1998-09-28 - propose: `cypherpunks license' (Re: Wanted: Twofish source code)

Header Data

From: Adam Back <aba@dcs.ex.ac.uk>
To: eay@cryptsoft.com
Message Hash: e723d7e406bf2a0230a52b85d72e3ce8e6df9145407e68088800458c5fe3d0d0
Message ID: <199809281845.TAA18662@server.eternity.org>
Reply To: <Pine.GSO.3.96.980929021733.29055D-100000@pandora.cryptsoft.com>
UTC Datetime: 1998-09-28 06:06:07 UTC
Raw Date: Mon, 28 Sep 1998 14:06:07 +0800

Raw message

From: Adam Back <aba@dcs.ex.ac.uk>
Date: Mon, 28 Sep 1998 14:06:07 +0800
To: eay@cryptsoft.com
Subject: propose: `cypherpunks license' (Re: Wanted: Twofish source code)
In-Reply-To: <Pine.GSO.3.96.980929021733.29055D-100000@pandora.cryptsoft.com>
Message-ID: <199809281845.TAA18662@server.eternity.org>
MIME-Version: 1.0
Content-Type: text/plain

Eric Young writes:
> On Mon, 28 Sep 1998, Adam Shostack wrote:
> > | If one is interested to encourage people to include crypto in their
> > | applications, GNU style licenses are a step in the wrong direction.
> > 
> > I wholeheartedly agree.  There's a number of packages out there I'd
> > love to be able to use in products I'm building.  Code re-use,
> > customers not having to worry about what libraries we're using, and
> > convincing management to free some of the stuff we're doing, are all
> > good arguments in favor.  The contamination bits of the GPL utterly
> > prevent us from doing this.  BSD, PD, or Artistic licenses are far
> > preferable.
> :-) A certain person I work closely with likes to call it a virus.
> Once a package is infected by some GPL code, it takes over the whole package
> (according to the licence).

That concisely says what is wrong with GPL for the purposes of crypto
deployment to head off government key grabbing attempts.  It is a
license virus.  A license virus with this aim: to propagate the
license allowing free access to source code, and (the killer for
crypto deployment!!) propagating the provision that anyone has the
ability to re-sell any source code based on GNU source code.

The negative implications of GPL don't hit you until you are involved
in actually trying to create some commercial software.  Try it, and
you quickly realise that all that GNU software is useless for the
commercial people's purposes.

Consider: GNU says that all of their source must be GNUed if any of
the code you use is.  So now they have a GNU license on their
software, and the other provision of the license means that anyone is
allowed to take the software they are selling and re-sell it!  It is
indeed no wonder that their lawyers have fits.

(There is a difference between GNU and GNU Library.  GNU library allows
you to use a library without infecting your entire software.  GNU
library is sort of usable.)

I used to be quite pro-GNU until I tried this exercise (writing
commercial crypto software for software companies) and ended up
re-writing huge tracts of stuff just to remove the GNU license virus.
This extra expense, hassle, etc likely kills many commercial crypto
projects, and the whole aim of the game is to encourage commercial
people to add crypto to their software.  This aim often conflicts with
RMS/FSF's aims.

I have from time to time proposed the idea of a `cypherpunks license'
which embodies cypherpunk goals, as distinct from RMS's particular
concept of `free source', noble tho' this aim is, it conflicts with
the crypto deployment aim, which for many of us takes precedence. (GNU
source is actually highly restricted source -- but it guarantees that
you can get it, and stops other people preventing you from getting
source for derived works).

All stuff I have written (non-commercially) so far has been PD.
(Actually I don't even dignify it with a `this is PD' note -- I
personally have zip respect for copyright, patents, licenses).

However, perhaps one could do one better than PD: restrict use to
propagate cypherpunk goals.  eg. 

- You may not use this code in software which provides government back

And perhaps, as a condition of the license the software should display
some anti-GACK slogan :-), or a URL for a site with lots of
documentation on key grabbing attempts, clipper I - IV, ECHELON, etc.

And perhaps:

- secret service agencies can not use this software / or must pay
exorbitant license fees

> I've seen some people in the GNU camp argue that the BSD type licence gets
> ugly because of all the 'includes code from xyz' type messages, but my
> experience is that commercial people can overcome this, but not the GPL.

Agree, same experience here.

> I changed from the GPL quite some time ago, primarily because I was
> getting sick of email from people wanting to use a library of mine
> but their legal people were going into spasms because of the full
> implications of the GPL.

I was saying to Werner in email that SSLeay is probably the most
widely used crypto package in both commercial and non-commercial
software.  I suggested that if you had used GPL, the commercial use
would have been greatly hindered.  You backed this up above.

btw. I consider this discussion is highly topical for coderpunks --
the license put on software hugely impacts its value, and coderpunks
was originally intended (by its proposers) to provide a lower noise
environment for cypherpunks interested in code.  

Of late it appears to me that coderpunks has almost lost interest in
its cypherpunk origins -- few to none of the comments relate to
creating crypto code to further a political aim.  `cypherpunks write
code ...' for a reason, and I suspect some coderpunks have lost sight
of that reason, or perhaps many have joined more recently and never
had sight of it, crypto coding being just a job to them.

In all it might seem even that coderpunks has had a negative impact on
the amount of crypto coding happening -- it siphoned off coders who
had been active on cypherpunks into a low volume, apolitical mailing
list where nothing much happens, and proposed projects quickly die.

The role of the coderpunks retro-moderators, though well meaning of
course, I think has not helped either, in that even questions about
export (surely relevant for usefulness of code) are flagged as