License violation #43

Open
bastien-roucaries opened this issue May 27, 2017 · 10 comments
@bastien-roucaries

You said that your package derives from:
https://code.google.com/p/crypto-js/

This is the license that is more restrictive than ours. You should therefore use the following license and acknowledge the original license:
crypto-js - License.wiki

(c) 2009-2013 by Jeff Mott. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation or other materials provided with the distribution.
Neither the name CryptoJS nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS," AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

@bastien-roucaries
Author

Moreover, triplesec violates the original license, but if you consider that MIT applies only to the patch, you should also acknowledge the triplesec author and add this license to his patch work:
The MIT License (MIT)

Copyright (c) 2013 Maxwell Krohn

Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

@bastien-roucaries
Author

Moreover ghash is tainted by this license:
https://github.com/bitwiseshiftleft/sjcl/blob/master/LICENSE.txt

@bastien-roucaries
Author

I propose this copyright file:
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: browserify-aes
Upstream-Contact: https://github.com/crypto-browserify/browserify-aes/issues
Source: https://github.com/crypto-browserify/browserify-aes
Comment: this package was mainly derived (see readme.md)
from triplesec (https://github.com/keybase/triplesec)
that is itself derived from crypto-js
(https://code.google.com/p/crypto-js/ now at
https://code.google.com/archive/p/crypto-js/wikis/License.wiki).
.
crypto-js is distributed under BSD-3.
.
triplesec is distributed under expat
(https://github.com/keybase/triplesec/blob/master/LICENSE)
but only for its own modification due to cloning crypto-js.
.
ghash.js file is derived (see comment in the header) from sjcl
(https://github.com/bitwiseshiftleft/sjcl/) that is distributed under
BSD-2 or GPL-2 at your choice
(see https://github.com/bitwiseshiftleft/sjcl/blob/master/LICENSE.txt).
.
This package is said upstream to be distributed under expat license
but is really under BSD-3.

Files: *
Copyright: 2009-2013, Jeff Mott
2013, Maxwell Krohn
2014-2017, browserify-aes contributors
License: BSD-3 and Expat
comment: Jeff Mott is original author of crypto-js see
https://github.com/keybase/triplesec/blob/master/LICENSE
.
Maxwell Krohn is original author of triplesec releasing modification
of crypto-js under expat license see
https://github.com/keybase/triplesec/blob/master/LICENSE
.
browserify-aes contributors released modifications under expat license.

Files: ghash.js
Copyright: 2009-2013, Jeff Mott
2013, Maxwell Krohn
2014-2017, browserify-aes contributors
2009-2015, Emily Stark, Mike Hamburg and Dan Boneh at Stanford University
2012 Juho Vähä-Herttua
2016 Fedirico Bond
License: BSD-2 or GPL-2, and BSD-3 and Expat
comment: Jeff Mott is original author of crypto-js see
https://github.com/keybase/triplesec/blob/master/LICENSE
.
Maxwell Krohn is original author of triplesec releasing modification
of crypto-js under expat license see
https://github.com/keybase/triplesec/blob/master/LICENSE
.
browserify-aes contributors released modifications under expat license.
.
Some functions of this file were copied from sjcl project under
BSD-2 or GPL-2 copyright
(see https://github.com/bitwiseshiftleft/sjcl/blob/master/LICENSE.txt)
.
Original authors of sjcl project were checked using git history see
https://github.com/bitwiseshiftleft/sjcl/commits/master/core/gcm.js

Files: debian/*
Copyright: 2017, Bastien Roucariès
License: Expat

License: Expat
Permission is hereby granted, free of charge, to any person
obtaining a copy of this software and associated documentation files
(the "Software"), to deal in the Software without restriction,
including without limitation the rights to use, copy, modify, merge,
publish, distribute, sublicense, and/or sell copies of the Software,
and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
.
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

License: BSD-3
All rights reserved.
.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
.

  1. Redistributions of source code must retain the above copyright notice,
    this list of conditions, and the following disclaimer.
    .
  2. Redistributions in binary form must reproduce the above copyright notice,
    this list of conditions, and the following disclaimer in the documentation
    or other materials provided with the distribution.
    .
  3. Neither the name CryptoJS nor the names of its contributors may be used to endorse
    or promote products derived from this software without specific prior written permission.
    .
    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS," AND ANY EXPRESS
    OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
    MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED.
    IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
    INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
    BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
    OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
    STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

License: BSD-2
All rights reserved.
.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
.

  1. Redistributions of source code must retain the above copyright
    notice, this list of conditions and the following disclaimer.
    .
  2. Redistributions in binary form must reproduce the above copyright
    notice, this list of conditions and the following disclaimer in the
    documentation and/or other materials provided with the distribution.
    .
    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
    IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
    TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
    PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
    HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
    SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
    TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
    PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
    LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
    NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
    SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

License: GPL-2
This package is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License.
.
This package is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
.
You should have received a copy of the GNU General Public License
along with this package; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
.
On Debian systems, the complete text of the GNU General Public
License version 2 can be found in `/usr/share/common-licenses/GPL-2'.

@dcousens
Member

dcousens commented May 27, 2017

PRs accepted...

@dcousens
Member

dcousens commented Sep 23, 2019

@calvinmetcalf from reading what @bastien-roucaries has said, and briefly looking at some of the links, it appears the summary of changes are as shown below?
I am not a lawyer, but I think this would probably help this package be closer to complying with the various LICENSE terms it appears to be under given how much derivative code appears to have been added...

@bastien-roucaries what do you mean by Files: debian/*?

Files: *

Copyright (c) 2009-2013, Jeff Mott
Copyright (c) 2013, Maxwell Krohn
Copyright (c) 2014-2017, browserify-aes contributors

with LICENSE(s) of: BSD-3 and MIT

Files: ghash.js

Copyright (c) 2009-2013, Jeff Mott
Copyright (c) 2012, Juho Vähä-Herttua
Copyright (c) 2013, Maxwell Krohn
Copyright (c) 2014-2017, browserify-aes contributors
Copyright (c) 2009-2015, Emily Stark, Mike Hamburg and Dan Boneh at
Stanford University. All rights reserved.
Copyright (c) 2016 Fedirico Bond

with LICENSE(s) of: BSD-2 or GPL-2, and BSD-3 and MIT

@ljharb
Member

ljharb commented Sep 18, 2023

@bastien-roucaries #59 implies that this issue can be closed. However, the license of the project isn't fully clear to me. Is it dual-licensed, or are different parts licensed differently? In other words, how can the license of this project be accurately represented with an SPDX specifier?

If it can not be, which parts would I need to extract to a different package so that both packages had an accurate SPDX identifier?

@dcousens
Member

dcousens commented Sep 18, 2023

I think parts of this package written by @calvinmetcalf license as MIT - but otherwise different parts would be derivatives which are licensed differently and hopefully were covered by #59.

@ljharb
Member

ljharb commented Sep 18, 2023

oof, ok thanks, that makes things difficult.

@dcousens
Member

dcousens commented Sep 18, 2023

Maybe you could copy the LICENSE headers from ghash.js into LICENSE, then that would have everything in one place?
I think the SPDX identifier represents that?

@ljharb
Member

ljharb commented Sep 18, 2023

The ideal destination is that an individual package has a single license that covers it in its entirety. So, I'd probably want to extract out either the MIT parts, or the non-MIT parts, into a new package, so that each one has a single SPDX identifier.
