On Thu, 2018-06-28 at 11:53 -0400, Tom Callaway wrote:

Teasing this apart:

1, The "NTP" license is just the MIT license, which is why we do not have "NTP" in our Good License list.

2. That file (pkcs11) is not under the NTP variant of the MIT

license. It could be argued that it is a variant of the NTP variant of the MIT license... but that road leads to madness, and since the SPDX model frowns upon the ideas of variants... The wording is unique enough to merit adding it as a new license for the list, so I have done so, calling it "RSA".

So just swap "RSA" for NTP in that OpenJDK license list.

Should we now ensure that every package containing a pkcs11.h (assuming it's derived from the RSA one, which most are) now has "RSA" in its licence list?

On Thu, 2018-06-28 at 12:01 -0400, Tom Callaway wrote:

On 06/28/2018 11:57 AM, David Woodhouse wrote:

...

On Thu, 2018-06-28 at 11:53 -0400, Tom Callaway wrote:

...

Teasing this apart:

1, The "NTP" license is just the MIT license, which is why we do not have "NTP" in our Good License list.

2. That file (pkcs11) is not under the NTP variant of the MIT

license. It could be argued that it is a variant of the NTP variant of the MIT license... but that road leads to madness, and since the SPDX model frowns upon the ideas of variants... The wording is unique enough to merit adding it as a new license for the list, so I have done so, calling it "RSA".

So just swap "RSA" for NTP in that OpenJDK license list.

Should we now ensure that every package containing a pkcs11.h (assuming it's derived from the RSA one, which most are) now has "RSA" in its licence list?

That would be helpful, yes.

Just to clarify: the odds of me personally filing those bugs before I completely forget about this conversation are extremely slim.

+nmav :)

On 06/28/2018 05:53 PM, Tom Callaway wrote:

On 06/27/2018 01:09 PM, Severin Gehwolf wrote:

...

Hi,

I'm reviewing OpenJDK and licensecheck pointed me at:

http://hg.openjdk.java.net/jdk/jdk/file/cf09f0b56efd/src/jdk.crypto.cryptoki...

to be NTP. Is "NTP" this license? https://opensource.org/licenses/NTP

If that's the case, why isn't it listed in the "Good Licenses" list here? https://fedoraproject.org/wiki/Licensing:Main?rd=Licensing#Good_Licenses

What's the license of the above file?

Teasing this apart:

1, The "NTP" license is just the MIT license, which is why we do not have "NTP" in our Good License list.

2. That file (pkcs11) is not under the NTP variant of the MIT license.

It could be argued that it is a variant of the NTP variant of the MIT license... but that road leads to madness, and since the SPDX model frowns upon the ideas of variants... The wording is unique enough to merit adding it as a new license for the list, so I have done so, calling it "RSA".

So just swap "RSA" for NTP in that OpenJDK license list.

I believe the declaration of this license as GPL-compatible is inconsistent with this:

https://fedoraproject.org/wiki/Licensing:FAQ#What_about_the_RSA_license_on_t...

The license text in the RFC is this:

“ License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function.

License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing the derived work.

RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind.

These notices must be retained in any copies of any part of this documentation and/or software. ”

In the header file, it reads:

“ License to copy and use this software is granted provided that it is identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki)" in all material mentioning or referencing this software.

License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki)" in all material mentioning or referencing the derived work.

RSA Security Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind. ”

RSA's waiver mentioned in the FAQ only applies to the MD implementations, not other code that has been published under this license.

Thanks, Florian

On Mon, 2018-07-02 at 11:06 -0400, Tom Callaway wrote:

On 06/28/2018 01:47 PM, Florian Weimer wrote:

...

I believe the declaration of this license as GPL-compatible is inconsistent with this:

You're correct. The "RSA" license in that copy of pkcs11.h [1] is possibly GPL-incompatible. I'm going to remove the assertion from the Fedora licensing list that it is compatible and leave it as unclear.

However, it looks like RSA handed pkcs11 over to OASIS in 2012, and OASIS released new versions of those headers in 2016.

http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/errata01/os/include/pkcs...

Those headers are not under the RSA license, they're under a different license:

Distributed under the terms of the OASIS IPR Policy,   [http://www.oasis-open.org/policies-guidelines/ipr], AS-IS, WITHOUT   ANY IMPLIED OR EXPRESS WARRANTY; there is no warranty of   MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE or NONINFRINGEMENT   of the rights of others.

Which is clear as mud, but I believe this is the license:

Copyright © OASIS Open 2016. All Rights Reserved.

All capitalized terms in the following text have the meanings assigned   to them in the OASIS Intellectual Property Rights Policy (the "OASIS   IPR Policy"). The full Policy may be found at the OASIS website:   [http://www.oasis-open.org/policies-guidelines/ipr]

This document and translations of it may be copied and furnished to   others, and derivative works that comment on or otherwise explain it   or assist in its implementation may be prepared, copied, published,   and distributed, in whole or in part, without restriction of any kind,   provided that the above copyright notice and this section are included   on all such copies and derivative works. However, this document itself   may not be modified in any way, including by removing the copyright   notice or references to OASIS, except as needed for the purpose of   developing any document or deliverable produced by an OASIS Technical   Committee (in which case the rules applicable to copyrights, as set   forth in the OASIS IPR Policy, must be followed) or as required to   translate it into languages other than English.

The limited permissions granted above are perpetual and will not be   revoked by OASIS or its successors or assigns.

