[issue9119] Python download page needs to mention crypto code in Windows installer
New submission from Marc-Andre Lemburg <mal@egenix.com>:

This needs to be done to protect our users (importing crypto code or using it may be illegal in their home country, see http://rechten.uvt.nl/koops/cryptolaw/ for a survey) and to satisfy an attribution requirement in the OpenSSL license and code base:

"""
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product includes software written by Tim Hudson (tjh@cryptsoft.com).
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)
"""

----------
assignee: docs@python
components: Build, Documentation
messages: 108929
nosy: docs@python, lemburg
priority: normal
severity: normal
status: open
title: Python download page needs to mention crypto code in Windows installer
versions: Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3

_______________________________________
Python tracker <report@bugs.python.org>
<http://bugs.python.org/issue9119>
_______________________________________
Marc-Andre Lemburg <mal@egenix.com> added the comment: See the OpenSSL license for details on the notice requirement: http://www.openssl.org/source/license.html
Changes by geremy condra <debatem1@gmail.com>: ---------- nosy: +debatem1
Martin v. Löwis <martin@v.loewis.de> added the comment: Which specific clause of the license do you consider violated? ---------- nosy: +loewis
Marc-Andre Lemburg <mal@egenix.com> added the comment: Martin v. Löwis wrote:
Martin v. Löwis <martin@v.loewis.de> added the comment:
Which specific clause of the license do you consider violated?
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).

* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

---------- title: Python download page needs to mention crypto code in Windows installer -> Python download page needs to mention crypto code in Windows installer
Martin v. Löwis <martin@v.loewis.de> added the comment:
Which specific clause of the license do you consider violated?
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
I fail to see the violation, or how changing the download page could fix that. The download page is *not* "advertising material mentioning features or use of this software". In fact, the download page doesn't refer to SSL at all. Hence there is no obligation to mention OpenSSL on the download page.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
Likewise.
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
This doesn't apply: we don't include any code (Windows specific or not) from the apps directory. ---------- title: Python download page needs to mention crypto code in Windows installer -> Python download page needs to mention crypto code in Windows installer
Marc-Andre Lemburg <mal@egenix.com> added the comment: Martin v. Löwis wrote:
Martin v. Löwis <martin@v.loewis.de> added the comment:
Which specific clause of the license do you consider violated?
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
I fail to see the violation, or how changing the download page could fix that. The download page is *not* "advertising material mentioning features or use of this software". In fact, the download page doesn't refer to SSL at all. Hence there is no obligation to mention OpenSSL on the download page.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
Likewise.
The license only permits you to use and distribute OpenSSL under the conditions mentioned in the license. Since we are not following those old-style BSD license requirements (which are unfortunate), we are not allowed to use the software:

The python.org site is full of references to OpenSSL. Most prominently in the documentation of the ssl and hashlib modules, but also in the release notes/news and other files.

By contrast, the name "Eric Young" does not appear anywhere on the site (according to a Google search).

We can remedy this easily, by putting the notices on the download pages. Perhaps just putting them into the documentation is already good enough.
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
This doesn't apply: we don't include any code (Windows specific or not) from the apps directory.
Ok, so we don't have to add this part.
I'd suggest to add a paragraph like this to the release pages:
-1, unless the PSF lawyer advises that such a paragraph is indeed necessary. It may shy away users from using Python, which is clearly undesirable.
So you'd rather have some users get in trouble for downloading and using crypto software, due to import laws or domestic laws restricting its use in their country ? Deliberately hiding this information from the user doesn't sound like a good approach to the problem.

However, I agree that this is a question to ask the PSF board. There's probably a better wording for such a text, but some kind of note of caution needs to go on the website.

---------- title: Python download page needs to mention crypto code in Windows installer -> Python download page needs to mention crypto code in Windows installer
Martin v. Löwis <martin@v.loewis.de> added the comment:
Since we are not following those old-style BSD license requirements
You state that as if it was a fact, which it is not. We, indeed, fully comply with the license requirements.
The python.org site is full of references to OpenSSL. Most prominently in the documentation of the ssl and hashlib modules, but also in the release notes/news and other files.
Sure, but this is not advertising material. It's technical documentation.
So you'd rather have some users get in trouble for downloading and using crypto software, due to import laws or domestic laws restricting its use in their country ?
I don't believe that users actually will get into troubles for downloading Python. If they would, a notice is likely not to have any effect on that - if there is a real risk that users will get into trouble, most likely, they know before downloading what that trouble might be.

