Return-path: Envelope-to: isis@patternsinthevoid.net Delivery-date: Thu, 04 Jul 2013 11:38:58 -0600 Received: from pattern7 by box658.bluehost.com with local-bsmtp (Exim 4.80) (envelope-from ) id 1UunUg-0005CD-4Y for isis@patternsinthevoid.net; Thu, 04 Jul 2013 11:38:58 -0600 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on box658.bluehost.com X-Spam-Level: X-Spam-Status: No, score=0.0 required=7.0 tests=AWL,BAYES_00,RDNS_NONE, T_MIME_NO_TEXT,UNPARSEABLE_RELAY shortcircuit=no autolearn=no version=3.3.1 Received: from [204.13.164.192] (port=50585 helo=boum.org) by box658.bluehost.com with esmtps (TLSv1:CAMELLIA256-SHA:256) (Exim 4.80) (envelope-from ) id 1UunUf-0005B2-OL for isis@patternsinthevoid.net; Thu, 04 Jul 2013 11:38:57 -0600 Received: from localhost (unknown [10.36.27.20]) by boum.org (Postfix) with ESMTP id C051A44543 for ; Thu, 4 Jul 2013 19:38:55 +0200 (CEST) Received: from boum.org ([10.36.27.29]) by localhost (censure.boum.org [10.36.27.20]) (amavisd-new, port 10024) with ESMTP id EzLEA-Rb12Hz for ; Thu, 4 Jul 2013 19:38:55 +0200 (CEST) Received: from [127.0.0.1] (localhost [127.0.0.1]) with ESMTPSA id D9A8F4447E Received: from localhost (localhost [127.0.0.1]) by localhost (Postfix) with ESMTP id 75BE2721E69 for ; Thu, 4 Jul 2013 19:38:46 +0200 (CEST) Message-Id: <85ehbep6mx.fsf@boum.org> From: intrigeri To: Isis! Subject: AGPL library, really? Date: Thu, 04 Jul 2013 19:38:46 +0200 MIME-Version: 1.0 Content-Type: multipart/encrypted; boundary="=-=-="; protocol="application/pgp-encrypted" X-Identified-User: {3202:box658.bluehost.com:pattern7:patternsinthevoid.net} {sentby:spamassassin for local delivery to identified user} --=-=-= Content-Type: application/pgp-encrypted Version: 1 --=-=-= Content-Type: application/octet-stream -----BEGIN PGP MESSAGE----- Version: GnuPG v1.4.12 (GNU/Linux) hQIMA1DJjYe0ARAPARAArgElYh6OQGZF7I5iJkKuseLEWy0C4wZ+K36Drm4mEoIN N/3Tp08wf2czaYPYkXH2n5z9eCuCX8Ec0hAozmOHeA3pFsus5bRpVyEBnGMP8cFZ +rpEig1xURd0GoWypWtRQSakf5bpAk9VKiSK9iJpZ3iqtkl/zWEyj13MfD6KEN34 pnDf1m6JZLjUrFa8k2dy8lohubTzl32HiFKcdP04fV+ZhlWNAYoiriDEKzpY4Aoy XFx3HnM5vp3KkqOZM7seFZhXLupCn2F87JMzbEILOwbsJlLkKf/y/Cba+MQSPkSx 7ZE1NVyMQIckRFSrsrZuAR7nZToblQ0/TpcqCYSUUalGF8simW026rFma9c7l6vL p0fKzMzHd0jUucMUpeAbdVkLFeZq3mBcLiyrNZVO2KLMZDnHyipTU6DkelTD+SS4 v6GbUPuELGFRV+CJvc/bPz6SGkmqaANmVXuhSHJEEb2feCliXduxBJsycM+2mxp6 U9W8YmfyCDIb7rJ2Y1HVPGjbRHWmAE+TrXS/7YVtCtWiNQCa13ccbT0Wkc8INjkQ iRZQEI0CxfqMFaLpb33jVKVzUvU5OEERO4DTTDHDnXxAGnNlVAUQGKk6ES7pc4NY aolhj7BkkttLElVZMeL6InhxNTi3oFE4sCTABN2CCqqvVh77IqJmAo9tGUlKxfSF AgwDT1xlSpP5dskBD/oC8Bhvki4E8s/Q1CggPbwfCrHCDzFTjTXxipp8WkReaXE4 lZTNymG0JWrcmVbuhDy3NQH+GgpYk2PkVq1771FJtNqrfzEZN2IPtyK1GxeAYLEi pRBInrej05EH96dhM1xMMlXWEe6svIkm3d05ETdeGuvOByXBuDHg60dgGXsjsrV1 /Duwu1Q90Yhz3XMeRVTNsOUGKZAdsz20REs7yZSiqwrm71Q0cf8RUOF4F/u2jsle kkL6jrLhEt/jhukR9VlpYegxAbluuCM5PslfoNYY/jLagif4akJ0cyGAmNrROtWt g0n/gdc56TFvutci1/f1zkPlqGgZWANOFVnDsv9Em9Ew3dJ2GDMk4ERFKCBV5X/C /tuble7M2GR6gFnJstH+uTsyX+2R+LlI+6HdrTfkEm4+S4buqV62XZg6EHMraE7a QRsgKSa9a9Kd/D0pAo7njvuev7TH9JFvJO1fXG1DARsQYBdxDwJtOHfGnsr4Kc5U 4IKdHKwytwcGC9ulKIBPZ7NN+LJxYFaKwjTfXbS7PARJ35AvN3XL/YJQCk/JKt63 LDQyT+LxeExq+uwUQxRrZQHJm07TqCMgIctLCz/VQrBOe3QMbHCooe+2D8rAR48f