review] For approval: The Cryptographic Autonomy License (Beta 4)

>>Pamela Chestek writes:

>>> Hi Chris,
>>> I'm still in the dark. Can you explain what OSD is not met and where you find that in the license? If it's a meta-OSD problem, like forced disclosure of data that is not yours to have, can you explain it in 
>>> layperson's terms?

>>In layperson's terms, the concerns are roughly the following:

>> - Is there a possibility of forced disclosure of private data, in terms of user data or keys, in terms of a wider source distribution requirement or via the introduction of the user/recipient data (and
>>cryptographic material) disclosure for equivalent use?

>> - I think that requirements for documentation and configuration information for "use" is a bit too broad; I think "execute" is a better term.  This one is an easy fix.

FWIW, GPLv3 has requirements to disclose keys, and configuration information for "execution":

“Installation Information” for a User Product means any methods, procedures, *authorization keys,* or *other information required to install and execute modified versions of a covered work* in that User Product from a modified version of its Corresponding Source.

>From a precedent standpoint, "execute" might be better (given GPLv3 is OSI approved and uses that term), although I'm not sure what other "uses" there are for software other than execution.  It's an interesting semantic/definitional question.

More information about the License-review mailing list