[issue9119] Python download page needs to mention crypto code in Windows installer
New submission from Marc-Andre Lemburg
Marc-Andre Lemburg
Changes by geremy condra
Martin v. Löwis
Changes by Éric Araujo
Marc-Andre Lemburg
Martin v. Löwis
added the comment: Which specific clause of the license do you consider violated?
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
----------
title: Python download page needs to mention crypto code in Windows installer -> Python download page needs to mention crypto code in Windows installer
_______________________________________
Python tracker
Marc-Andre Lemburg
Martin v. Löwis
Which specific clause of the license do you consider violated?
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
I fail to see the violation, or how changing the download page could fix that. The download page is *not* "advertising material mentioning features or use of this software". In fact, the download page doesn't refer to SSL at all. Hence there is no obligation to mention OpenSSL on the download page.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
Likewise.
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
This doesn't apply: we don't include any code (Windows specific or not)
from the apps directory.
----------
Martin v. Löwis
I'd suggest to add a paragraph like this to the release pages:
-1, unless the PSF lawyer advises that such a paragraph is indeed
necessary. It may shy away users from using Python, which is clearly
undesirable.
----------
Marc-Andre Lemburg
Martin v. Löwis
added the comment: Which specific clause of the license do you consider violated?
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
I fail to see the violation, or how changing the download page could fix that. The download page is *not* "advertising material mentioning features or use of this software". In fact, the download page doesn't refer to SSL at all. Hence there is no obligation to mention OpenSSL on the download page.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
Likewise.
The license only permits you to use and distribute OpenSSL under the conditions mentioned in the license. Since we are not following those old-style BSD license requirements (which are unfortunate), we are not allowed to use the software: The python.org site is full of references to OpenSSL. Most prominently in the documentation of the ssl and hashlib modules, but also in the release notes/news and other files. By contrast, the name "Eric Young" does not appear anywhere on the site (according to a Google search). We can remedy this easily, by putting the notices on the download pages. Perhaps just putting them into the documentation is already good enough.
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
This doesn't apply: we don't include any code (Windows specific or not) from the apps directory.
Ok, so we don't have to add this part.
I'd suggest to add a paragraph like this to the release pages:
-1, unless the PSF lawyer advises that such a paragraph is indeed necessary. It may shy away users from using Python, which is clearly undesirable.
So you'd rather have some users get in trouble for downloading
and using crypto software, due to import laws or domestic laws
restricting its use in their country?
Deliberately hiding this information from the user doesn't
sound like a good approach to the problem. However, I agree
that this is a question to ask the PSF board.
There's probably a better wording for such a text, but some kind of
note of caution needs to go on the website.
----------
Martin v. Löwis
Since we are not following those old-style BSD license requirements
You state that as if it was a fact, which it is not. We, indeed, fully comply with the license requirements.
The python.org site is full of references to OpenSSL. Most prominently in the documentation of the ssl and hashlib modules, but also in the release notes/news and other files.
Sure, but this is not advertising material. It's technical documentation.
So you'd rather have some users get in trouble for downloading and using crypto software, due to import laws or domestic laws restricting its use in their country?
I don't believe that users actually will get into troubles for
downloading Python. If they would, a notice is likely not to have
any effect on that - if there is a real risk that users will get
into trouble, most likely, they know before downloading what
that trouble might be.
If you really wanted to post a notice telling people that doing illegal
things may cause problems, for all the illegal things that you can
do with Python, you'll end up with a long list. For example, Python
can be used to break into other computer systems (as can any programming
environment with a networking API) - should we now include a notice
saying
"Python can be used to break into remote computers, using the network
services of Python. Please note that breaking into other computers
may not be legal in your country of residence. It is your responsibility
to make sure you meet all local import and use requirements for
networking code when downloading and using the Python Windows installers."
I hope you agree that would be silly.
----------
Marc-Andre Lemburg
Martin v. Löwis
added the comment: Since we are not following those old-style BSD license requirements
You state that as if it was a fact, which it is not. We, indeed, fully comply with the license requirements.
The python.org site is full of references to OpenSSL. Most prominently in the documentation of the ssl and hashlib modules, but also in the release notes/news and other files.
Sure, but this is not advertising material. It's technical documentation.
Ask a lawyer :-) There's a reason why you get around 688.000 hits when searching for "This product includes cryptographic software written by Eric Young" on Google. Now try that search against www.python.org... not a single hit.
So you'd rather have some users get in trouble for downloading and using crypto software, due to import laws or domestic laws restricting its use in their country?
