Message-ID: <50675D8C.5030701@mccme.ru>
Date: Sun, 30 Sep 2012 00:43:56 +0400
From: Alexander Cherepanov <cherepan@...me.ru>
To: john-dev@...ts.openwall.com
Subject: Re: unrar license is not compatible with gpl, it is not
 free at all

On 2012-09-29 16:47, magnum wrote:
>> On Sat, Sep 29, 2012 at 7:20 AM, Alexander Cherepanov <cherepan@...me.ru> wrote:
>>> I'm afraid you are. Although I'm not 100% sure -- I don't remember
>>> exactly how GPL is applied to source-only distribution and I don't know
>>> well enough which parts of john are under GPL, who their authors are and
>>> how they interact. Maybe license exception from Solar is enough but
>>> maybe not.
[skip]
> Is there a difference between just "GPL" and explicitly "GPL v2"? 

Not in this area.

> This is a list of files containing any reference to GPL:
> 
> $ git grep -l GPL
> BFEgg_fmt_plug.c
> alghmac.h
> gladman_fileenc.h
> gladman_hmac.c
> gladman_hmac.h
> gladman_pwd2key.c
> gladman_pwd2key.h

Gladman's files are dual-licensed and the main license seems to be
BSD-like (without advertising clause) so it should be ok without
converting to GPL.

> ike_fmt_plug.c
> keepass2john.c
> lowpbe.c
> lowpbe.h
> mozilla_des.c
> mozilla_des.h
> mozilla_fmt.c
> npdf_fmt_plug.c
> office2john.c
> pfx2john.c
> undrop.c
> vnc_fmt_plug.c
> vncpcap2john.cpp

There are more files:

$ git grep -l gpl
opencl/cryptsha256_kernel_AMD.cl
opencl/cryptsha256_kernel_DEFAULT.cl
opencl/cryptsha256_kernel_NVIDIA.cl
opencl/cryptsha512_kernel_AMD.cl
opencl/cryptsha512_kernel_DEFAULT.cl
opencl/cryptsha512_kernel_NVIDIA.cl
opencl/msha_kernel.cl
opencl/sha1_kernel.cl
opencl/sha512-ng_kernel.cl
opencl/sha512-ng_kernel_LOCAL.cl
opencl/ssha_kernel.cl
opencl_cryptsha256.h
opencl_cryptsha256_fmt.c
opencl_cryptsha512.h
opencl_cryptsha512_fmt.c
opencl_device_info.h
opencl_mysqlsha1_fmt.c
opencl_nsldaps_fmt.c
opencl_rawsha1_fmt.c
opencl_rawsha512-ng.h
opencl_rawsha512-ng_fmt.c

(not including unused/ ).

> Of those, only the last two (VNC) say "GPL v2". We could opt to drop/rewrite those instead of RAR (in case it's the "v2" that is a problem, but maybe that's not it).

It doesn't matter which version of GPL is used. It's a basic property of
copyleft that you cannot include anything non-free.

> After some thought I think it's very unlikely that just a source tree could possibly violate any license. So is the user violating a license when he/she builds JtR? Or is it only a violation when someone distributes a binary?

It seems to be a big grey area and the exact conclusion would
depend on details of how GPL'd parts are intermixed with other parts
etc. Here are some examples of SFLC/FSF's decisions for comparison:

- "PHP in WordPress themes must be GPL":

  http://wordpress.org/news/2009/07/themes-are-gpl-too/

IMO it's very similar to the situation with john's formats.

- "Patches are still derivative works":

  http://circlemud.org/maillist/2001-10/0058.html

This means that even moving rar support into a patch will not help
unless Solar adds a special exception to john's license.

Some consider the position of the FSF overreaching but given the non-freeness
of unrar I'm not sure I want to dig into it any deeper.

IMHO a realistic plan would be like this:
- for Solar Designer to give you an exception to combine his files with
unrar (this exception could be given to you personally instead of being
applicable to general public);
- create another git branch (say, unstable-jumbo-nonfree) from
unstable-jumbo and remove everything GPL'd from it except for Solar's
files (maybe even remove all formats except for rar);
- remove rar from unstable-jumbo;
- long-term: make free rar support based on The Unarchiver and drop the
non-free one.

In any case the text of GPLv2 should be included in the project.
Distributing john without it is not legal. The text is here:

  https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt

-- 
Alexander Cherepanov