This document and the information contained herein is provided on an   "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE   INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY   IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR   PURPOSE. OASIS AND ITS MEMBERS WILL NOT BE LIABLE FOR ANY DIRECT,   INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF ANY USE OF   THIS DOCUMENT OR ANY PART THEREOF.

---

That OASIS license is non-free, because it has restrictions on modification. Which means that using these newer files is not an option.

Assuming that the pkcs11 headers (under the old RSA license) are GPL-incompatible, due to the "advertising" clause, and that this is a problem, the potential resolutions I can see are:

1. Since OASIS was given the copyright to the pkcs11 headers from RSA,

they could waive the "advertising" clause in the old headers, which would make them clearly GPL-compatible.

2. OASIS could modify their IPR to make it clear that software released

by OASIS is not subject to the restrictions on modification that their standards documents are. (My gut is that this is unlikely.)

3. The OASIS PKCS 11 Technical Committee could re-release the headers

(any version) under a known Open Source license. See: https://www.oasis-open.org/resources/open-repositories/licenses

I've CC'd Robert Relyea here, as he is listed as a chair of that committee. Robert, if you can assist us here, it would be greatly appreciated.

There is another implementation at e.g. https://github.com/p11-glue/p11-kit/blob/master/common/pkcs11.h

I don't know how clean a reimplementation that is, from the copyright point of view. It says:

/* This file is a modified implementation of the PKCS #11 standard by    OASIS group.  It is mostly a drop-in replacement, with the    following change: ...

I believe it came from libp11. It was introduced there in a commit entitled "replace rsa header files with rewrite": https://github.com/OpenSC/libp11/commit/af542d4bb621af2fe3ae6fdd20479ad04473...

... which would tend to suggest that it was intended to be a cleanly- licensed reimplementation.

Hi!

I just wanted to ask similar question as you had. I maintain bind package and it uses pkcs11 headers. I recognized those files right away, because bind uses recent version of OASIS headers. It is required for bind-pkcs11 package, important part of freeipa project. Removing it is not an option.

Are similar interfaces for standard hardware interaction released under less restrictive license?

If it is not GPL compatible, is it compatible with ISC license or MPL v2.0 license? Headers used by bind 9.9 have RSA license header. bind 9.11 distributes more recent OASIS headers [1].

I think possible workaround might be to use p11-kit headers with CRYPTOKI_COMPAT mode. It seems to define the same constants with BSD license.

1. https://gitlab.isc.org/isc-projects/bind9/blob/master/lib/isc/include/pkcs11... 2. https://github.com/p11-glue/p11-kit/blob/master/common/pkcs11.h

On 07/02/2018 05:06 PM, Tom Callaway wrote:

On 06/28/2018 01:47 PM, Florian Weimer wrote:

...

I believe the declaration of this license as GPL-compatible is inconsistent with this:

You're correct. The "RSA" license in that copy of pkcs11.h [1] is possibly GPL-incompatible. I'm going to remove the assertion from the Fedora licensing list that it is compatible and leave it as unclear.

However, it looks like RSA handed pkcs11 over to OASIS in 2012, and OASIS released new versions of those headers in 2016.

http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/errata01/os/include/pkcs...

Those headers are not under the RSA license, they're under a different license:

Distributed under the terms of the OASIS IPR Policy, [http://www.oasis-open.org/policies-guidelines/ipr], AS-IS, WITHOUT ANY IMPLIED OR EXPRESS WARRANTY; there is no warranty of MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE or NONINFRINGEMENT of the rights of others.

Which is clear as mud, but I believe this is the license:

Copyright © OASIS Open 2016. All Rights Reserved.

All capitalized terms in the following text have the meanings assigned to them in the OASIS Intellectual Property Rights Policy (the "OASIS IPR Policy"). The full Policy may be found at the OASIS website: [http://www.oasis-open.org/policies-guidelines/ipr]

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published, and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this section are included on all such copies and derivative works. However, this document itself may not be modified in any way, including by removing the copyright notice or references to OASIS, except as needed for the purpose of developing any document or deliverable produced by an OASIS Technical Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must be followed) or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. OASIS AND ITS MEMBERS WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF ANY USE OF THIS DOCUMENT OR ANY PART THEREOF.

---

That OASIS license is non-free, because it has restrictions on modification. Which means that using these newer files is not an option.

Assuming that the pkcs11 headers (under the old RSA license) are GPL-incompatible, due to the "advertising" clause, and that this is a problem, the potential resolutions I can see are:

1. Since OASIS was given the copyright to the pkcs11 headers from RSA,

they could waive the "advertising" clause in the old headers, which would make them clearly GPL-compatible.

2. OASIS could modify their IPR to make it clear that software released

by OASIS is not subject to the restrictions on modification that their standards documents are. (My gut is that this is unlikely.)

3. The OASIS PKCS 11 Technical Committee could re-release the headers

(any version) under a known Open Source license. See: https://www.oasis-open.org/resources/open-repositories/licenses

I've CC'd Robert Relyea here, as he is listed as a chair of that committee. Robert, if you can assist us here, it would be greatly appreciated.

~tom

1: http://hg.openjdk.java.net/jdk/jdk/file/cf09f0b56efd/src/jdk.crypto.cryptoki... _______________________________________________ legal mailing list -- legal@lists.fedoraproject.org To unsubscribe send an email to legal-leave@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org/...