If you really wanted to post a notice telling people that doing illegal things may cause problems, for all the illegal things that you can do with Python, you'll end up with a long list. For example, Python can be used to break into other computer systems (as can any programming environment with a networking API) - should we now include a notice saying

"Python can be used to break into remote computers, using the network services of Python. Please note that breaking into other computers may not be legal in your country of residence. It is your responsibility to make sure you meet all local import and use requirements for networking code when downloading and using the Python Windows installers."

I hope you agree that would be silly.

---------- title: Python download page needs to mention crypto code in Windows installer -> Python download page needs to mention crypto code in Windows installer
Marc-Andre Lemburg <mal@egenix.com> added the comment: Martin v. Löwis wrote:
Martin v. Löwis <martin@v.loewis.de> added the comment:
Since we are not following those old-style BSD license requirements
You state that as if it was a fact, which it is not. We, indeed, fully comply with the license requirements.
The python.org site is full of references to OpenSSL. Most prominently in the documentation of the ssl and hashlib modules, but also in the release notes/news and other files.
Sure, but this is not advertising material. It's technical documentation.
Ask a lawyer :-) There's a reason why you get around 688.000 hits when searching for "This product includes cryptographic software written by Eric Young" on Google. Now try that search against www.python.org... not a single hit.
So you'd rather have some users get in trouble for downloading and using crypto software, due to import laws or domestic laws restricting its use in their country ?
I don't believe that users actually will get into troubles for downloading Python. If they would, a notice is likely not to have any effect on that - if there is a real risk that users will get into trouble, most likely, they know before downloading what that trouble might be.
Right now, they are downloading a file without knowing that they are in fact possibly importing crypto code. Even if they know that importing or using crypto code is illegal, they don't get the needed information from us to decide whether or not they want to proceed. And they don't get a choice to download an installer without crypto code either. This latter point may actually be a good way to make them aware without scaring anyone away: put two installers up on the page, one with OpenSSL, the other without OpenSSL and then let the users decide which one they want.
If you really wanted to post a notice telling people that doing illegal things may cause problems, for all the illegal things that you can do with Python, you'll end up with a long list. For example, Python can be used to break into other computer systems (as can any programming environment with a networking API) - should we now include a notice saying
"Python can be used to break into remote computers, using the network services of Python. Please note that breaking into other computers may not be legal in your country of residence. It is your responsibility to make sure you meet all local import and use requirements for networking code when downloading and using the Python Windows installers."
I hope you agree that would be silly.
Agreed, but that's not what I'm talking about :-)
Marc-Andre Lemburg <mal@egenix.com> added the comment:

I'd suggest to add a paragraph like this to the release pages:

"""
The Python Windows installers include OpenSSL, which provides cryptographic services to Python. Please note that downloading or using cryptographic code may not be legal in your country of residence. It is your responsibility to make sure you meet all local import and use requirements for cryptographic code when downloading and using the Python Windows installers.

OpenSSL Notice: This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com). This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)
"""

---------- title: Python download page needs to mention crypto code in Windows installer -> Python download page needs to mention crypto code in Windows installer
Martin v. Löwis <martin@v.loewis.de> added the comment:
I'd suggest to add a paragraph like this to the release pages:
-1, unless the PSF lawyer advises that such a paragraph is indeed necessary. It may shy away users from using Python, which is clearly undesirable.
Changes by Éric Araujo <merwok@netwok.org>: ---------- nosy: +eric.araujo versions: -Python 2.6, Python 3.3
Terry J. Reedy <tjreedy@udel.edu> added the comment:

This is really two issues: docs and windows builds.

As for docs: Many of the module doc pages mention original authors and give urls for further info. The ssl page already says "This module uses the OpenSSL library." Rather than fuss over whether the doc constitutes 'advertising material' (and a lawyer certainly could claim it does), we can easily expand the above to

"This module includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/) and cryptographic software written by Eric Young (eay@cryptsoft.com)."

or whatever would be correct. This wording better meets the attribution requirement *and* is more informative to users.

The download page currently does not contain the word 'license', which I think is an omission that should be filled. I think it should include something like the following reasonably near the top:

"The History and License for each version is included with its document set. In layperson's terms, the license more or less says that you can use Python as you wish as long as you 1) do not claim ownership of the name or code, and 2) assume full legal and moral responsibility for the downloading and use of the code, including the cryptographic modules."

Builds: have there been multiple overt requests for no-crypto builds? Do any of the other build providers make such? I think this falls under "These re-packagings often include more libraries or are specialized for a particular application:" -- like being so unfortunate as to live in certain countries.