bsdShnh7UuuqV7eKVeYf9lWcaeKQSmg4FxrxApnW6bHglF4d2/sMPsT8ZdxItNLB KgE3MIRxtV2C2aWIjhAgiJh/0lBVjls0PaMQhMRYOk1CytiuLQ5ixAme4ptba+qv fGz/pnD0lQd51ZtdDWVXNJM/AagJc+hUNHiDC3DIZw8jEqZqBUke5agHSmzNh+2C 8xQ4jg92p8jnYBkT+AA6oXvudoRpi2Nx+q8jX8fsxpFmgzWAPXyyEDHRmLNLrMhR CIpHWpPkqH+c0/vz0lVV04LJfP2kGrIUupn2AhVDYRFjbHCOL62cNJJpu9WLCkdR auurGi78EqVBqea58a0aE+FwGQH47UaMdDUl/eQOooCpzVb9O83HbWWkqm8buJgj PHSf9AEa+FhnZsrUWwngiiH40ifHfwDQWSzNS2zs5OYG0DbHrESuc+bjOGZ6IOB+ ywIR7z2v4x+XN8bN74eEMK4uIqxv7Thv1BGgGGumqrMDgkrOw1yojUQTC8wRnoiB uZQspyeVbs5iNOdWiiGzscFXW1+QqHfxtdDLqjJdyvPHhVj2JUxG6w/FggXj8nUJ trco39vZKaLfp/Dcimok1INr2IEvzUdhV6vrtrO7w+4waNBY7d/uJtT2DLl80Y4R MIyDeMKhw9q//u1mMOG7Ce7n9iwzX2Bf2t8TSRmM5fqwXtjxcDBl5fceCilIyfCL fMT2Dws+/n9Y2YQ= =jcmz -----END PGP MESSAGE----- --=-=-=-- Content-Type: text/plain Hi, I see on https://pypi.python.org/pypi/gnupg that you released this library under AGPLv3. Is this correct? If it is, then you might be interested to have a look to this long ongoing thread on debian-devel mailing-list where I've seen explained (by people I trust on this topic) that AGPLv3 is really not well suited for libraries -- to start with, quite some of its terms are ambiguous when one tries to apply them to a library: https://lists.debian.org/debian-devel/2013/07/msg00031.html Cheers, -- intrigeri | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc Content-Type: text/plain Hi isis, isis agora lovecruft wrote (07 Jul 2013 04:20:13 GMT) : > I think this message better describes why AGPL is bad for libraries: > https://lists.debian.org/debian-devel/2013/07/msg00041.html > or, at least, I understood that one better than the first. TBH, I've pointed you at the beginning of the thread because I was too lazy to go fetch the best email in there. I'm glad it helps anyway. > Do you know if it is okay for me to re-license it as regular GPL? I've just re-read a bit to confirm, and my conclusion is that: yeah, as the sole copyright holder (is this the case?) you can freely re-licence to whatever you want. > Do you have any advice on which of GPLv(2|3)(\+)* that I should use? I usually do GPL-3+, but I would not be able to defend it seriously against v2 or v2+. > Thanks for pointing this out so quickly before it caused trouble, by the > way. :) Np. Cheers! -- intrigeri | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc Content-Type: text/plain Hi isis, > Is it okay to credit you and/or publicly point to these emails as > the basis for the rationale for the switch? Feel free to credit me if you wish, but I certainly don't feel it's necessary. I feel a bit lazy to read this thread again to check if it's fine to publish stuff from there, so if you don't mind, I'd rather skip this part ;) Cheers, -- intrigeri | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc Content-Type: multipart/mixed; boundary="LwW0XdcUbUexiWVK" Content-Disposition: inline --LwW0XdcUbUexiWVK Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable intrigeri transcribed 2.3K bytes: > I see on https://pypi.python.org/pypi/gnupg that you released this > library under AGPLv3. Is this correct? Yes, that it correct. > If it is, then you might be