I don't believe that users actually will get into troubles for downloading Python. If they would, a notice is likely not to have any effect on that - if there is a real risk that users will get into trouble, most likely, they know before downloading what that trouble might be.
Right now, they are downloading a file without knowing that they are in fact possibly importing crypto code. Even if they know that importing or using crypto code is illegal, they don't get the needed information from us to decide whether or not they want to proceed. And they don't get a choice to download an installer without crypto code either. This latter point may actually be a good way to make them aware without scaring anyone away: put two installers up on the page, one with OpenSSL, the other without OpenSSL and then let the users decide which one they want.
If you really wanted to post a notice telling people that doing illegal things may cause problems, for all the illegal things that you can do with Python, you'll end up with a long list. For example, Python can be used to break into other computer systems (as can any programming environment with a networking API) - should we now include a notice saying
"Python can be used to break into remote computers, using the network services of Python. Please note that breaking into other computers may not be legal in your country of residence. It is your responsibility to make sure you meet all local import and use requirements for networking code when downloading and using the Python Windows installers."
I hope you agree that would be silly.
Agreed, but that's not what I'm talking about :-)
----------
Terry J. Reedy
Raymond Hettinger
Marc-Andre Lemburg
Terry J. Reedy
added the comment: This is really two issues: docs and Windows builds. As for docs:
Many of the module doc pages mention original authors and give urls for further info. The ssl page already says "This module uses the OpenSSL library." Rather than fuss over whether the doc constitutes 'advertising material' (and a lawyer certainly could claim it does), we can easily expand the above to
"This module includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/) and cryptographic software written by Eric Young (eay@cryptsoft.com)."
or whatever would be correct. This wording better meets the attribution requirement *and* is more informative to users.
+1
The download page currently does not contain the word 'license', which I think is an omission that should be filled. I think it should include something like the following reasonably near the top:
"The History and License for each version is included with its document set. In layperson's terms, the license more or less says that you can use Python as you wish as long as you 1) do not claim ownership of the name or code, and 2) assume full legal and moral responsibility for the downloading and use of the code, including the cryptographic modules."
Fine with me. The text should also link to actual current license text: http://docs.python.org/license.html
BTW: I have a little trouble actually finding the license text on the python.org web-site. It is not mentioned on the download page, there's no mention of it in the downloads nav bar, nor in the documentation section of the site. Only the "about" section includes a mention of the license and the "foundation" section even mentions it in the nav bar (but that's not where people would look to find it).
What's worse: all links point to: http://www.python.org/psf/license/ and that page refers to the Python 2.6.2 license... I'll report this to the webmasters.
Builds: have there been multiple overt requests for no-crypto builds? Do any of the other build providers make such? I think this falls under "These re-packagings often include more libraries or are specialized for a particular application:" -- like being so unfortunate as to live in certain countries.
Many other providers of software builds that include crypto software
either make it obvious that the builds include crypto software in their
licenses (by copying the OpenSSL license into the document) or
on the download page (ticking a checkbox, in case there's an export
issue). Some also put the crypto code into a separate download
(e.g. Java and many Linux distros).
The idea with having a separate download without the crypto code
was just to hint the user at a possible issue without scaring
them away. If we can do the same without requiring a separate
installer that would be even better.
----------
Marc-Andre Lemburg
Raymond Hettinger
added the comment: FYI, there is a section of the docs devoted to notifications and attribution licenses:
http://docs.python.org/license.html#licenses-and-acknowledgements-for-incorp...
Good point. We should add the OpenSSL license to that section
and mention that the code is included in the Windows installer
we ship from python.org.
How does one go about getting that page updated? Is that just a regular
build of the Python documentation, so only a checkin is needed?
----------
Éric Araujo
Georg Brandl
Marc-Andre Lemburg
Terry J. Reedy
Changes by Christian Heimes
Mark Lawrence added the comment:
@Terry it does not look as if the download pages were ever updated so can you follow this up please?
----------
nosy: +BreamoreBoy
Terry J. Reedy added the comment:
No, this is really out of my ballpark.
----------
versions: +Python 3.5 -Python 3.1, Python 3.2, Python 3.3
Berker Peksag added the comment:
Terry, would you like to move this forward with the Python.org webmasters?
This is now a content issue and can be handled on GitHub: https://github.com/python/pythondotorg/issues
----------
nosy: +berker.peksag
resolution: -> fixed
stage: needs patch -> resolved
status: open -> closed
participants (10)
- Berker Peksag
- Christian Heimes
- Georg Brandl
- geremy condra
- Marc-Andre Lemburg
- Mark Lawrence
- Martin v. Löwis
- Raymond Hettinger
- Terry J. Reedy
- Éric Araujo