
Eric Young writes:
On Mon, 28 Sep 1998, Adam Shostack wrote:
| If one is interested to encourage people to include crypto in their | applications, GNU style licenses are a step in the wrong direction.
I wholeheartedly agree. Theres a number of packages out there I'd love to be able to use in products I'm building. Code re-use, customers not having to worry about what libraries we're using, and convincing management to free some of the stuff we're doing, are all good arguments in favor. The contamination bits of the GPL utterly prevent us from doing this. BSD, PD, or Artistic licenses are far preferable.
:-) A certain person I work closely with likes to call it a virus. Once a package is infected by some GPL code, it takes over the whole package (according to the licence).
That concisely says what is wrong with GPL for the purposes of crypto deployment to head off government key grabbing attempts. It is a license virus. A license virus with this aim: to propogate the license allowing free access to source code, and (the killer for crypto deployment!!) propogating the provision that anyone has the ability to re-sell any source code based on GNU source code. The negative implications of GPL don't hit you until you are involved in actually trying to create some commercial software. Try it, and you quickly realise that all that GNU software is useless for the commercial people's purposes. Consider: GNU says that all of their source must be GNUed if any of the code you use is. So now they have a GNU license on their software, and the other provision of the license means that anyone is allowed to take the software they are selling and re-sell it! It is indeed no wonder that their lawyers have fits. (There is a difference between GNU and GNU Library. GNU library allows you to use a library without infecting your entire software. GNU library is sort of usable.) I used to be quite pro-GNU until I tried this exercise (writing commercial crypto software for software companies) and ended up re-writing huge tracts of stuff just to remove the GNU license virus. This extra expense, hassle, etc likely kills many commercial crypto projects, and the whole aim of the game is to encourage commercial people to add crypto to their software. This aim often conflicts with RMS/FSF's aims. I have from time to time proposed the idea of a `cypherpunks license' which embodies cypherpunk goals, as distinct from RMS's particular concept of `free source', noble tho' this aim is, it conflicts with the crypto deployment aim, which for many of us takes precedence. (GNU source is actually highly restricted source -- but it guarantess that you can get it, and stops other people preventing you from getting source for derived works). All stuff I have written (non-commercially) so far has been PD. (Actually I don't even dignify it with a `this is PD' note -- I personally have zip respect for copyright, patents, licenses). However, perhaps one could do one better than PD: restrict use to propogate cypherpunk goals. eg. - You may not use this code in software which provides government back doors. And perhaps, as a condition of the license the software should display some anti-GACK slogan :-), or a URL for a site with lots of documentation on key grabbing attempts, clipper I - IV, ECHELON, etc. And perhaps: - secret service agencies can not use this software / or must pay exorbitant license fees
I've seen some people in the GNU camp argue that the BSD type licence gets ugly because of all the 'includes code from xyz' type messages, but my experiance is that comercial people can overcome this, but not the GPL.
Agree, same experience here.
I changed from the GPL quite some time ago, primarily because I was getting sick of email from people wanting to use a library of mine but their legal people were going into spasms because of the full implications of the GPL.
I was saying to Werner in email that SSLeay is probably the most widely used crypto package in both commercial and non-commercial software. I suggested that if you had used GPL, the commercial use would have been greatly hindered. You backed this up above. btw. I consider this discussion is highly topical for coderpunks -- the license put on software hugely impacts it's value, and coderpunks was originally intended (by it's proposers) to provide a lower noise environment for cypherpunks interested in code. Of late it appears to me that coderpunks has almost lost interest in it's cypherpunk origins -- few to none of the comments relate to creating crypto code to further a political aim. `cypherpunks write code ...' for a reason, and I suspect some coderpunks have lost sight of that reason, or perhaps many have joined more recently and never had sight of it, crypto coding being just a job to them. In all it might seem even that coderpunks has had a negative impact on the amount of crypto coding happening -- it ciphoned off coders who had been active on cypherpunks into a low volume, apolitical mailing list where nothing much happens, and propsed projects quickly die. The role of the coderpunks retro-moderators, though well meaning of course, I think has not helped either, in that even questions about export (surely relevant for usefulness of code) are flagged as off-topic. Adam