interested to have a look to this long > ongoing thread on debian-devel mailing-list where I've seen explained > (by people I trust on this topic) that AGPLv3 is really not well > suited for libraries -- to start with, quite some of its terms are > ambiguous when one tries to apply them to a library: > https://lists.debian.org/debian-devel/2013/07/msg00031.html Okay, thanks! /me reads=E2=80=A6 I think this message better describes why AGPL is bad for libraries: https://lists.debian.org/debian-devel/2013/07/msg00041.html or, at least, I understood that one better than the first. I certainly do not want to make problems for Debian, and now that a bunch of Tor, LEAP, CryptoParty, and Freebox projects, and perhaps soon Pip too, will be depending on this, I *really* don't want to make anyone else's license h= ell worse. Attached is an email from leap@lists.riseup.net where we had fisticuffs over licensing opinions, wherein I explained my preference for AGPL for everything. Essentially, I do not want people/corporations/etc. to use my w= ork in a closed source application and then potentially make changes to patch found vulnerabilities without contributing those patches back to the main codebase. Though, you're correct, this doesn't make sense for a library, as a closed-source web-service frontend to this Python module likely isn't going= to get anyone exploited except the person running the service. So it doesn't m= ake as much sense. Do you know if it is okay for me to re-license it as regular GPL? Do you have any advice on which of GPLv(2|3)(\+)* that I should use? Thanks for pointing this out so quickly before it caused trouble, by the way. :) --=20 =E2=99=A5=E2=92=B6 isis agora lovecruft _________________________________________________________ GPG: 4096R/A3ADB67A2CDB8B35 Current Keys: https://blog.patternsinthevoid.net/isis.txt --LwW0XdcUbUexiWVK Content-Type: text/plain; charset=utf-8 Content-Disposition: attachment; filename=to-intrigeri Content-Transfer-Encoding: quoted-printable =46rom leap-owner@lists.riseup.net Tue May 28 04:14:29 2013 Date: Tue, 28 May 2013 04:13:56 +0000 =46rom: isis agora lovecruft To: micah Cc: Tomas Touceda , leap@lists.riseup.net Message-ID: <20130528041356.GL14793@patternsinthevoid.net> Reply-To: isis@patternsinthevoid.net References: <51914DF8.2020507@riseup.net> <51A38709.5050408@riseup.net> <87a9ng74wn.fsf@muck.riseup.net> MIME-Version: 1.0 Content-Type: text/plain; charset=3Dutf-8; x-action=3Dpgp-signed Content-Transfer-Encoding: 8bit In-Reply-To: <87a9ng74wn.fsf@muck.riseup.net> X-GPG-Public-Key-URL: https://blog.patternsinthevoid.net/isis.txt X-Louis-Lingg: In this hope do I say to you I despise you. I despise your order, your laws, your force-propped authority. Hang me for it! X-Virus-Scanned: clamav-milter 0.97.8 at willet X-Virus-Status: Clean Subject: Re: [leap] license X-Loop: leap@lists.riseup.net X-Sequence: 404 Errors-to: leap-owner@lists.riseup.net Precedence: list Precedence: bulk X-no-archive: yes List-Id: List-Help: List-Subscribe: List-Unsubscribe: List-Post: List-Owner: List-Archive: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 micah transcribed 1.3K bytes: > Tomas Touceda