Bug#814352: ITP: veracrypt -- Cross-platform on-the-fly encryption

2016-07-11 Thread Eriberto
Thanks Mike. I will add a notice here[1].

[1] https://wiki.debian.org/Software%20that%20can't%20be%20packaged

Regards,

Eriberto

2016-07-10 15:15 GMT-03:00 Mike Gabriel :
> Control: close -1
> Control: tags -1 wontfix
>
> Hi Eriberto,
>
> On  So 10 Jul 2016 00:05:12 CEST, Eriberto Mota wrote:
>
>> Hi,
>>
>> What is the current status of this package?
>>
>> Regards,
>>
>> Eriberto
>
>
> Unfortunately, the ftp master team rejected the upload due to the dodgy
> license history of Veracrypt / Truecrypt:
>
> On  Fr 08 Jul 2016 02:00:09 CEST, Thorsten Alteholz wrote:
>
>> Hi Mike,
>>
>> unfortunately I have to reject your package.
>> According to [1] "(...)TrueCrypt seems to be reserving the right to sue
>> any licensee for copyright infringement, no matter whether they comply
>> with the conditions of the license or not. Based on this, our counsel
>> advised that above and beyond being non-free, software under this
>> license is not safe to use. (...)"
>>
>> So as Veracrypt is basically licensed with the TrueCrypt license, I think
>> it is better for Debian to not distribute such software, even in non-free.
>>
>>  Thorsten
>
>
> Thus closing this ITP and tagging as "won't fix". Unfortunately...
>
> Mike
>
>
> [1]
> https://lists.freedesktop.org/archives/distributions/2008-October/000276.html
>
> --
>
> DAS-NETZWERKTEAM
> mike gabriel, herweg 7, 24357 fleckeby
> mobile: +49 (1520) 1976 148
> landline: +49 (4354) 8390 139
>
> GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
> mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
>



Bug#814352: ITP: veracrypt -- Cross-platform on-the-fly encryption

2016-07-10 Thread Mike Gabriel

Control: close -1
Control: tags -1 wontfix

Hi Eriberto,

On  So 10 Jul 2016 00:05:12 CEST, Eriberto Mota wrote:


> Hi,
>
> What is the current status of this package?
>
> Regards,
>
> Eriberto


Unfortunately, the ftp master team rejected the upload due to the  
dodgy license history of Veracrypt / Truecrypt:


On  Fr 08 Jul 2016 02:00:09 CEST, Thorsten Alteholz wrote:


> Hi Mike,
>
> unfortunately I have to reject your package.
> According to [1] "(...)TrueCrypt seems to be reserving the right to sue
> any licensee for copyright infringement, no matter whether they comply
> with the conditions of the license or not. Based on this, our counsel
> advised that above and beyond being non-free, software under this
> license is not safe to use. (...)"
>
> So as Veracrypt is basically licensed with the TrueCrypt license, I think
> it is better for Debian to not distribute such software, even in non-free.
>
>  Thorsten


Thus closing this ITP and tagging as "won't fix". Unfortunately...

Mike


[1]  
https://lists.freedesktop.org/archives/distributions/2008-October/000276.html


--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de





Bug#814352: ITP: veracrypt -- Cross-platform on-the-fly encryption

2016-07-09 Thread Eriberto Mota
Hi,

What is the current status of this package?

Regards,

Eriberto



Bug#814352: ITP: veracrypt -- Cross-platform on-the-fly encryption

2016-02-19 Thread Mike Gabriel

Hi Francesco,

On  Do 18 Feb 2016 23:36:48 CET, Francesco Poli wrote:


> On Thu, 18 Feb 2016 05:02:37 + Mike Gabriel wrote:
>
>> On  Mi 17 Feb 2016 21:49:54 CET, Francesco Poli wrote:
>
> [...]
>
>>> Please send the updated debian/copyright file...
>>
>> Oh, I must have forgotten to attach that file. Here it comes.
>
> Well, the so-called VeraCrypt License is just the TrueCrypt License
> version 3.0 + the Apache License version 2.0.
> Since both licenses apply, the situation is not really different from
> the one we have discussed in the previous messages of this thread...
>
> Bye.


Thanks for your time and expertise on this again. I really appreciate
having such a skilled licensing expert on the Debian project.


Let's see how the ftpmasters decide on my veracrypt upload, then.

Greets,
Mike
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de




Bug#814352: ITP: veracrypt -- Cross-platform on-the-fly encryption

2016-02-18 Thread Francesco Poli
On Thu, 18 Feb 2016 05:02:37 + Mike Gabriel wrote:

> On  Mi 17 Feb 2016 21:49:54 CET, Francesco Poli wrote:
[...]
> > Please send the updated debian/copyright file...
> >
> 
> Oh, I must have forgotten to attach that file. Here it comes.

Well, the so-called VeraCrypt License is just the TrueCrypt License
version 3.0 + the Apache License version 2.0.
Since both licenses apply, the situation is not really different from
the one we have discussed in the previous messages of this thread...

Bye.

-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
. Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE




Bug#814352: ITP: veracrypt -- Cross-platform on-the-fly encryption

2016-02-17 Thread Mike Gabriel

Hi Francesco,

On  Mi 17 Feb 2016 21:49:54 CET, Francesco Poli wrote:

> On Wed, 17 Feb 2016 11:39:00 + Mike Gabriel wrote:
>
>> On  Mi 17 Feb 2016 00:17:28 CET, Francesco Poli wrote:
>>
>> Oh, I am sorry. With this mail, I have attached the latest
>> debian/copyright file as I have it now after having it reworked two
>> days ago. I should have sent an updated copy to debian-legal
>> immediately. Sorry for that.
>
> Mmmmh, I cannot see any attachment. Was it forgotten or lost somehow?
>
>> As it seems, the VeraCrypt upstream people have come up with a new
>> license, the VeraCrypt license. See attached copyright file for details.
>
> Please send the updated debian/copyright file...

Oh, I must have forgotten to attach that file. Here it comes.

>> And personally, I just tried out
>> zulucrypt-gui the second time and I could not get it running as
>> non-root. This is probably possible, I did not spend much time on
>> this, but honestly, I prefer a solution that works right away. Also
>> ZuluCrypt feels a little nerdy, not so user friendly as VeraCrypt
>> currently is.
>
> Mmmmh, I see.


OT here, but for completing info on zuluCrypt:

I just learned from the zuluCrypt upstream maintainer, that  
zuluCrypt-gui will work as non-root user if zuluCrypt-cli and  
zuluMount-cli are installed setuid root, it is just that the Debian  
maintainers of zulucrypt-gui do not set those permissions in their  
packaging. (Though, personally, I agree on not having more setuid root  
executables on a Debian system than absolutely necessary).


Also zuluCrypt offers binary built .deb packages of their code on  
their homepage [1] without shipping a source package alongside. They  
install those mentioned executables as setuid root. So here we have a  
binary blob with no directly referenced source, doing filesystem  
crypto _and_ obtaining root privileges. Sigh...


[1] http://mhogomchungu.github.io/zuluCrypt/

Greets,
Mike


--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: veracrypt
Source: http://sourceforge.net/projects/truecrypt/

Files: *
Copyright: 2003-2011, TrueCrypt Developers Association
   2013-2015, IDRIX
License: VC

Files: src/Common/Apidrvr.h
       src/Common/Cache.*
       src/Common/Cmdline.*
       src/Common/Combo.*
       src/Common/Crc.*
       src/Common/Crypto.*
       src/Common/Dlgcode.*
       src/Common/Endian.*
       src/Common/Fat.*
       src/Common/Format.*
       src/Common/Password.*
       src/Common/Pkcs5.*
       src/Common/Progress.*
       src/Common/Random.*
       src/Common/Tcdefs.h
       src/Common/Tests.*
       src/Common/Volumes.*
       src/Core/FatFormatter.cpp
       src/Driver/Ntdriver.*
       src/Driver/Ntvol.*
       src/Format/Tcformat.*
       src/Mount/Mount.*
       src/Setup/Dir.*
       src/Setup/Setup.*
       src/Setup/Wizard.*
Copyright: 1998-2000, Paul Le Roux
License: E4M

Files: src/Common/GfMul.c
       src/Common/GfMul.h
       src/Crypto/Aescrypt.c
       src/Crypto/Aes.h
       src/Crypto/Aeskey.c
       src/Crypto/Aesopt.h
       src/Crypto/AesSmall.c
       src/Crypto/AesSmall.h
       src/Crypto/AesSmall_x86.asm
       src/Crypto/Aestab.c
       src/Crypto/Aestab.h
       src/Crypto/Aes_x64.asm
       src/Crypto/Aes_x86.asm
       src/Crypto/Sha2.c
       src/Crypto/Sha2.h
       src/Crypto/Twofish.c
Copyright: 1998-2007, Brian Gladman, Worcester, UK
License: BSD-3-Clause

Files: src/Boot/Windows/Decompressor.c
Copyright: 2002-2004, Mark Adler
License: zlib

Files: debian/*
Copyright: 2013-2015, Unit 193 
   2016, Mike Gabriel 
License: BSD-3-Clause

License: VC
 VeraCrypt License
 .
 Software distributed under this license is distributed on an "AS IS"
 BASIS WITHOUT WARRANTIES OF ANY KIND. THE AUTHORS AND DISTRIBUTORS OF
 THE SOFTWARE DISCLAIM ANY LIABILITY. ANYONE WHO USES, COPIES, MODIFIES,
 OR (RE)DISTRIBUTES ANY PART OF THE SOFTWARE IS, BY SUCH ACTION(S),
 ACCEPTING AND AGREEING TO BE BOUND BY ALL TERMS AND CONDITIONS OF THIS
 LICENSE. IF YOU DO NOT ACCEPT THEM, DO NOT USE, COPY, MODIFY, NOR
 (RE)DISTRIBUTE THE SOFTWARE, NOR ANY PART(S) THEREOF.
 .
 VeraCrypt is governed by the TrueCrypt License version 3.0, a verbatim
 copy of this version of the TrueCrypt License can be found below.
 .
 Modifications and additions to the original source code (contained in
 this file)  and all other portions of this file are Copyright (c)
 2013-2015 IDRIX and are governed by the Apache License 2.0 the full text
 of which is contained in the file License.txt included in 
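
The concern raised in the message above, upstream binary .deb files that install setuid root executables, can be checked before anything is installed. The following is an added example, not part of the original thread and not code from zuluCrypt or Debian: it walks the ar container of a .deb and lists setuid/setgid files in its payload. The sample archive and its file names are constructed for illustration.

```python
import io
import stat
import tarfile

AR_MAGIC = b"!<arch>\n"


def ar_members(blob):
    """Yield (name, data) for each member of a Unix ar archive (the .deb container)."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):
        header = blob[pos:pos + 60]
        if header[58:60] != b"`\n":
            raise ValueError("corrupt ar member header at offset %d" % pos)
        # Fixed-width header: name[16] mtime[12] uid[6] gid[6] mode[8] size[10] magic[2]
        name = header[:16].decode("ascii").strip().rstrip("/")
        size = int(header[48:58].decode("ascii").strip())
        pos += 60
        yield name, blob[pos:pos + size]
        pos += size + (size & 1)  # member data is padded to an even offset


def privileged_files(deb_blob):
    """Return (path, owner, mode string) for setuid/setgid regular files in data.tar.*."""
    findings = []
    for name, data in ar_members(deb_blob):
        if not name.startswith("data.tar"):
            continue
        # "r:*" auto-detects gzip, bzip2 and xz; other compressors need extra handling.
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for member in tar:
                if member.isfile() and member.mode & (stat.S_ISUID | stat.S_ISGID):
                    owner = member.uname or str(member.uid)
                    mode = stat.filemode(stat.S_IFREG | member.mode)
                    findings.append((member.name, owner, mode))
    return findings


def _ar_member(name, data):
    """Serialise one ar member (helper for the constructed sample only)."""
    header = "{:<16}{:<12}{:<6}{:<6}{:<8}{:<10}`\n".format(
        name, 0, 0, 0, "100644", len(data))
    return header.encode("ascii") + data + (b"\n" if len(data) % 2 else b"")


def build_sample_deb():
    """Constructed sample: a minimal .deb-shaped archive (control member omitted)."""
    payload = io.BytesIO()
    with tarfile.open(fileobj=payload, mode="w:gz") as tar:
        # Hypothetical file names; one is setuid root, one is not.
        for path, mode in (("usr/bin/example-cli", 0o4755),
                           ("usr/bin/example-gui", 0o755)):
            info = tarfile.TarInfo(path)
            info.mode, info.uname, info.size = mode, "root", 4
            tar.addfile(info, io.BytesIO(b"\x7fELF"))
    return (AR_MAGIC
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("data.tar.gz", payload.getvalue()))


if __name__ == "__main__":
    for path, owner, mode in privileged_files(build_sample_deb()):
        print(mode, owner, path)
```

To check a real download, pass the file's bytes to `privileged_files()`; maintainer scripts in the control archive can also change permissions after unpacking and are not covered here.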

Bug#814352: ITP: veracrypt -- Cross-platform on-the-fly encryption

2016-02-17 Thread Francesco Poli
On Wed, 17 Feb 2016 11:39:00 + Mike Gabriel wrote:

[...]
> (taking debian-edu-pkg-team @ Alioth into the discussion loop, as that  
> would be the maintainer team for VeraCrypt in Debian)

OK, fine.

> 
> On  Mi 17 Feb 2016 00:17:28 CET, Francesco Poli wrote:
> 
> > On Wed, 10 Feb 2016 18:07:48 +0100 Mike Gabriel wrote:
> >
> > [...]
> >>  1.
> >>  Is VeraCrypt suitable for the non-free section of Debian?
> >
> > I am not sure: the TC-3.0 license is still fairly unclear (at least
> > to my eyes), so I cannot really speculate on its possible
> > implications...
> 
> Hmmm... ok. I think the ftpmasters would be glad about some guidance  
> on why you see veracrypt (not the TC 3.0 license, see below) unfit for  
> Debian non-free. I have already uploaded VeraCrypt to Debian  
> NEW/non-free and it is waiting approval/rejection from an ftpmaster.

I didn't say that veracrypt is clearly unfit for the non-free archive.

I said that the TC-3.0 license is unclear, and that I am consequently
not sure about the possibility to distribute a package including code
under such a license (even in the non-free archive).

I hope I clarified what I meant.

> 
> Also, it'd be interesting if the upstream people of VeraCrypt can  
> apply any change(s) to the upstream sources, their VeraCrypt license  
> or whatever, to make the software fit at least for Debian non-free.

If VeraCrypt upstream developers (IDRIX, I suppose) are in good terms
with the copyright holders for the Truecrypt version they forked from
(TrueCrypt Developers Association, I suppose) and can persuade them to
agree to a re-licensing of the code-base, the outcome could be
definitely interesting.
Everything re-licensed under the terms of the 3-clause-BSD license
would be a huge win for everyone, since it would mean the possibility
to upload veracrypt to Debian main (assuming no other showstopper comes
up).

[...]
> >>  3.
> >>  The new upstream maintainer also states that all novelties of the code
> >>  are licensed under the Apache-2.0 license, but as long as any line from
> >>  the original code sticks out, the licensing of the code is governed by
> >>  the original Truecrypt 3.0 license, right?
> > [...]
> >
> > Then I am not sure I understand why the debian/copyright file draft
> > you sent states
> >   Files: *
> >   Copyright: 2003-2011, TrueCrypt Developers Association
> >  2013-2014, IDRIX
> >   License: TC-3.0 or Ms-PL
> >
> > What's Ms-PL ? Shouldn't it be Apache-2.0 ?
> > Moreover, "or" means dual-licensing, but I understand this to be a
> > code-mixing case: I think "and" should be used instead.
> >
> > See
> > https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
> > for more details.
> 
> Oh, I am sorry. With this mail, I have attached the latest  
> debian/copyright file as I have it now after having it reworked two  
> days ago. I should have sent an updated copy to debian-legal  
> immediately. Sorry for that.

Mmmmh, I cannot see any attachment. Was it forgotten or lost somehow?

> 
> As it seems, the VeraCrypt upstream people have come up with a new  
> license, the VeraCrypt license. See attached copyright file for details.

Please send the updated debian/copyright file...

[...]
> > Anyway, without looking at any further details, a question arises:
> > why are you packaging veracrypt for the non-free archive? what does
> > it offer that tcplay doesn't?
> >
> > See
> > https://packages.debian.org/sid/tcplay
> > https://tracker.debian.org/pkg/tcplay
> 
> I have checked tcplay and also zulucrypt-gui again. We provide  
> veracrypt to teachers / students at school that come from the Windows  
> realm mainly. For them, it is essential to recognize some pieces of  
> software on our Linux environment that they have become so used to on  
> their Windows machines. VeraCrypt (for formerly TrueCrypt) is such an  
> application. Teachers here in Germany have to encrypt all personal  
> data that they carry around, so they need _one_ cross platform tool  
> for that. I'd be happy to provide that piece of software to other  
> people in Debian (Edu).
> 
> Working on the command line (tcplay) is not an option for the  
> teachers, we support here.

Then I hope someone will develop a GUI front-end for tcplay, if it is so
important for at least one category of users...

> And personally, I just tried out  
> zulucrypt-gui the second time and I could not get it running as  
> non-root. This is probably possible, I did not spend much time on  
> this, but honestly, I prefer a solution that works right away. Also  
> ZuluCrypt feels a little nerdy, not so user friendly as VeraCrypt  
> currently is.

Mmmmh, I see.


-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
. Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE




Bug#814352: ITP: veracrypt -- Cross-platform on-the-fly encryption

2016-02-17 Thread Mike Gabriel

Hi again,

On  Mi 17 Feb 2016 12:39:00 CET, Mike Gabriel wrote:

> I have checked tcplay and also zulucrypt-gui again. We provide
> veracrypt to teachers / students at school that come from the
> Windows realm mainly. For them, it is essential to recognize some
> pieces of software on our Linux environment that they have become so
> used to on their Windows machines. VeraCrypt (for formerly
> TrueCrypt) is such an application. Teachers here in Germany have to
> encrypt all personal data that they carry around, so they need _one_
> cross platform tool for that. I'd be happy to provide that piece of
> software to other people in Debian (Edu).
>
> Working on the command line (tcplay) is not an option for the
> teachers, we support here. And personally, I just tried out
> zulucrypt-gui the second time and I could not get it running as
> non-root. This is probably possible, I did not spend much time on
> this, but honestly, I prefer a solution that works right away. Also
> ZuluCrypt feels a little nerdy, not so user friendly as VeraCrypt
> currently is.


just a short follow up, why I want to see VeraCrypt installable from Debian:

The current upstream maintainers offer binary blobs of VeraCrypt for  
installation on Linux, also Debian.


With the binary builds, I see the issue that no exact sources of the  
builds are available. The builds probably have been derived from the  
upstream Git or source release tarballs, but who knows.


Mike
--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de




Bug#814352: ITP: veracrypt -- Cross-platform on-the-fly encryption

2016-02-17 Thread Mike Gabriel

Hi Francesco,
(taking debian-edu-pkg-team @ Alioth into the discussion loop, as that  
would be the maintainer team for VeraCrypt in Debian)


On  Mi 17 Feb 2016 00:17:28 CET, Francesco Poli wrote:


> On Wed, 10 Feb 2016 18:07:48 +0100 Mike Gabriel wrote:
>
> [...]
>>  1.
>>  Is VeraCrypt suitable for the non-free section of Debian?
>
> I am not sure: the TC-3.0 license is still fairly unclear (at least
> to my eyes), so I cannot really speculate on its possible
> implications...


Hmmm... ok. I think the ftpmasters would be glad about some guidance  
on why you see veracrypt (not the TC 3.0 license, see below) unfit for  
Debian non-free. I have already uploaded VeraCrypt to Debian  
NEW/non-free and it is waiting approval/rejection from an ftpmaster.


Also, it'd be interesting if the upstream people of VeraCrypt can  
apply any change(s) to the upstream sources, their VeraCrypt license  
or whatever, to make the software fit at least for Debian non-free.



>>  .
>>  2.
>>  I suppose VeraCrypt is not suitable for the main section of Debian
>>  as the TC-3.0 license is not DFSG-compliant. I suppose
>>  this has not changed for VeraCrypt, compared to TrueCrypt, right?
>
> Personally, I think this package should stay away from Debian main.
> As I said, I am not even sure it is safe to be distributed in the
> non-free archive.


Ok, I fully agree for the veracrypt license construct not being  
suitable for Debian main.

>>  .
>>  3.
>>  The new upstream maintainer also states that all novelties of the code
>>  are licensed under the Apache-2.0 license, but as long as any line from
>>  the original code sticks out, the licensing of the code is governed by
>>  the original Truecrypt 3.0 license, right?
>
> [...]
>
> Then I am not sure I understand why the debian/copyright file draft
> you sent states
>   Files: *
>   Copyright: 2003-2011, TrueCrypt Developers Association
>  2013-2014, IDRIX
>   License: TC-3.0 or Ms-PL
>
> What's Ms-PL ? Shouldn't it be Apache-2.0 ?
> Moreover, "or" means dual-licensing, but I understand this to be a
> code-mixing case: I think "and" should be used instead.
>
> See
> https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
> for more details.


Oh, I am sorry. With this mail, I have attached the latest  
debian/copyright file as I have it now after having it reworked two  
days ago. I should have sent an updated copy to debian-legal  
immediately. Sorry for that.


As it seems, the VeraCrypt upstream people have come up with a new  
license, the VeraCrypt license. See attached copyright file for details.


My proposed Debian package is also available online [1], you may want  
to grab the .dsc file and check the upstream files, as well.


[1] http://packages.sunweavers.net/debian/pool/non-free/v/veracrypt/


> Anyway, without looking at any further details, a question arises:
> why are you packaging veracrypt for the non-free archive? what does
> it offer that tcplay doesn't?
>
> See
> https://packages.debian.org/sid/tcplay
> https://tracker.debian.org/pkg/tcplay


I have checked tcplay and also zulucrypt-gui again. We provide  
veracrypt to teachers / students at school that come from the Windows  
realm mainly. For them, it is essential to recognize some pieces of  
software on our Linux environment that they have become so used to on  
their Windows machines. VeraCrypt (for formerly TrueCrypt) is such an  
application. Teachers here in Germany have to encrypt all personal  
data that they carry around, so they need _one_ cross platform tool  
for that. I'd be happy to provide that piece of software to other  
people in Debian (Edu).


Working on the command line (tcplay) is not an option for the  
teachers, we support here. And personally, I just tried out  
zulucrypt-gui the second time and I could not get it running as  
non-root. This is probably possible, I did not spend much time on  
this, but honestly, I prefer a solution that works right away. Also  
ZuluCrypt feels a little nerdy, not so user friendly as VeraCrypt  
currently is.


Greets,
Mike




--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de




Bug#814352: ITP: veracrypt -- Cross-platform on-the-fly encryption

2016-02-16 Thread Francesco Poli
On Wed, 10 Feb 2016 18:07:48 +0100 Mike Gabriel wrote:

[...]
>  1.
>  Is VeraCrypt suitable for the non-free section of Debian?

I am not sure: the TC-3.0 license is still fairly unclear (at least
to my eyes), so I cannot really speculate on its possible
implications...

>  .
>  2.
>  I suppose VeraCrypt is not suitable for the main section of Debian
>  as the TC-3.0 license is not DFSG-compliant. I suppose
>  this has not changed for VeraCrypt, compared to TrueCrypt, right?

Personally, I think this package should stay away from Debian main.
As I said, I am not even sure it is safe to be distributed in the
non-free archive.

>  .
>  3.
>  The new upstream maintainer also states that all novelties of the code
>  are licensed under the Apache-2.0 license, but as long as any line from
>  the original code sticks out, the licensing of the code is governed by
>  the original Truecrypt 3.0 license, right?
[...]

Then I am not sure I understand why the debian/copyright file draft
you sent states

  Files: *
  Copyright: 2003-2011, TrueCrypt Developers Association
 2013-2014, IDRIX
  License: TC-3.0 or Ms-PL

What's Ms-PL ? Shouldn't it be Apache-2.0 ?
Moreover, "or" means dual-licensing, but I understand this to be a
code-mixing case: I think "and" should be used instead.

See
https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
for more details.


Anyway, without looking at any further details, a question arises:
why are you packaging veracrypt for the non-free archive? what does
it offer that tcplay doesn't?

See
https://packages.debian.org/sid/tcplay
https://tracker.debian.org/pkg/tcplay

I hope this helps a little.
Bye.


-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
. Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE




Bug#814352: ITP: veracrypt -- Cross-platform on-the-fly encryption

2016-02-10 Thread Mike Gabriel
Package: wnpp
Severity: wishlist
Owner: Mike Gabriel 

* Package name: veracrypt
  Version : 1.16
  Upstream Author : Mounir IDRASSI
* URL : https://launchpad.net/veracrypt
* License : TC-3.0 or Ms-PL, E4M, BSD-3-clause, zlib
  Programming Lang: C++
  Description : Cross-platform on-the-fly encryption

 VeraCrypt provides cross-platform on-the-fly encryption for Linux, MacOS X and
 Windows. It can encrypt filesystems stored either within a file or on disk
 partitions. Supported encryption algorithms include AES, Serpent and Twofish.
 The current version uses the XTS mode of disk encryption. In addition,
 VeraCrypt supports "hidden volumes" - unidentifiable volumes present in the
 free-space of a VeraCrypt volume.
 .
 Veracrypt has been forked from Truecrypt 7.1a and I am aware of previous discussion
 about the non-free character of the license. [1]
 .
 With this ITP, I have also CC:ed the debian-legal mailing list. Question
 at experts from the debian-legal mailing list:
 .
 TL;DR; I would like to bring VeraCrypt into the non-free part of the Debian repo to offer
 VeraCrypt to people in need of easy and GUI based encryption, suitable for cross-platform
 usage. Does the current license situation allow that?
 .
 Details / Questions:
 .
 1.
 Is VeraCrypt suitable for the non-free section of Debian?
 .
 2.
 I suppose VeraCrypt is not suitable for the main section of Debian
 as the TC-3.0 license is not DFSG-compliant. I suppose
 this has not changed for VeraCrypt, compared to TrueCrypt, right?
 .
 3.
 The new upstream maintainer also states that all novelties of the code
 are licensed under the Apache-2.0 license, but as long as any line from
 the original code sticks out, the licensing of the code is governed by
 the original Truecrypt 3.0 license, right?

 [1] https://bugs.debian.org/364034

Example of the new license headers in VeraCrypt:

"""
/*
 Derived from source code of TrueCrypt 7.1a, which is
 Copyright (c) 2008-2012 TrueCrypt Developers Association and which is governed
 by the TrueCrypt License 3.0.

 Modifications and additions to the original source code (contained in this file)
 and all other portions of this file are Copyright (c) 2013-2015 IDRIX
 and are governed by the Apache License 2.0 the full text of which is
 contained in the file License.txt included in VeraCrypt binary and source
 code distribution packages.
*/
"""

If acceptable, the veracrypt package will be maintained under the umbrella of the
Debian Edu Packaging Team.
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: veracrypt
Source: http://sourceforge.net/projects/truecrypt/

Files: *
Copyright: 2003-2011, TrueCrypt Developers Association
   2013-2014, IDRIX
License: TC-3.0 or Ms-PL

Files: src/Common/Apidrvr.h
       src/Common/Cache.*
       src/Common/Cmdline.*
       src/Common/Combo.*
       src/Common/Crc.*
       src/Common/Crypto.*
       src/Common/Dlgcode.*
       src/Common/Endian.*
       src/Common/Fat.*
       src/Common/Format.*
       src/Common/Password.*
       src/Common/Pkcs5.*
       src/Common/Progress.*
       src/Common/Random.*
       src/Common/Tcdefs.h
       src/Common/Tests.*
       src/Common/Volumes.*
       src/Core/FatFormatter.cpp
       src/Driver/Ntdriver.*
       src/Driver/Ntvol.*
       src/Format/Tcformat.*
       src/Mount/Mount.*
       src/Setup/Dir.*
       src/Setup/Setup.*
       src/Setup/Wizard.*
Copyright: 1998-2000, Paul Le Roux
License: E4M

Files: src/Common/GfMul.c
       src/Common/GfMul.h
       src/Crypto/Aescrypt.c
       src/Crypto/Aes.h
       src/Crypto/Aeskey.c
       src/Crypto/Aesopt.h
       src/Crypto/AesSmall.c
       src/Crypto/AesSmall.h
       src/Crypto/AesSmall_x86.asm
       src/Crypto/Aestab.c
       src/Crypto/Aestab.h
       src/Crypto/Aes_x64.asm
       src/Crypto/Aes_x86.asm
       src/Crypto/Sha2.c
       src/Crypto/Sha2.h
       src/Crypto/Twofish.c
Copyright: 1998-2007, Brian Gladman, Worcester, UK
License: BSD-3-Clause

Files: src/Boot/Windows/Decompressor.c
Copyright: 2002-2004, Mark Adler
License: zlib

Files: debian/*
Copyright: 2013-2015, Unit 193 
License: BSD-3-Clause



License: TC-3.0
 TrueCrypt License Version 3.0
 .
 Software distributed under this license is distributed on an "AS
 IS" BASIS WITHOUT WARRANTIES OF ANY KIND. THE AUTHORS AND
 DISTRIBUTORS OF THE SOFTWARE DISCLAIM ANY LIABILITY. ANYONE WHO
 USES, COPIES, MODIFIES, OR (RE)DISTRIBUTES ANY PART OF THE
 SOFTWARE IS, BY SUCH ACTION(S), ACCEPTING AND AGREEING TO BE
 BOUND BY ALL TERMS AND CONDITIONS OF THIS LICENSE. IF YOU DO NOT
 ACCEPT THEM, DO NOT USE, COPY, MODIFY, NOR (RE)DISTRIBUTE THE
 SOFTWARE, NOR ANY PART(S) THEREOF.
 .
 I. Definitions
 .
 1. "This Product" means the work (including, but not limited to,
 source code, graphics, texts, and accompanying files) made
 available under and