Issue9119
Created on 2010-06-29 18:37 by lemburg, last changed 2022-04-11 14:57 by admin. This issue is now closed.
Messages (21) | |||
---|---|---|---|
msg108929 - (view) | Author: Marc-Andre Lemburg (lemburg) * | Date: 2010-06-29 18:37 | |
This needs to be done to protect our users (importing crypto code or using it may be illegal in their home country, see http://rechten.uvt.nl/koops/cryptolaw/ for a survey) and to satisfy an attribution requirement in the OpenSSL license and code base: """ This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com). This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/) """ |
|||
msg108930 - (view) | Author: Marc-Andre Lemburg (lemburg) * | Date: 2010-06-29 18:38 | |
See the OpenSSL license for details on the notice requirement: http://www.openssl.org/source/license.html |
|||
msg115043 - (view) | Author: Martin v. Löwis (loewis) * | Date: 2010-08-26 22:59 | |
Which specific clause of the license do you consider violated? |
|||
msg115056 - (view) | Author: Marc-Andre Lemburg (lemburg) * | Date: 2010-08-27 07:50 | |
Martin v. Löwis wrote:
>
> Martin v. Löwis <martin@v.loewis.de> added the comment:
>
> Which specific clause of the license do you consider violated?

 * 3. All advertising materials mentioning features or use of this
 * software must display the following acknowledgment:
 * "This product includes software developed by the OpenSSL Project
 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

 * 3. All advertising materials mentioning features or use of this software
 * must display the following acknowledgement:
 * "This product includes cryptographic software written by
 * Eric Young (eay@cryptsoft.com)"
 * The word 'cryptographic' can be left out if the rouines from the library
 * being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from
 * the apps directory (application code) you must include an acknowledgement:
 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
|||
msg115057 - (view) | Author: Marc-Andre Lemburg (lemburg) * | Date: 2010-08-27 08:00 | |
I'd suggest to add a paragraph like this to the release pages: """ The Python Windows installers include OpenSSL, which provides cryptographic services to Python. Please note that downloading or using cryptographic code may not be legal in your country of residence. It is your responsibility to make sure you meet all local import and use requirements for cryptographic code when downloading and using the Python Windows installers. OpenSSL Notice: This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com). This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/) """ |
|||
msg115066 - (view) | Author: Martin v. Löwis (loewis) * | Date: 2010-08-27 12:19 | |
>> Which specific clause of the license do you consider violated?
>
> * 3. All advertising materials mentioning features or use of this
> * software must display the following acknowledgment:
> * "This product includes software developed by the OpenSSL Project
> * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

I fail to see the violation, or how changing the download page could fix that. The download page is *not* "advertising material mentioning features or use of this software". In fact, the download page doesn't refer to SSL at all. Hence there is no obligation to mention OpenSSL on the download page.

> * 3. All advertising materials mentioning features or use of this software
> * must display the following acknowledgement:
> * "This product includes cryptographic software written by
> * Eric Young (eay@cryptsoft.com)"

Likewise.

> * 4. If you include any Windows specific code (or a derivative thereof) from
> * the apps directory (application code) you must include an acknowledgement:
> * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

This doesn't apply: we don't include any code (Windows specific or not) from the apps directory. |
|||
msg115067 - (view) | Author: Martin v. Löwis (loewis) * | Date: 2010-08-27 12:21 | |
> I'd suggest to add a paragraph like this to the release pages:

-1, unless the PSF lawyer advises that such a paragraph is indeed necessary. It may shy away users from using Python, which is clearly undesirable. |
|||
msg115078 - (view) | Author: Marc-Andre Lemburg (lemburg) * | Date: 2010-08-27 14:13 | |
Martin v. Löwis wrote:
>
> Martin v. Löwis <martin@v.loewis.de> added the comment:
>
>>> Which specific clause of the license do you consider violated?
>>
>> * 3. All advertising materials mentioning features or use of this
>> * software must display the following acknowledgment:
>> * "This product includes software developed by the OpenSSL Project
>> * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
>
> I fail to see the violation, or how changing the download page could
> fix that. The download page is *not* "advertising material mentioning
> features or use of this software". In fact, the download page doesn't
> refer to SSL at all. Hence there is no obligation to mention OpenSSL
> on the download page.
>
>> * 3. All advertising materials mentioning features or use of this software
>> * must display the following acknowledgement:
>> * "This product includes cryptographic software written by
>> * Eric Young (eay@cryptsoft.com)"
>
> Likewise.

