classification
Title: Python download page needs to mention crypto code in Windows installer
Type:
Stage: resolved
Components: Build, Documentation
Versions: Python 3.4, Python 3.5, Python 2.7

process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: docs@python
Nosy List: BreamoreBoy, berker.peksag, christian.heimes, debatem1, docs@python, eric.araujo, georg.brandl, lemburg, loewis, rhettinger, terry.reedy
Priority: normal
Keywords: patch

Created on 2010-06-29 18:37 by lemburg, last changed 2015-02-20 11:30 by berker.peksag. This issue is now closed.

Messages (21)
msg108929 - (view) Author: Marc-Andre Lemburg (lemburg) * (Python committer) Date: 2010-06-29 18:37
This needs to be done to protect our users (importing crypto code or using it may be illegal in their home country, see http://rechten.uvt.nl/koops/cryptolaw/ for a survey) and to satisfy an attribution requirement in the OpenSSL license and code base:

"""
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com). This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)
"""
msg108930 - (view) Author: Marc-Andre Lemburg (lemburg) * (Python committer) Date: 2010-06-29 18:38
See the OpenSSL license for details on the notice requirement:

http://www.openssl.org/source/license.html
msg115043 - (view) Author: Martin v. Löwis (loewis) * (Python committer) Date: 2010-08-26 22:59
Which specific clause of the license do you consider violated?
msg115056 - (view) Author: Marc-Andre Lemburg (lemburg) * (Python committer) Date: 2010-08-27 07:50
Martin v. Löwis wrote:
> 
> Martin v. Löwis <martin@v.loewis.de> added the comment:
> 
> Which specific clause of the license do you consider violated?

 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
msg115057 - (view) Author: Marc-Andre Lemburg (lemburg) * (Python committer) Date: 2010-08-27 08:00
I'd suggest to add a paragraph like this to the release pages:

"""
The Python Windows installers include OpenSSL, which provides cryptographic
services to Python. Please note that downloading or using cryptographic
code may not be legal in your country of residence. It is your responsibility
to make sure you meet all local import and use requirements for cryptographic
code when downloading and using the Python Windows installers.

OpenSSL Notice: This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com). This
product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit.
(http://www.openssl.org/)
"""
msg115066 - (view) Author: Martin v. Löwis (loewis) * (Python committer) Date: 2010-08-27 12:19
>> Which specific clause of the license do you consider violated?
> 
>  * 3. All advertising materials mentioning features or use of this
>  *    software must display the following acknowledgment:
>  *    "This product includes software developed by the OpenSSL Project
>  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

I fail to see the violation, or how changing the download page could
fix that. The download page is *not* "advertising material mentioning
features or use of this software". In fact, the download page doesn't
refer to SSL at all. Hence there is no obligation to mention OpenSSL
on the download page.

>  * 3. All advertising materials mentioning features or use of this software
>  *    must display the following acknowledgement:
>  *    "This product includes cryptographic software written by
>  *     Eric Young (eay@cryptsoft.com)"

Likewise.

>  * 4. If you include any Windows specific code (or a derivative thereof) from
>  *    the apps directory (application code) you must include an acknowledgement:
>  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

This doesn't apply: we don't include any code (Windows specific or not)
from the apps directory.
msg115067 - (view) Author: Martin v. Löwis (loewis) * (Python committer) Date: 2010-08-27 12:21
> I'd suggest to add a paragraph like this to the release pages:

-1, unless the PSF lawyer advises that such a paragraph is indeed
necessary. It may shy away users from using Python, which is clearly
undesirable.
msg115078 - (view) Author: Marc-Andre Lemburg (lemburg) * (Python committer) Date: 2010-08-27 14:13
Martin v. Löwis wrote:
> 
> Martin v. Löwis <martin@v.loewis.de> added the comment:
> 
>>> Which specific clause of the license do you consider violated?
>>
>>  * 3. All advertising materials mentioning features or use of this
>>  *    software must display the following acknowledgment:
>>  *    "This product includes software developed by the OpenSSL Project
>>  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
> 
> I fail to see the violation, or how changing the download page could
> fix that. The download page is *not* "advertising material mentioning
> features or use of this software". In fact, the download page doesn't
> refer to SSL at all. Hence there is no obligation to mention OpenSSL
> on the download page.
> 
>>  * 3. All advertising materials mentioning features or use of this software
>>  *    must display the following acknowledgement:
>>  *    "This product includes cryptographic software written by
>>  *     Eric Young (eay@cryptsoft.com)"
> 
> Likewise.

The license only permits you to use and distribute OpenSSL under
the conditions mentioned in the license.

