
Why GNU GPL is bad for crypto deployment





Someone asked me in email why I said on coderpunks & cypherpunks:

> > If one is interested to encourage people to include crypto in their
> > applications, GNU style licenses are a step in the wrong direction.

And as I wrote a longish explanation, I thought I'd share it:

Here is the problem: say that our goal is to maximise deployment of
software with crypto built in, especially commercial software.

So people write libraries, and software say like Eric Young's SSLeay,
or Werner Koch's GNUPG (OpenPGP implementation).

Some of these people then use GNU license because that is the friendly
net ethos of the way to do it.  (And in general I agree, but there is
a conflict here...)

So now the license on the libraries or software that they've written
(specifically to encourage commercial companies to add crypto) is
evaluated by the prospective companies' lawyers.

The lawyer observes that the GNU license says:

1) thou shalt adopt the GNU license for your whole source tree, if
there is one line of GNU derived code in it.

(or words to that effect).

And he goes ... hmmm ... so what else does GNU license say if we put
our source under GNU license.

It also says:

2) source shall be available for shipping and handling fee only

(or words to that effect)

and he grumbles, and maybe causes the project to be scrapped, if the
company has ideas on keeping source code secret (though we all know
this is not a good idea especially for crypto code, such companies
exist, these are the parameters we are mostly working within).

So if the project is still ok by the lawyer, he examines the license
some more, and it says:

3) it shall be allowed for anyone to take and re-distribute any GNU
software charging what they like.

(or words to that effect)

And he goes (floating point exception... core dumped!)  Because it
means that his company's software can be legally copied and re-sold
with no financial benefit to his company.

Which is why companies won't touch GNU license stuff with a barge
pole.

Note that there are two licenses promoted by FSF: the GPL (GNU General
Public License) and the GNU LGPL (GNU Library General Public License).

The GNU LGPL is as I commented in an earlier post just about usable
for commercial purposes, because it does not infect the source tree
using the code with the LGPL (or GPL) because it allows specifically
for providing only the code for the library and not the rest of the
code, and does not demand that the rest of the code use the same
license.

However Werner is using GPL for G10 aka GNUPG (at least as of
g10-0.0.0 which is the version I have).

So the plea is, if you are going to use GNU, at least use LGPL and NOT
GPL.

Well, it's your code, and you wrote it, so it's your choice: my
comments are based on the assumption that the author is more
interested in crypto deployment than in the GNU license virus as a
means of promoting the availability of source code.

Adam