The license only permits you to use and distribute OpenSSL under the conditions mentioned in the license. Since we are not following those old-style BSD license requirements (which are unfortunate), we are not allowed to use the software:

The python.org site is full of references to OpenSSL. Most prominently in the documentation of the ssl and hashlib modules, but also in the release notes/news and other files.

By contrast, the name "Eric Young" does not appear anywhere on the site (according to a Google search).

We can remedy this easily, by putting the notices on the download pages. Perhaps just putting them into the documentation is already good enough.

>> * 4. If you include any Windows specific code (or a derivative thereof) from
>> * the apps directory (application code) you must include an acknowledgement:
>> * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
>
> This doesn't apply: we don't include any code (Windows specific or not)
> from the apps directory.

Ok, so we don't have to add this part.

>> I'd suggest to add a paragraph like this to the release pages:
>
> -1, unless the PSF lawyer advises that such a paragraph is indeed
> necessary. It may shy away users from using Python, which is clearly
> undesirable.

So you'd rather have some users get in trouble for downloading and using crypto software, due to import laws or domestic laws restricting its use in their country ?

Deliberately hiding this information from the user, doesn't sound like a good approach to the problem.

However, I agree that this is a question to ask the PSF board. There's probably a better wording for such a text, but some kind of note of caution needs to go on the website. |
|||
msg115084 - (view) | Author: Martin v. Löwis (loewis) * | Date: 2010-08-27 14:39 | |
> Since we are not following those old-style BSD license requirements

You state that as if it was a fact, which it is not. We, indeed, fully comply with the license requirements.

> The python.org site is full of references to OpenSSL. Most
> prominently in the documentation of the ssl and hashlib modules,
> but also in the release notes/news and other files.

Sure, but this is not advertising material. It's technical documentation.

> So you'd rather have some users get in trouble for downloading
> and using crypto software, due to import laws or domestic laws
> restricting its use in their country ?

I don't believe that users actually will get into trouble for downloading Python. If they would, a notice is likely not to have any effect on that - if there is a real risk that users will get into trouble, most likely, they know before downloading what that trouble might be.

If you really wanted to post a notice telling people that doing illegal things may cause problems, for all the illegal things that you can do with Python, you'll end up with a long list. For example, Python can be used to break into other computer systems (as can any programming environment with a networking API) - should we now include a notice saying

"Python can be used to break into remote computers, using the network services of Python. Please note that breaking into other computers may not be legal in your country of residence. It is your responsibility to make sure you meet all local import and use requirements for networking code when downloading and using the Python Windows installers."

I hope you agree that would be silly. |
|||
msg115086 - (view) | Author: Marc-Andre Lemburg (lemburg) * | Date: 2010-08-27 15:05 | |
Martin v. Löwis wrote:
>
> Martin v. Löwis <martin@v.loewis.de> added the comment:
>
>> Since we are not following those old-style BSD license requirements
>
> You state that as if it was a fact, which it is not. We, indeed, fully
> comply with the license requirements.
>
>> The python.org site is full of references to OpenSSL. Most
>> prominently in the documentation of the ssl and hashlib modules,
>> but also in the release notes/news and other files.
>
> Sure, but this is not advertising material. It's technical documentation.

Ask a lawyer :-) There's a reason why you get around 688.000 hits when searching for "This product includes cryptographic software written by Eric Young" on Google. Now try that search against www.python.org... not a single hit.

>> So you'd rather have some users get in trouble for downloading
>> and using crypto software, due to import laws or domestic laws
>> restricting its use in their country ?
>
> I don't believe that users actually will get into trouble for
> downloading Python. If they would, a notice is likely not to have
> any effect on that - if there is a real risk that users will get
> into trouble, most likely, they know before downloading what
> that trouble might be.

Right now, they are downloading a file without knowing that they are in fact possibly importing crypto code. Even if they know that importing or using crypto code is illegal, they don't get the needed information from us to decide whether or not they want to proceed.

And they don't get a choice to download an installer without crypto code either. This latter point may actually be a good way to make them aware without scaring anyone away: put two installers up on the page, one with OpenSSL, the other without OpenSSL and then let the users decide which one they want.

> If you really wanted to post a notice telling people that doing illegal
> things may cause problems, for all the illegal things that you can
> do with Python, you'll end up with a long list. For example, Python
> can be used to break into other computer systems (as can any programming
> environment with a networking API) - should we now include a notice
> saying
>
> "Python can be used to break into remote computers, using the network
> services of Python. Please note that breaking into other computers
> may not be legal in your country of residence. It is your responsibility
> to make sure you meet all local import and use requirements for
> networking code when downloading and using the Python Windows installers."
>
> I hope you agree that would be silly.