Since we are not following those old-style BSD license requirements
(which are unfortunate), we are not allowed to use the software:

The python.org site is full of references to OpenSSL. Most
prominently in the documentation of the ssl and hashlib modules,
but also in the release notes/news and other files.
By contrast, the name "Eric Young" does not appear anywhere
on the site (according to a Google search).

We can remedy this easily, by putting the notices on the download
pages. Perhaps just putting them into the documentation is already
good enough.

>>  * 4. If you include any Windows specific code (or a derivative thereof) from
>>  *    the apps directory (application code) you must include an acknowledgement:
>>  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
> 
> This doesn't apply: we don't include any code (Windows specific or not)
> from the apps directory.

Ok, so we don't have to add this part.

>> I'd suggest to add a paragraph like this to the release pages:
>
> -1, unless the PSF lawyer advises that such a paragraph is indeed
> necessary. It may shy away users from using Python, which is clearly
> undesirable.

So you'd rather have some users get in trouble for downloading
and using crypto software, due to import laws or domestic laws
restricting its use in their country ?

Deliberately hiding this information from the user doesn't
sound like a good approach to the problem. However, I agree
that this is a question to ask the PSF board.

There's probably a better wording for such a text, but some kind of
note of caution needs to go on the website.
msg115084 - (view) Author: Martin v. Löwis (loewis) * (Python committer) Date: 2010-08-27 14:39
> Since we are not following those old-style BSD license requirements

You state that as if it was a fact, which it is not. We, indeed, fully
comply with the license requirements.

> The python.org site is full of references to OpenSSL. Most
> prominently in the documentation of the ssl and hashlib modules,
> but also in the release notes/news and other files.

Sure, but this is not advertising material. It's technical documentation.

> So you'd rather have some users get in trouble for downloading
> and using crypto software, due to import laws or domestic laws
> restricting its use in their country ?

I don't believe that users actually will get into troubles for
downloading Python. If they would, a notice is likely not to have
any effect on that - if there is a real risk that users will get
into trouble, most likely, they know before downloading what
that trouble might be.

If you really wanted to post a notice telling people that doing illegal
things may cause problems, for all the illegal things that you can
do with Python, you'll end up with a long list. For example, Python
can be used to break into other computer systems (as can any programming
environment with a networking API) - should we now include a notice
saying

"Python can be used to break into remote computers, using the network
services of Python. Please note that breaking into other computers
may not be legal in your country of residence. It is your responsibility
to make sure you meet all local import and use requirements for
networking code when downloading and using the Python Windows installers."

I hope you agree that would be silly.
msg115086 - (view) Author: Marc-Andre Lemburg (lemburg) * (Python committer) Date: 2010-08-27 15:05
Martin v. Löwis wrote:
> 
> Martin v. Löwis <martin@v.loewis.de> added the comment:
> 
>> Since we are not following those old-style BSD license requirements
> 
> You state that as if it was a fact, which it is not. We, indeed, fully
> comply with the license requirements.
>
>> The python.org site is full of references to OpenSSL. Most
>> prominently in the documentation of the ssl and hashlib modules,
>> but also in the release notes/news and other files.
> 
> Sure, but this is not advertising material. It's technical documentation.

Ask a lawyer :-)

There's a reason why you get around 688.000 hits when searching for
"This product includes cryptographic software written by Eric Young"
on Google.

Now try that search against www.python.org... not a single hit.

>> So you'd rather have some users get in trouble for downloading
>> and using crypto software, due to import laws or domestic laws
>> restricting its use in their country ?
> 
> I don't believe that users actually will get into troubles for
> downloading Python. If they would, a notice is likely not to have
> any effect on that - if there is a real risk that users will get
> into trouble, most likely, they know before downloading what
> that trouble might be.

Right now, they are downloading a file without knowing that
they are in fact possibly importing crypto code. Even if they
know that importing or using crypto code is illegal, they
don't get the needed information from us to decide whether
or not they want to proceed.

And they don't get a choice to download an installer without
crypto code either.

This latter point may actually be a good way
to make them aware without scaring anyone away: put two installers
up on the page, one with OpenSSL, the other without OpenSSL and
then let the users decide which one they want.

> If you really wanted to post a notice telling people that doing illegal
> things may cause problems, for all the illegal things that you can
> do with Python, you'll end up with a long list. For example, Python
> can be used to break into other computer systems (as can any programming
> environment with a networking API) - should we now include a notice
> saying
> 
> "Python can be used to break into remote computers, using the network
> services of Python. Please note that breaking into other computers
> may not be legal in your country of residence. It is your responsibility
> to make sure you meet all local import and use requirements for
> networking code when downloading and using the Python Windows installers."
> 
> I hope you agree that would be silly.

Agreed, but that's not what I'm talking about :-)
msg115129 - (view) Author: Terry J. Reedy (terry.reedy) * (Python committer) Date: 2010-08-27 20:20
This is really two issues: docs and windows builds. As for docs:

Many of the module doc pages mention original authors and give urls for further info. The ssl page already says " This module uses the OpenSSL library." Rather than fuss over whether the doc constitutes 'advertising material' (and a lawyer certainly could claim it does), we can easily expand the above to

"This module includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/) and cryptographic software written by Eric Young (eay@cryptsoft.com)."

or whatever would be correct. This wording better meets the attribution requirement *and* is more informative to users.

The download page currently does not contain the word 'license', which I think is an omission that should be filled. I think it should include something like the following reasonably near the top:

"The History and License for each version is included with its document set. In layperson's terms, the license more or less says that you can use Python as you wish as long as you 1) do not claim ownership of the name or code, and 2) assume full legal and moral responsibility for the downloading and use of the code, including the cryptographic modules." 

Builds: have there been multiple overt requests for no-crypto builds? Do any of the other build providers make such? I think this falls under "These re-packagings often include more libraries or are specialized for a particular application:" -- like being so unfortunate as to live in certain countries.
msg115130 - (view) Author: Raymond Hettinger (rhettinger) * (Python committer) Date: 2010-08-27 20:33
FYI, there is a section of the docs devoted to notifications and attribution licenses:

http://docs.python.org/license.html#licenses-and-acknowledgements-for-incorporated-software
msg115203 - (view) Author: Marc-Andre Lemburg (lemburg) * (Python committer) Date: 2010-08-30 08:30
Terry J. Reedy wrote:
> 
> Terry J. Reedy <tjreedy@udel.edu> added the comment:
> 
> This is really two issues: docs and windows builds. As for docs:
> 
> Many of the module doc pages mention original authors and give urls for further info. The ssl page already says " This module uses the OpenSSL library." Rather than fuss over whether the doc constitutes 'advertising material' (and a lawyer certainly could claim it does), we can easily expand the above to
> 
> "This module includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/) and cryptographic software written by Eric Young (eay@cryptsoft.com)."
> 
> or whatever would be correct. This wording better meets the attribution requirement *and* is more informative to users.

+1

> The download page currently does not contain the word 'license', which I think is an omission that should be filled. I think it should include something like the following reasonably near the top:
> 
> "The History and License for each version is included with its document set. In layperson's terms, the license more or less says that you can use Python as you wish as long as you 1) do not claim ownership of the name or code, and 2) assume full legal and moral responsibility for the downloading and use of the code, including the cryptographic modules." 

Fine with me. The text should also link to actual current license text:

http://docs.python.org/license.html

BTW: I have a little trouble actually finding the license text on
the python.org web-site. It is not mentioned on the download page,
there's no mention of it in the downloads nav bar, nor in the documentation
section of the site.

Only the "about" section includes a mention of the
license and the "foundation" section even mentions it in the nav bar
(but that's not where people would look to find it). What's worse:
all links point to:

http://www.python.org/psf/license/

and that page refers to the Python 2.6.2 license...

I'll report this to the webmasters.

> Builds: have there been multiple overt requests for no-crypto builds? Do any of the other build providers make such? I think this falls under "These re-packagings often include more libraries or are specialized for a particular application:" -- like being so unfortunate as to live in certain countries.

Many other providers of software builds that include crypto software
either make it obvious that the builds include crypto software in their
licenses (by copying the OpenSSL license into the document) or
on the download page (ticking a checkbox, in case there's an export
issue). Some also put the crypto code into a separate download
(e.g. Java and many Linux distros).

The idea with having a separate download without the crypto code
was just to hint the user at a possible issue without scaring
them away. If we can do the same without requiring a separate
installer that would be even better.
msg115204 - (view) Author: Marc-Andre Lemburg (lemburg) * (Python committer) Date: 2010-08-30 08:32
Raymond Hettinger wrote:
> 
> Raymond Hettinger <rhettinger@users.sourceforge.net> added the comment:
> 
> FYI, there is a section of the docs devoted to notifications and attribution licenses:
> 
> http://docs.python.org/license.html#licenses-and-acknowledgements-for-incorporated-software

Good point. We should add the OpenSSL license to that section
and mention that the code is included in the Windows installer
we ship from python.org.

How does one go about getting that page updated ? Is that just a regular
build of the Python documentation, so only a checkin is needed ?
msg116881 - (view) Author: Éric Araujo (eric.araujo) * (Python committer) Date: 2010-09-19 19:17
Yes, everything under docs.python.org is generated from files from the Doc directory of a CPython checkout.  s/.html/.rst/ and you have your filename.
msg116888 - (view) Author: Georg Brandl (georg.brandl) * (Python committer) Date: 2010-09-19 21:43
Not quite everything (index.html and download.html are special, in that they're not generated from reST), but otherwise that is correct.
msg117047 - (view) Author: Marc-Andre Lemburg (lemburg) * (Python committer) Date: 2010-09-21 11:45
Added OpenSSL license to Python 2.7, 3.1 and 3.2 in r84938, r84939, r84940 resp.

Now we'll only need to add a mention of the fact that we ship OpenSSL in the Windows installers on the download page.

Terry, would you like to move this forward with the Python.org webmasters ?
msg117085 - (view) Author: Terry J. Reedy (terry.reedy) * (Python committer) Date: 2010-09-21 17:20
I sent an email.
msg236224 - (view) Author: Mark Lawrence (BreamoreBoy) * Date: 2015-02-19 16:24
@Terry it does not look as if the download pages were ever updated so can you follow this up please?
msg236233 - (view) Author: Terry J. Reedy (terry.reedy) * (Python committer) Date: 2015-02-19 19:45
No, this is really out of my ballpark.
msg236272 - (view) Author: Berker Peksag (berker.peksag) * (Python committer) Date: 2015-02-20 11:30
> Terry, would you like to move this forward with the Python.org webmasters ?

This is now a content issue and can be handled on GitHub: https://github.com/python/pythondotorg/issues
History
Date | User | Action | Args
2015-02-20 11:30:43 | berker.peksag | set | status: open -> closed; nosy: + berker.peksag; messages: + msg236272; resolution: fixed; stage: needs patch -> resolved
2015-02-19 19:45:32 | terry.reedy | set | messages: + msg236233; versions: + Python 3.5, - Python 3.1, Python 3.2, Python 3.3
2015-02-19 16:24:20 | BreamoreBoy | set | nosy: + BreamoreBoy; messages: + msg236224
2013-07-07 15:02:47 | christian.heimes | set | nosy: + christian.heimes; versions: + Python 3.3, Python 3.4
2010-09-21 17:20:23 | terry.reedy | set | messages: + msg117085
2010-09-21 11:45:19 | lemburg | set | messages: + msg117047
2010-09-19 21:43:24 | georg.brandl | set | nosy: + georg.brandl; messages: + msg116888
2010-09-19 19:17:22 | eric.araujo | set | messages: + msg116881
2010-08-30 08:32:20 | lemburg | set | messages: + msg115204
2010-08-30 08:30:31 | lemburg | set | messages: + msg115203
2010-08-27 20:33:03 | rhettinger | set | nosy: + rhettinger; messages: + msg115130
2010-08-27 20:20:44 | terry.reedy | set | nosy: + terry.reedy; messages: + msg115129; keywords: + patch; stage: needs patch
2010-08-27 15:05:58 | lemburg | set | messages: + msg115086
2010-08-27 14:39:27 | loewis | set | messages: + msg115084; title: Python download page needs to mention crypto code in Windows installer -> Python download page needs to mention crypto code in Windows installer
2010-08-27 14:13:59 | lemburg | set | messages: + msg115078; title: Python download page needs to mention crypto code in Windows installer -> Python download page needs to mention crypto code in Windows installer
2010-08-27 12:21:46 | loewis | set | messages: + msg115067
2010-08-27 12:19:49 | loewis | set | messages: + msg115066; title: Python download page needs to mention crypto code in Windows installer -> Python download page needs to mention crypto code in Windows installer
2010-08-27 08:00:46 | lemburg | set | messages: + msg115057; title: Python download page needs to mention crypto code in Windows installer -> Python download page needs to mention crypto code in Windows installer
2010-08-27 07:50:42 | lemburg | set | messages: + msg115056; title: Python download page needs to mention crypto code in Windows installer -> Python download page needs to mention crypto code in Windows installer
2010-08-26 23:31:05 | eric.araujo | set | nosy: + eric.araujo; versions: - Python 2.6, Python 3.3
2010-08-26 22:59:57 | loewis | set | nosy: + loewis; messages: + msg115043
2010-06-29 18:41:36 | debatem1 | set | nosy: + debatem1
2010-06-29 18:38:37 | lemburg | set | messages: + msg108930
2010-06-29 18:37:37 | lemburg | create |