writes: >=20 > > On 05/13/2013 05:32 PM, elijah wrote: > >> if you have any wisdom or opinions regarding the ever joyful and > >> uncontroversial topic of free software licenses, then please deposit > >> said wisdom or opinions in this wiki: > >>=20 > >> https://we.riseup.net/leap/license > >>=20 > >> in a nutshell, we need to decide on a license for the client. > >>=20 > > > > Does anybody have license knowledge a priori? Or should I get started > > reading licenses? >=20 > I'm supposed to have a more than zero knowledge of what constitutes free > licenses due to my debian training, and debian is world-renknowned for > having a particularly nasty debian-legal mailing list where licenses are > chewed up and spit out... but I personally hate the topic and tend to > avoid it as much as possible. >=20 > So basically my opinons are:=20 >=20 > 1. no license that is incompatible with the DFSG[0] (debian free > software guidelines) - it seems like we are probably in agreement about > this? >=20 ACK > 2. BSD multi-claused licenses and MIT are confusing and annoying, so I > tend to think they should be avoided due to this >=20 ACK > 3. openssl derived works require granting an exception with GPL licenses > (an exception is trivial), so I prefer gnutls code where possible >=20 ACK > 4. it seems weird to make things AGPL that aren't webapps >=20 I started release everything I could AGPLv3 three years ago, after a conversation with some other activist free-software devs: Me: "I want a license which says 'If you are part of any governing body= or corporation which contracts to any private or public military entity, t= hen you should go fuck youself. And no, you cannot use my software -- I will sue your pants off.'" Them: "Isis, that is silly, and even na=C3=AFve. Universities are libra= ries are often 'part of governing bodies', you don't want to exclude them, do yo= u? And also, you're like not going to see the blobs your code is included in...it will get privately installed on custom military and law enforcement hardware, and when they're done with it it'll go and rot outside on a base or in a police confiscation parking lot somewhere." Me: "Hum. I hate talking about licenses anyway." Them: "Yeah, it sucks. But it's important for us to take this seriously, because the tools we're working on have the potential for helping us better organise at protests, as well as better help the cops kettle us into paddy wagons." [one of the tools was a crisis mapping thing] Different one of them: "Perhaps you both should read AGPL, and see if t= hat helps. I don't think using law against them is going to work, because we can't assume they will play by the rules, but if we're arguing licenses anyway..." AGPL also seems useful when it seems possible that shady closed-source startups are going to add a fancier UI or other feature to your code, and t= hen market it. This is especially worrying, not because they are "stealing user= s", but because it's never clear if vulns discovered in your own code have been fixed in theirs and vice versa. Or, it could get used in way that is dangerous, or that it wasn't meant for. (For example, there is currently a