[issue9119] Python download page needs to mention crypto code in Windows installer

[Marc-Andre Lemburg]

New submission from Marc-Andre Lemburg :

This needs to be done to protect our users (importing crypto code or using it 
may be illegal in their home country, see 
http://rechten.uvt.nl/koops/cryptolaw/ for a survey) and to satisfy an 
attribution requirement in the OpenSSL license and code base:

"""
This product includes cryptographic software written by Eric Young 
(e...@cryptsoft.com). This product includes software written by Tim Hudson 
(t...@cryptsoft.com). This product includes software developed by the OpenSSL 
Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)
"""

--
assignee: d...@python
components: Build, Documentation
messages: 108929
nosy: d...@python, lemburg
priority: normal
severity: normal
status: open
title: Python download page needs to mention crypto code in Windows installer
versions: Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue9119] Python download page needs to mention crypto code in Windows installer

[Marc-Andre Lemburg]

Marc-Andre Lemburg  added the comment:

See the OpenSSL license for details on the notice requirement:

http://www.openssl.org/source/license.html

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue9119] Python download page needs to mention crypto code in Windows installer

[geremy condra]

Changes by geremy condra :


--
nosy: +debatem1

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue9119] Python download page needs to mention crypto code in Windows installer

[Martin v . Löwis]

Martin v. Löwis  added the comment:

Which specific clause of the license do you consider violated?

--
nosy: +loewis

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue9119] Python download page needs to mention crypto code in Windows installer

[Éric Araujo]

Changes by Éric Araujo :


--
nosy: +eric.araujo
versions:  -Python 2.6, Python 3.3

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue9119] Python download page needs to mention crypto code in Windows installer

[Marc-Andre Lemburg]

Marc-Andre Lemburg  added the comment:

Martin v. Löwis wrote:
> 
> Martin v. Löwis  added the comment:
> 
> Which specific clause of the license do you consider violated?

 * 3. All advertising materials mentioning features or use of this
 *software must display the following acknowledgment:
 *"This product includes software developed by the OpenSSL Project
 *for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

 * 3. All advertising materials mentioning features or use of this software
 *must display the following acknowledgement:
 *"This product includes cryptographic software written by
 * Eric Young (e...@cryptsoft.com)"
 *The word 'cryptographic' can be left out if the rouines from the library
 *being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from
 *the apps directory (application code) you must include an acknowledgement:
 *"This product includes software written by Tim Hudson 
(t...@cryptsoft.com)"

--
title: Python download page needs to mention crypto code in Windows installer 
-> Python download page needs to mention crypto code in   Windows installer

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue9119] Python download page needs to mention crypto code in Windows installer

[Marc-Andre Lemburg]

Marc-Andre Lemburg  added the comment:

I'd suggest to add a paragraph like this to the release pages:

"""
The Python Windows installers include OpenSSL, which provides cryptographic
services to Python. Please note that downloading or using cryptographic
code may not be legal in your country of residence. It is your responsibility
to make sure you meet all local import and use requirements for cryptographic
code when downloading and using the Python Windows installers.

OpenSSL Notice: This product includes cryptographic software written by Eric 
Young
(e...@cryptsoft.com). This product includes software written by Tim Hudson 
(t...@cryptsoft.com). This
product includes software developed by the OpenSSL Project for use in the 
OpenSSL Toolkit.
(http://www.openssl.org/)
"""

--
title: Python download page needs to mention crypto code in Windows 
installer -> Python download page needs to mention crypto code in Windows 
installer

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue9119] Python download page needs to mention crypto code in Windows installer

[Martin v . Löwis]

Martin v. Löwis  added the comment:

>> Which specific clause of the license do you consider violated?
> 
>  * 3. All advertising materials mentioning features or use of this
>  *software must display the following acknowledgment:
>  *"This product includes software developed by the OpenSSL Project
>  *for use in the OpenSSL Toolkit. (http://www.openssl.org/)"

I fail to see the violation, or how changing the download page could
fix that. The download page is *not* "advertising material mentioning
features or use of this software". In fact, the download page doesn't
refer to SSL at all. Hence there is no obligation to mention OpenSSL
on the download page.

>  * 3. All advertising materials mentioning features or use of this software
>  *must display the following acknowledgement:
>  *"This product includes cryptographic software written by
>  * Eric Young (e...@cryptsoft.com)"

Likewise.

>  * 4. If you include any Windows specific code (or a derivative thereof) from
>  *the apps directory (application code) you must include an 
> acknowledgement:
>  *"This product includes software written by Tim Hudson 
> (t...@cryptsoft.com)"

This doesn't apply: we don't include any code (Windows specific or not)
from the apps directory.

--
title: Python download page needs to mention crypto code in Windows installer 
-> Python download page needs to mention crypto code in   Windows installer

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue9119] Python download page needs to mention crypto code in Windows installer

[Martin v . Löwis]

Martin v. Löwis  added the comment:

> I'd suggest to add a paragraph like this to the release pages:

-1, unless the PSF lawyer advises that such a paragraph is indeed
necessary. It may shy away users from using Python, which is clearly
undesirable.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue9119] Python download page needs to mention crypto code in Windows installer

[Marc-Andre Lemburg]

Marc-Andre Lemburg  added the comment:

Martin v. Löwis wrote:
> 
> Martin v. Löwis  added the comment:
> 
>>> Which specific clause of the license do you consider violated?
>>
>>  * 3. All advertising materials mentioning features or use of this
>>  *software must display the following acknowledgment:
>>  *"This product includes software developed by the OpenSSL Project
>>  *for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
> 
> I fail to see the violation, or how changing the download page could
> fix that. The download page is *not* "advertising material mentioning
> features or use of this software". In fact, the download page doesn't
> refer to SSL at all. Hence there is no obligation to mention OpenSSL
> on the download page.
> 
>>  * 3. All advertising materials mentioning features or use of this software
>>  *must display the following acknowledgement:
>>  *"This product includes cryptographic software written by
>>  * