Bug#952951: botan: Replace PKCS11 headers provided by OASIS
On Thu, Apr 23, 2020 at 4:24 PM Sean Whitton wrote:
> On Thu 23 Apr 2020 at 01:09PM +03, Adrian Bunk wrote:
> > So what is the way forward you suggest?
> > Asking someone (who?) for advice?
> > RC bug also against p11-kit?
> > ...???
>
> Well, didn't the bug submitter suggest an alternative header, which is
> DFSG-free? I'm afraid I don't know the details of this package; I just
> tried to assess the freeness of a particular file as this was requested.

While pkcs11.h in p11-kit [1] is said to be licensed as "permissive-like-automake-output", it's a clear derivation of the OASIS one. It's even noted that "This file is a modified implementation of the PKCS #11 standard by OASIS group". That means if the OASIS implementation is non-free, then I don't see how it's re-licensed (where is the permission given for that) to be free software.

Regards,
Laszlo/GCS

[1] https://sources.debian.org/src/p11-kit/0.23.20-1/common/pkcs11.h/
Bug#952951: botan: Replace PKCS11 headers provided by OASIS
Hello,

On Thu 23 Apr 2020 at 01:09PM +03, Adrian Bunk wrote:
> On Tue, Mar 24, 2020 at 09:30:55PM -0700, Sean Whitton wrote:
>> On Tue 10 Mar 2020 at 06:32PM +01, László Böszörményi (GCS) wrote:
>>
>> > Its CONTRIBUTING.md [3] adds: "Subject to applicable licensing rules,
>> > the repository content may be re-used freely, including the creation
>> > and publication of derivative works."
>> > In my reading this complies with DFSG. It's free to redistribute,
>> > source code is available and allows publication of derived works. It
>> > doesn't discriminate any persons, groups or fields of use. It doesn't
>> > restrict other software even.
>> > But of course, I would like to hear your opinion Sean and probably from
>> > Jack.
>>
>> Based on what I've seen so far it is not clear to me that it's
>> DFSG-free. The various files you reference contain links to various
>> policies, which might supersede the text you quote from CONTRIBUTING.md
>> (as "applicable licensing rules").
>
> So what is the way forward you suggest?
> Asking someone (who?) for advice?
> RC bug also against p11-kit?
> ...???

Well, didn't the bug submitter suggest an alternative header, which is DFSG-free? I'm afraid I don't know the details of this package; I just tried to assess the freeness of a particular file as this was requested.

-- 
Sean Whitton
Bug#952951: botan: Replace PKCS11 headers provided by OASIS
On Thu, Apr 23, 2020 at 01:09:42PM +0300, Adrian Bunk wrote:
> So what is the way forward you suggest?
> Asking someone (who?) for advice?
> RC bug also against p11-kit?
> ...???

It might be worth contacting OASIS on this issue, not sure. Maybe they would be willing to relicense or clarify licensing. I do think the current state of affairs is not great on any side and IMO p11-kit is surely also implicated.

As to the Botan specific bug, possibly the best course of action in the near term is to simply remove the PKCS11 support. This can be done either at build time with the flag --disable-modules=pkcs11, or at the source level by simply running rm -rf src/lib/prov/pkcs11 and then building as usual.

I will look into some way to specify at build time an externally provided set of PKCS11 headers (from p11-kit or whatever) to use instead of the OASIS versions, but in the best of circumstances that wouldn't be available until the next release, in July.

Jack
Bug#952951: botan: Replace PKCS11 headers provided by OASIS
On Tue, Mar 24, 2020 at 09:30:55PM -0700, Sean Whitton wrote:
> On Tue 10 Mar 2020 at 06:32PM +01, László Böszörményi (GCS) wrote:
>
> > Its CONTRIBUTING.md [3] adds: "Subject to applicable licensing rules,
> > the repository content may be re-used freely, including the creation
> > and publication of derivative works."
> > In my reading this complies with DFSG. It's free to redistribute,
> > source code is available and allows publication of derived works. It
> > doesn't discriminate any persons, groups or fields of use. It doesn't
> > restrict other software even.
> > But of course, I would like to hear your opinion Sean and probably from
> > Jack.
>
> Based on what I've seen so far it is not clear to me that it's
> DFSG-free. The various files you reference contain links to various
> policies, which might supersede the text you quote from CONTRIBUTING.md
> (as "applicable licensing rules").

So what is the way forward you suggest?
Asking someone (who?) for advice?
RC bug also against p11-kit?
...???

> Sean Whitton

cu
Adrian
Bug#952951: botan: Replace PKCS11 headers provided by OASIS
Hello,

On Tue 10 Mar 2020 at 06:32PM +01, László Böszörményi (GCS) wrote:
> Its CONTRIBUTING.md [3] adds: "Subject to applicable licensing rules,
> the repository content may be re-used freely, including the creation
> and publication of derivative works."
> In my reading this complies with DFSG. It's free to redistribute,
> source code is available and allows publication of derived works. It
> doesn't discriminate any persons, groups or fields of use. It doesn't
> restrict other software even.
> But of course, I would like to hear your opinion Sean and probably from
> Jack.