---------- keywords: +patch nosy: +terry.reedy stage: -> needs patch
Marc-Andre Lemburg <mal@egenix.com> added the comment: Terry J. Reedy wrote:
Terry J. Reedy <tjreedy@udel.edu> added the comment:
This is really two issues: docs and windows builds. As for docs:
Many of the module doc pages mention original authors and give urls for further info. The ssl page already says "This module uses the OpenSSL library." Rather than fuss over whether the doc constitutes 'advertising material' (and a lawyer certainly could claim it does), we can easily expand the above to
"This module includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/) and cryptographic software written by Eric Young (eay@cryptsoft.com)."
or whatever would be correct. This wording better meets the attribution requirement *and* is more informative to users.
+1
The download page currently does not contain the word 'license', which I think is an omission that should be filled. I think it should include something like the following reasonably near the top:
"The History and License for each version is included with its document set. In layperson's terms, the license more or less says that you can use Python as you wish as long as you 1) do not claim ownership of the name or code, and 2) assume full legal and moral responsibility for the downloading and use of the code, including the cryptographic modules."
Fine with me. The text should also link to actual current license text: http://docs.python.org/license.html

BTW: I have a little trouble actually finding the license text on the python.org web-site. It is not mentioned on the download page, there's no mention of it in the downloads nav bar, nor in the documentation section of the site. Only the "about" section includes a mention of the license and the "foundation" section even mentions it in the nav bar (but that's not where people would look to find it).

What's worse: all links point to: http://www.python.org/psf/license/ and that page refers to the Python 2.6.2 license... I'll report this to the webmasters.
Builds: have there been multiple overt requests for no-crypto builds? Do any of the other build providers make such? I think this falls under "These re-packagings often include more libraries or are specialized for a particular application:" -- like being so unfortunate as to live in certain countries.
Many other providers of software builds that include crypto software either make it obvious that the builds include crypto software in their licenses (by copying the OpenSSL license into the document) or on the download page (ticking a checkbox, in case there's an export issue). Some also put the crypto code into a separate download (e.g. Java and many Linux distros). The idea with having a separate download without the crypto code was just to hint the user at a possible issue without scaring them away. If we can do the same without requiring a separate installer that would be even better.
Raymond Hettinger <rhettinger@users.sourceforge.net> added the comment: FYI, there is a section of the docs devoted to notifications and attribution licenses: http://docs.python.org/license.html#licenses-and-acknowledgements-for-incorp... ---------- nosy: +rhettinger
Marc-Andre Lemburg <mal@egenix.com> added the comment: Raymond Hettinger wrote:
Raymond Hettinger <rhettinger@users.sourceforge.net> added the comment:
FYI, there is a section of the docs devoted to notifications and attribution licenses:
http://docs.python.org/license.html#licenses-and-acknowledgements-for-incorp...
Good point. We should add the OpenSSL license to that section and mention that the code is included in the Windows installer we ship from python.org. How does one go about getting that page updated ? Is that just a regular build of the Python documentation, so only a checkin is needed ?
Éric Araujo <merwok@netwok.org> added the comment: Yes, everything under docs.python.org is generated from files from the Doc directory of a CPython checkout. s/.html/.rst/ and you have your filename.
Georg Brandl <georg@python.org> added the comment: Not quite everything (index.html and download.html are special, in that they're not generated from reST), but otherwise that is correct. ---------- nosy: +georg.brandl
Marc-Andre Lemburg <mal@egenix.com> added the comment: Added OpenSSL license to Python 2.7, 3.1 and 3.2 in r84938, r84939, r84940 resp. Now we'll only need to add a mention of the fact that we ship OpenSSL in the Windows installers on the download page. Terry, would you like to move this forward with the Python.org webmasters ?
Terry J. Reedy <tjreedy@udel.edu> added the comment: I sent an email.
Changes by Christian Heimes <lists@cheimes.de>: ---------- nosy: +christian.heimes versions: +Python 3.3, Python 3.4
Mark Lawrence added the comment: @Terry it does not look as if the download pages were ever updated so can you follow this up please? ---------- nosy: +BreamoreBoy
Terry J. Reedy added the comment: No, this is really out of my ballpark. ---------- versions: +Python 3.5 -Python 3.1, Python 3.2, Python 3.3
Berker Peksag added the comment:
Terry, would you like to move this forward with the Python.org webmasters ?
This is now a content issue and can be handled on GitHub: https://github.com/python/pythondotorg/issues ---------- nosy: +berker.peksag resolution: -> fixed stage: needs patch -> resolved status: open -> closed
participants (10)
- Berker Peksag
- Christian Heimes
- Georg Brandl
- geremy condra
- Marc-Andre Lemburg
- Mark Lawrence
- Martin v. Löwis
- Raymond Hettinger
- Terry J. Reedy
- Éric Araujo