Agreed, but that's not what I'm talking about :-) |
|||
msg115129 - (view) | Author: Terry J. Reedy (terry.reedy) * | Date: 2010-08-27 20:20 | |
This is really two issues: docs and Windows builds. As for docs:

Many of the module doc pages mention original authors and give urls for further info. The ssl page already says "This module uses the OpenSSL library." Rather than fuss over whether the doc constitutes 'advertising material' (and a lawyer certainly could claim it does), we can easily expand the above to

"This module includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/) and cryptographic software written by Eric Young (eay@cryptsoft.com)."

or whatever would be correct. This wording better meets the attribution requirement *and* is more informative to users.

The download page currently does not contain the word 'license', which I think is an omission that should be filled. I think it should include something like the following reasonably near the top:

"The History and License for each version is included with its document set. In layperson's terms, the license more or less says that you can use Python as you wish as long as you 1) do not claim ownership of the name or code, and 2) assume full legal and moral responsibility for the downloading and use of the code, including the cryptographic modules."

Builds: have there been multiple overt requests for no-crypto builds? Do any of the other build providers make such? I think this falls under "These re-packagings often include more libraries or are specialized for a particular application:" -- like being so unfortunate as to live in certain countries. |
|||
msg115130 - (view) | Author: Raymond Hettinger (rhettinger) * | Date: 2010-08-27 20:33 | |
FYI, there is a section of the docs devoted to notifications and attribution licenses: http://docs.python.org/license.html#licenses-and-acknowledgements-for-incorporated-software |
|||
msg115203 - (view) | Author: Marc-Andre Lemburg (lemburg) * | Date: 2010-08-30 08:30 | |
Terry J. Reedy wrote:
>
> Terry J. Reedy <tjreedy@udel.edu> added the comment:
>
> This is really two issues: docs and Windows builds. As for docs:
>
> Many of the module doc pages mention original authors and give urls for further info. The ssl page already says "This module uses the OpenSSL library." Rather than fuss over whether the doc constitutes 'advertising material' (and a lawyer certainly could claim it does), we can easily expand the above to
>
> "This module includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/) and cryptographic software written by Eric Young (eay@cryptsoft.com)."
>
> or whatever would be correct. This wording better meets the attribution requirement *and* is more informative to users.

+1

> The download page currently does not contain the word 'license', which I think is an omission that should be filled. I think it should include something like the following reasonably near the top:
>
> "The History and License for each version is included with its document set. In layperson's terms, the license more or less says that you can use Python as you wish as long as you 1) do not claim ownership of the name or code, and 2) assume full legal and moral responsibility for the downloading and use of the code, including the cryptographic modules."

Fine with me. The text should also link to the actual current license text: http://docs.python.org/license.html

BTW: I have a little trouble actually finding the license text on the python.org web-site. It is not mentioned on the download page, there's no mention of it in the downloads nav bar, nor in the documentation section of the site. Only the "about" section includes a mention of the license and the "foundation" section even mentions it in the nav bar (but that's not where people would look to find it).

What's worse: all links point to: http://www.python.org/psf/license/ and that page refers to the Python 2.6.2 license... I'll report this to the webmasters.

> Builds: have there been multiple overt requests for no-crypto builds? Do any of the other build providers make such? I think this falls under "These re-packagings often include more libraries or are specialized for a particular application:" -- like being so unfortunate as to live in certain countries.

Many other providers of software builds that include crypto software either make it obvious that the builds include crypto software in their licenses (by copying the OpenSSL license into the document) or on the download page (ticking a checkbox, in case there's an export issue). Some also put the crypto code into a separate download (e.g. Java and many Linux distros).

The idea with having a separate download without the crypto code was just to hint the user at a possible issue without scaring them away. If we can do the same without requiring a separate installer that would be even better. |
|||
msg115204 - (view) | Author: Marc-Andre Lemburg (lemburg) * | Date: 2010-08-30 08:32 | |
Raymond Hettinger wrote:
>
> Raymond Hettinger <rhettinger@users.sourceforge.net> added the comment:
>
> FYI, there is a section of the docs devoted to notifications and attribution licenses:
>
> http://docs.python.org/license.html#licenses-and-acknowledgements-for-incorporated-software

Good point. We should add the OpenSSL license to that section and mention that the code is included in the Windows installer we ship from python.org.