Based on what I've seen so far it is not clear to me that it's DFSG-free. The various files you reference contain links to various policies, which might supersede the text you quote from CONTRIBUTING.md (as "applicable licensing rules").

-- 
Sean Whitton
Bug#952951: botan: Replace PKCS11 headers provided by OASIS
On Tue, Mar 10, 2020 at 1:27 PM Jack Lloyd wrote:
> On Mon, Mar 02, 2020 at 10:09:32PM -0700, Sean Whitton wrote:
> > > In short, OASIS Open is a DFSG compliant license or not?
> >
> > Thanks. It looks like the license which does not permit modification
> > applies to the specification, so the specification is not DFSG-free.
> >
> > As for pkcs11.h, I can't see any statement that it is under any license
> > at all, never mind a DFSG-free license.
> >
> > So the bug severity would seem to be correct.

Meanwhile I've found the official GitHub repository hosting the work of PKCS 11 [1]. Its README.md [2] states: "Content in this repository is intended to be part of the PKCS 11 TC's permanent record of activity, visible and freely available for all to use, subject to applicable OASIS policies, as presented in the repository LICENSE file."
Its CONTRIBUTING.md [3] adds: "Subject to applicable licensing rules, the repository content may be re-used freely, including the creation and publication of derivative works."
In my reading this complies with DFSG. It's free to redistribute, source code is available and allows publication of derived works. It doesn't discriminate any persons, groups or fields of use. It doesn't restrict other software even.
But of course, I would like to hear your opinion Sean and probably from Jack.

> I'm concerned though that the alternative of using the p11-kit headers seems
> much worse, because it is blindingly obvious that the p11-kit versions are a
> derivative of the OASIS headers. Unless somehow the developers happened to
> choose the same names, bitmasks, and struct layouts by chance? As it is we
> [Botan upstream] are not violating the OASIS license, but as far as I can tell
> p11-kit headers *are*, by removing OASIS copyright and license, and also
> violating the license, due to modifying the headers.

I do confirm this. The OASIS work is separated into three files and p11-kit amended those into one file, it seems. As such, their cryptoki version numbers are the same as well [4][5]. Some typedefs are defined another way, see CK_BYTE and CK_CHAR for example [6][7]: OASIS defines the former as 'unsigned char' and the latter as the same as the former, while p11-kit defines these individually as 'unsigned char'. Please note that _some_ (a small number) of their constants differ [8][9].

Regards,
Laszlo/GCS

[1] https://github.com/oasis-tcs/pkcs11
[2] https://github.com/oasis-tcs/pkcs11/blob/master/README.md
[3] https://github.com/oasis-tcs/pkcs11/blob/master/CONTRIBUTING.md
[4] https://github.com/oasis-tcs/pkcs11/blob/master/published/2-40-errata-1/pkcs11t.h#L20
[5] https://github.com/p11-glue/p11-kit/blob/master/common/pkcs11.h#L64
[6] https://github.com/oasis-tcs/pkcs11/blob/master/published/2-40-errata-1/pkcs11t.h#L37
[7] https://github.com/p11-glue/p11-kit/blob/master/common/pkcs11.h#L1552
[8] https://github.com/oasis-tcs/pkcs11/blob/master/published/2-40-errata-1/pkcs11t.h#L1151
[9] https://github.com/p11-glue/p11-kit/blob/master/common/pkcs11.h#L1529
Bug#952951: botan: Replace PKCS11 headers provided by OASIS
On Mon, Mar 02, 2020 at 10:09:32PM -0700, Sean Whitton wrote:
> > In short, OASIS Open is a DFSG compliant license or not?
>
> Thanks. It looks like the license which does not permit modification
> applies to the specification, so the specification is not DFSG-free.
>
> As for pkcs11.h, I can't see any statement that it is under any license
> at all, never mind a DFSG-free license.
>
> So the bug severity would seem to be correct.

I'm concerned though that the alternative of using the p11-kit headers seems much worse, because it is blindingly obvious that the p11-kit versions are a derivative of the OASIS headers. Unless somehow the developers happened to choose the same names, bitmasks, and struct layouts by chance? As it is we [Botan upstream] are not violating the OASIS license, but as far as I can tell p11-kit headers *are*, by removing OASIS copyright and license, and also violating the license, due to modifying the headers.

Jack
Bug#952951: botan: Replace PKCS11 headers provided by OASIS
Hello László,

On Mon 02 Mar 2020 at 10:41PM +01, László Böszörményi (GCS) wrote:
> On Mon, Mar 2, 2020 at 7:54 PM Sean Whitton wrote:
>> On Mon 02 Mar 2020 at 06:39PM +01, László Böszörményi (GCS) wrote:
>> > On Mon, Mar 2, 2020 at 10:27 AM Alvin Chen wrote:
>> >> https://sources.debian.org/src/botan/2.12.1-2/src/lib/prov/pkcs11/pkcs11.h/
>> > It's up to Jack, who develops Botan. I'm still not sure this text
>> > snippet makes the code non-modifiable. But let me ask our FTP Masters
>> > and Jack himself how to interpret it.
>>
>> Can you give a link to the file in question please?
> It's on the link you also included in your reply. Currently on
> the top of the text. But if you mean the link to the upstream file which
> is in the latest release[1] and/or the license text[2] (link is in the
> file) of OASIS Open then here you go (under the 'Notices' paragraph).
> The actual text snippet in question is (if I read Alvin correctly):
> "However, this document itself may not be modified in any way,
> including by removing the copyright notice or references to OASIS,
> [...]". But please read the whole copyright text in full. Does the 'may
> not be modified in any way' refer to the code (header file this time) or
> only the copyright text itself?
> In short, OASIS Open is a DFSG compliant license or not?

Thanks. It looks like the license which does not permit modification applies to the specification, so the specification is not DFSG-free.

As for pkcs11.h, I can't see any statement that it is under any license at all, never mind a DFSG-free license.

So the bug severity would seem to be correct.

-- 
Sean Whitton
Bug#952951: botan: Replace PKCS11 headers provided by OASIS
On Mon, Mar 2, 2020 at 7:54 PM Sean Whitton wrote:
> On Mon 02 Mar 2020 at 06:39PM +01, László Böszörményi (GCS) wrote:
> > On Mon, Mar 2, 2020 at 10:27 AM Alvin Chen wrote:
> >> https://sources.debian.org/src/botan/2.12.1-2/src/lib/prov/pkcs11/pkcs11.h/
> > It's up to Jack, who develops Botan. I'm still not sure this text
> > snippet makes the code non-modifiable. But let me ask our FTP Masters
> > and Jack himself how to interpret it.
>
> Can you give a link to the file in question please?

It's on the link you also included in your reply. Currently on the top of the text. But if you mean the link to the upstream file which is in the latest release[1] and/or the license text[2] (link is in the file) of OASIS Open then here you go (under the 'Notices' paragraph).
The actual text snippet in question is (if I read Alvin correctly): "However, this document itself may not be modified in any way, including by removing the copyright notice or references to OASIS, [...]". But please read the whole copyright text in full. Does the 'may not be modified in any way' refer to the code (header file this time) or only the copyright text itself?
In short, OASIS Open is a DFSG compliant license or not?

Thanks,
Laszlo/GCS

[1] https://github.com/randombit/botan/blob/2.13.0/src/lib/prov/pkcs11/pkcs11.h
[2] http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html
Bug#952951: botan: Replace PKCS11 headers provided by OASIS
Hello,

On Mon 02 Mar 2020 at 06:39PM +01, László Böszörményi (GCS) wrote:
> Control: tags -1 +moreinfo
>
> On Mon, Mar 2, 2020 at 10:27 AM Alvin Chen wrote:
>> Since headers provided by OASIS PKCS11 are not-exactly free license
>> (they do not allow modification),
> Do you mention the "However, this document itself may not be
> modified in any way, including by
> removing the copyright notice or references to OASIS, [...]" part? As
> I read it that references the copyright text itself and _not_ the
> actual code.
>
>> You can use an alternative header like p11-kit which is licensed under
>> a more liberal license.
>>
>> https://sources.debian.org/src/botan/2.12.1-2/src/lib/prov/pkcs11/pkcs11.h/
> It's up to Jack, who develops Botan. I'm still not sure this text
> snippet makes the code non-modifiable. But let me ask our FTP Masters
> and Jack himself how to interpret it.

Can you give a link to the file in question please?

-- 
Sean Whitton
Bug#952951: botan: Replace PKCS11 headers provided by OASIS
Control: tags -1 +moreinfo

On Mon, Mar 2, 2020 at 10:27 AM Alvin Chen wrote:
> Since headers provided by OASIS PKCS11 are not-exactly free license
> (they do not allow modification),
Do you mention the "However, this document itself may not be modified in any way, including by removing the copyright notice or references to OASIS, [...]" part? As I read it, that references the copyright text itself and _not_ the actual code.

> You can use an alternative header like p11-kit which is licensed under
> a more liberal license.
>
> https://sources.debian.org/src/botan/2.12.1-2/src/lib/prov/pkcs11/pkcs11.h/
It's up to Jack, who develops Botan. I'm still not sure this text snippet makes the code non-modifiable. But let me ask our FTP Masters and Jack himself how to interpret it.

Thanks,
Laszlo/GCS
Bug#952951: botan: Replace PKCS11 headers provided by OASIS
Source: botan
Severity: serious

Since headers provided by OASIS PKCS11 are not-exactly free license (they do not allow modification), you can use an alternative header like p11-kit which is licensed under a more liberal license.

https://sources.debian.org/src/botan/2.12.1-2/src/lib/prov/pkcs11/pkcs11.h/

Regards,
Alvin Chen