concern that a certain shell company is going to use OONI's code on these little android-system-on-a-USB dongly thingies...and there are certain dang= ers with Tor on Android that these people either don't understand or have no intention of warning users about.) Anyway. There is my argument for AGPL. Though I also hate these discussions, don't care about laws, think reformism is bunk, WTFPL is the only sane LICENSE, and all that jazz, so I'm going to= go stand over there ----------------------------------------------------------= -> and watch everybody else duke it out. :) <(A)3 isis agora lovecruft - --=20 GPG: 4096R/A3ADB67A2CDB8B35 Current Keys: https://blog.patternsinthevoid.net/isis.txt -----BEGIN PGP SIGNATURE----- iQJuBAEBCgBYBQJRpC8DBYMB4TOASxSAAAAAABoAKGlzaXNAcGF0dGVybnNpbnRo ZXZvaWQubmV0MEE2QTU4QTE0QjU5NDZBQkRFMThFMjA3QTNBREI2N0EyQ0RCOEIz NQAKCRCjrbZ6LNuLNVkVD/9NVDCeFvMbAeGSCbXt/gMlyZ/OJfQcS2WwuegaRR8B BtfujOIKEA/D9zywCTJYpk9gVQo1TqG7EiTdG25FU9cVnlf4/E0Dp/6vKS4q4T9j Bba+lxMjoZ0ivC+nVIf2pQS1YK0PtiGZDLj4cVh5UuYcSZA0kxCh4KamqrEq/WdE iYyd1WWvNFDYaWhsB5+DlqRi7PNs7IF7mxegGOpkqVR31NrFu9WxThFpiFKmT7m+ cEHzdGmVfa8iz2yTDrh8D01rw54GHIam8OdLp/SuyBsaaSD6UZsYXEc8L6ePR8Xa QkO/n9PZAo2vm5Ph+ASIOKwRX5DdiiTawJ7sBb9/e0QIwsiQ0Q9nrB7Qbbv053ko S7Bqu37hZiCjO2aPDCAF2r4UMGJw1Qy/FJme3TYEav1qL61sOYKCVwhfF2/IWzA+ kO8+4Ei4AKcoLkc6cQUDrQBgwRqEd9qzDSL5/JLJOW7Gkc5rBAADVJcPbFKuMpPr evqdtjFXdej3KsrqdvnNRA6Q8t1XDv2CUxoK8/YK3CzPa8GbqjwS5J1pIDgA2tl9 RRYoPgfgXcYf3sQJSJUoPGUOQAqduu0WeLJFHi/kXRqzQf4nGFCUg/mi6lsGswcF pBguGmO8deoRi59ddhek2Pgpi9hUE2cjasAgZb1B54XmjYYkDqe+owfvWDOKXOZa AQ=3D=3D =3DUxwA -----END PGP SIGNATURE----- --LwW0XdcUbUexiWVK-- Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable intrigeri transcribed 2.6K bytes: > isis agora lovecruft wrote (07 Jul 2013 04:20:13 GMT) : > > Do you know if it is okay for me to re-license it as regular GPL? >=20 > I've just re-read a bit to confirm, and my conclusion is that: yeah, > as the sole copyright holder (is this the case?) you can freely > re-licence to whatever you want. Hey intrigeri, I've decided to relicence with your recommendation of GPL3+. Is it okay to credit you and/or publicly point to these emails as the basis for the rationale for the switch? --=20 =E2=99=A5=E2=92=B6 isis agora lovecruft _________________________________________________________ GPG: 4096R/A3ADB67A2CDB8B35 Current Keys: https://blog.patternsinthevoid.net/isis.txt Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable intrigeri transcribed 2.6K bytes: > isis agora lovecruft wrote (07 Jul 2013 04:20:13 GMT) : > > Do you know if it is okay for me to re-license it as regular GPL? >=20 > I've just re-read a bit to confirm, and my conclusion is that: yeah, > as the sole copyright holder (is this the case?) you can freely > re-licence to whatever you want. Hey intrigeri, I've decided to relicence with your recommendation of GPL3+. Is it okay to credit you and/or publicly point to these emails as the basis for the rationale for the switch? --=20 =E2=99=A5=E2=92=B6 isis agora lovecruft _________________________________________________________ GPG: 4096R/A3ADB67A2CDB8B35 Current Keys: https://blog.patternsinthevoid.net/isis.txt