How does one go about getting that page updated ? Is that just a regular build of the Python documentation, so only a checkin is needed ? |
|||
msg116881 - (view) | Author: Éric Araujo (eric.araujo) * | Date: 2010-09-19 19:17 | |
Yes, everything under docs.python.org is generated from files from the Doc directory of a CPython checkout. s/.html/.rst/ and you have your filename. |
|||
msg116888 - (view) | Author: Georg Brandl (georg.brandl) * | Date: 2010-09-19 21:43 | |
Not quite everything (index.html and download.html are special, in that they're not generated from reST), but otherwise that is correct. |
|||
msg117047 - (view) | Author: Marc-Andre Lemburg (lemburg) * | Date: 2010-09-21 11:45 | |
Added OpenSSL license to Python 2.7, 3.1 and 3.2 in r84938, r84939, r84940 resp. Now we'll only need to add a mention of the fact that we ship OpenSSL in the Windows installers on the download page. Terry, would you like to move this forward with the Python.org webmasters ? |
|||
msg117085 - (view) | Author: Terry J. Reedy (terry.reedy) * | Date: 2010-09-21 17:20 | |
I sent an email. |
|||
msg236224 - (view) | Author: Mark Lawrence (BreamoreBoy) * | Date: 2015-02-19 16:24 | |
@Terry it does not look as if the download pages were ever updated so can you follow this up please? |
|||
msg236233 - (view) | Author: Terry J. Reedy (terry.reedy) * | Date: 2015-02-19 19:45 | |
No, this is really out of my ballpark. |
|||
msg236272 - (view) | Author: Berker Peksag (berker.peksag) * | Date: 2015-02-20 11:30 | |
> Terry, would you like to move this forward with the Python.org webmasters ?

This is now a content issue and can be handled on GitHub: https://github.com/python/pythondotorg/issues
History | |||
---|---|---|---|
Date | User | Action | Args |
2022-04-11 14:57:03 | admin | set | github: 53365 |
2015-02-20 11:30:43 | berker.peksag | set | status: open -> closed nosy: + berker.peksag messages: + msg236272 resolution: fixed stage: needs patch -> resolved |
2015-02-19 19:45:32 | terry.reedy | set | messages: + msg236233 versions: + Python 3.5, - Python 3.1, Python 3.2, Python 3.3 |
2015-02-19 16:24:20 | BreamoreBoy | set | nosy: + BreamoreBoy messages: + msg236224 |
2013-07-07 15:02:47 | christian.heimes | set | nosy: + christian.heimes versions: + Python 3.3, Python 3.4 |
2010-09-21 17:20:23 | terry.reedy | set | messages: + msg117085 |
2010-09-21 11:45:19 | lemburg | set | messages: + msg117047 |
2010-09-19 21:43:24 | georg.brandl | set | nosy: + georg.brandl messages: + msg116888 |
2010-09-19 19:17:22 | eric.araujo | set | messages: + msg116881 |
2010-08-30 08:32:20 | lemburg | set | messages: + msg115204 |
2010-08-30 08:30:31 | lemburg | set | messages: + msg115203 |
2010-08-27 20:33:03 | rhettinger | set | nosy: + rhettinger messages: + msg115130 |
2010-08-27 20:20:44 | terry.reedy | set | nosy: + terry.reedy messages: + msg115129 keywords: + patch stage: needs patch |
2010-08-27 15:05:58 | lemburg | set | messages: + msg115086 |
2010-08-27 14:39:27 | loewis | set | messages: + msg115084 title: Python download page needs to mention crypto code in Windows installer -> Python download page needs to mention crypto code in Windows installer |
2010-08-27 14:13:59 | lemburg | set | messages: + msg115078 title: Python download page needs to mention crypto code in Windows installer -> Python download page needs to mention crypto code in Windows installer |
2010-08-27 12:21:46 | loewis | set | messages: + msg115067 |
2010-08-27 12:19:49 | loewis | set | messages: + msg115066 title: Python download page needs to mention crypto code in Windows installer -> Python download page needs to mention crypto code in Windows installer |
2010-08-27 08:00:46 | lemburg | set | messages: + msg115057 title: Python download page needs to mention crypto code in Windows installer -> Python download page needs to mention crypto code in Windows installer |
2010-08-27 07:50:42 | lemburg | set | messages: + msg115056 title: Python download page needs to mention crypto code in Windows installer -> Python download page needs to mention crypto code in Windows installer |
2010-08-26 23:31:05 | eric.araujo | set | nosy: + eric.araujo versions: - Python 2.6, Python 3.3 |
2010-08-26 22:59:57 | loewis | set | nosy: + loewis messages: + msg115043 |
2010-06-29 18:41:36 | debatem1 | set | nosy: + debatem1 |
2010-06-29 18:38:37 | lemburg | set | messages: + msg108930 |
2010-06-29 18:37:37 | lemburg | create |