Why GNU GPL is bad for crypto deployment

Someone asked me in email why I said on coderpunks & cypherpunks:
> If one is interested to encourage people to include crypto in their applications, GNU style licenses are a step in the wrong direction.
And as I wrote a longish explanation, I thought I'd share it:

Here is the problem: say that our goal is to maximise deployment of software with crypto built in, especially commercial software.

So people write libraries, and software say like Eric Young's SSLeay, or Werner Koch's GNUPG (OpenPGP implementation). Some of these people then use GNU license because that is the friendly net ethos of the way to do it. (And in general I agree, but there is a conflict here...)

So now the license on the libraries or software that they've written (specifically to encourage commercial companies to add crypto) is evaluated by the prospective companies' lawyers. The lawyer observes that GNU license says:

1) thou shalt adopt the GNU license for your whole source tree, if there is one line of GNU derived code in it. (or words to effect).

And he goes ... hmmm ... so what else does GNU license say if we put our source under GNU license. It also says:

2) source shall be available for shipping and handling fee only (or words to effect)

and he grumbles, and maybe causes the project to be scrapped, if the company has ideas on keeping source code secret (though we all know this is not a good idea especially for crypto code, such companies exist, these are the parameters we are mostly working within).

So if the project is still ok by the lawyer, he examines the license some more, and it says:

3) it shall be allowed for anyone to take and re-distribute any GNU software charging what they like. (or words to effect)

And he goes (floating point exception... core dumped!) Because it means that his company's software can be legally copied and re-sold with no financial benefit to his company.

Which is why companies won't touch GNU license stuff with a barge pole.

Note that there are two licenses promoted by FSF: the GPL (GNU General Public License) and the GNU LGPL (GNU Library General Public License).

The GNU LGPL is, as I commented in an earlier post, just about usable for commercial purposes, because it does not infect the source tree using the code with the LGPL (or GPL) because it allows specifically for providing only the code for the library and not the rest of the code, and does not demand that the rest of the code use the same license.

However Werner is using GPL for G10 aka GNUPG (at least as of g10-0.0.0 which is the version I have).

So the plea is, if you are going to use GNU, at least use LGPL and NOT GPL.

Well, it's your code, and you wrote it, so it's your choice: my comments are based on the assumption that the author is more interested in crypto deployment than in the GNU license virus as a means of promoting the availability of source code.

Adam

On Tue, Sep 29, 1998 at 12:36:45AM +0100, Adam Back wrote:
> Which is why companies won't touch GNU license stuff with a barge pole.
> [....]
> Well, it's your code, and you wrote it, so it's your choice: my comments are based on the assumption that the author is more interested in crypto deployment than in the GNU license virus as a means of promoting the availability of source code.
I have to partially object here: If code is to be used commercially, lawyers can ask the copyright holders for a different license, and they may quite well succeed even if the original distribution was under GPL.

tlr
--
Thomas Roessler · 74a353cc0b19 · dg1ktr · http://home.pages.de/~roessler/
2048/CE6AC6C1 · 4E 04 F0 BC 72 FF 14 23 44 85 D1 A1 3B B0 73 C1

On Tue, 29 Sep 1998, Adam Back wrote:
> Here is the problem: say that our goal is to maximise deployment of software with crypto built in, especially commercial software.
I think your argument is only valid if you replace "commercial" with "proprietary" and replace "especially" with "only in the case of."
> Well, it's your code, and you wrote it, so it's your choice: my comments are based on the assumption that the author is more interested in crypto deployment than in the GNU license virus as a means of promoting the availability of source code.
Free software is not about simply providing the source code as a programmer's convenience, but it ensures that each user has freedom. And free software always leads to the development of _more_ free software (case in point: GNU C++, which was built off gcc and developed by a consortium that usually releases non-free software. I expect the same kind of synergies to occur with GPG and other crypto-related free projects).

If your goal is to maximize the amount of *non-free* software that contains built-in crypto, then the GNU GPL is not the license to use, because it does not pander to corporations and other large organizations who benefit by restricting information to individuals.

If you release your crypto code as public domain, those companies who sell binaries of non-free, proprietary software will eagerly use your code in their products. But they (or the govt, or anyone else) are not obligated to release the source of any improvements or modifications made to your code.

You might think, "This trade-off is okay, since my original code is still available. But I want the best of both worlds -- I want GNU people to use my code, but I also want Microfoo to adapt it, too."

The prospect of Microfoo possibly using your code might tempt you -- this might get your code in more places right now, but it will not benefit the free software community (depending on your license terms, the code may well be unuseable, or only useable until a replacement is written), and the users of Microfoo's version will be deprived of their freedoms to distribute or adapt your code. So it might not help your long-term goal of maximum crypto deployment.

Furthermore, if the code were to be released under a "cypherpunks license" as described -- which added additional restrictions to the use of the code -- it would not be useable at all on free operating systems. (This is why PGP had to be rewritten from scratch.)

I would suggest that the GNU GPL, which protects the freedom of all individuals who use the software, and ensures that the information always remains free, may be as "cypherpunk" as a software license can get, if the idea is to keep the information free.

If you want to publish code that individuals are free to run, copy, distribute, study, adapt and improve, write free software that can be used on free operating systems. If you work on and improve this free software, the body of free software will increase and the currently-in-use non-free software will head closer to 100% obsolescence. By writing free code, you will catalyze this process and ensure that free systems contain your code.

You might not have your crypto code on as many systems tomorrow as you would have if you had been tempted by the thought of proprietary use of your code, but for the long term, it seems that the best way to ensure that strong crypto be available everywhere for all individuals is to make that crypto code free, without exception -- and the best way to do that is to copyleft it.

For a list of current FSF crypto-related projects, please see <http://www.gnu.org/prep/tasks.html#SEC8>.

participants (3): Adam Back, Michael Stutz, Thomas Roessler