JtR add-on licenses

David Paleino d.paleino at gmail.com
Sun Jan 18 17:03:07 UTC 2009

On Sun, 18 Jan 2009 19:42:23 +0300, Solar Designer wrote:

> Hi David,

Hi Alex,
(I read the list, no need to CC ;-))

> Thank you for trying to get the many JtR contributors to license their
> code properly.  I neglected to do it so far, for a variety of reasons,
> and indeed I did not include that code into the official JtR.

Yes, I could imagine the reason.
However, I was planning the release of in Debian and... luckily I marked
my debian/copyright with big TODO marks, we avoided a sure REJECT ;)

> As you work on this, you could want to be aware of my licensing
> requirements to consider a piece of code for inclusion into JtR.  In
> short, not every free software license will do.  I'd need to be able to
> include the code into the free JtR, which is currently under GPLv2, but
> I also want to retain the freedom to re-license JtR (or a derivative
> work) differently (which I now have, being the copyright holder).
> I currently exercise this freedom for JtR Pro, which is under a non-free
> license - http://www.openwall.com/john/pro/doc/LICENSE


> The possibilities for contributed code, to be considered for inclusion,
> appear to be:
> - public domain statement (in this case, the author should be mentioned,
> but no copyright statement may be included; in fact, a copyright
> disclaimer may be included along with the "placed in the public domain"
> statement);

Well, copyright statement is just saying "Hey, I did it, I have my rights
on it and can exercise those" -- but right after you release it in the "public

I don't consider files with missing statements as PD -- they're "All rights
reserved" in most countries.

> - a relaxed license compatible with GNU GPL v2+, but also allowing for
> proprietary derivative works - e.g., the license I use for popa3d or
> Matthew Kwan's micro-license found in nonstd.c in JtR;

Yes -- I considered those free already (snippet from current debian/copyright):

Files: src/nonstd.c
Copyright: © 1998, Matthew Kwan
License: other
==> nonstd.c <==
  * Generated S-box files.
  * This software may be modified, redistributed, and used for any purpose,
  * so long as its origin is acknowledged.
  * Produced by Matthew Kwan - May 1998
==> sboxes.c <==
  * Generated S-box files.
  * This software may be modified, redistributed, and used for any purpose,
  * so long as its origin is acknowledged.
  * Produced by Matthew Kwan - March 1998

> - dual-license: "GNU GPL v2 or later"

This is because JtR is itself under GPL-2+, I suppose.

> or a specific permissive license allowing for proprietary derivative works at
> the user's discretion;


> - copyright transferred to me (uncommon).


> I am not happy about common choices for a "permissive license allowing
> for proprietary derivative works", such as BSD, as those tend to have
> specific requirements for attribution, which could make e.g. the license
> for JtR Pro look complicated.  If BSD is inevitable, then shorter forms
> of it are preferred (2-clause).

As you might have seen, the mails I sent generally lacked any statement. So,
let the authors decide the license they want -- if they choose BSD, I'll push
them towards BSD-2, if they choose a JtR-incompatible (yet free) license, I'll
warn them about the patches not being included upstream, and so forth.

> I previously touched on this issue in the following posting:
> 	http://www.openwall.com/lists/john-users/2007/03/19/4

Regarding the OpenSSL issue, you might want to read a mail I sent some time
before to solve a similar issue:


As far as I understand your requirements though, and the OpenSSL license [0],
probably point 3 is failing your "must not have specific requirements for
attribution" wish. Correct me if I'm wrong (I'm not a lawyer, after all).

[0] http://www.openssl.org/source/license.html

Thank you for your mail. I'll point to it in further mails to add-on authors :-)


 . ''`.  Debian maintainer | http://wiki.debian.org/DavidPaleino
 : :'  : Linuxer #334216 --|-- http://www.hanskalabs.net/
 `. `'`  GPG: 1392B174 ----|---- http://snipr.com/qa_page
   `-   2BAB C625 4E66 E7B8 450A C3E1 E6AA 9017 1392 B174
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-john-devel/attachments/20090118/3764fb0a/attachment-0001.pgp 

More information about the Pkg-john-devel mailing list