[License-discuss] TrueCrypt license (not OSI-approved; seeking history, context).

Tom Callaway tcallawa at redhat.com
Mon Oct 14 21:25:41 UTC 2013


On 10/14/2013 09:32 PM, Karl Fogel wrote:
> Obviously, I'd like to see TrueCrypt be truly open source.  The ideal
> solution is not to have them remove the words "open source" from their
> self-description, but rather for their software to be under an
> OSI-approved open source license

I have not looked at the TrueCrypt license (in depth) in quite some
time, but when Fedora and Red Hat reviewed it in 2008, not only was it
non-free, it was actually dangerous.

(from 2008):
http://lists.freedesktop.org/archives/distributions/2008-October/000273.html
http://lists.freedesktop.org/archives/distributions/2008-October/000276.html

They appear to have reworded some concerning parts of that license;
however, when we pointed out these concerns to them directly in 2008,
their response was to forcefully (and rather rudely) reply that the
problems caused by their license wording were not problems, but
intentional. That alone gave us serious concern as to the intentions of
the upstream, especially given the nature of the software under that
license.

Notable is that Section VI.3 appears to be the same in the TrueCrypt
license as it was in 2008. It is arguably necessary for any Free or Open
Source license to waive some "intellectual property rights" in order to
share those rights (which default to being exclusive to the copyright
holder) with others. This section was noted to the TrueCrypt upstream
(in 2008) as potentially conflicting with the rest of the license, and
again, they pointed out that they were aware of the potential conflict
and that it was _intentional_.

In short, we were forced to conclude the license was worded the way that
it was (with clever wording traps) as a sort of sham license.

For what it is worth, I'm not sure the OSI should voluntarily spend any
time or effort on the TrueCrypt license unless the TrueCrypt copyright
holder brings it forward themselves with a willingness to address these
issues in a serious and reasonable fashion.

The fact that there are other FOSS implementations for TrueCrypt (most
notably tc-play (https://github.com/bwalex/tc-play)) minimizes the need
to resolve these issues with the upstream, which is why Fedora stopped
attempting to do so quite some years ago.

~tom

==
Fedora Project

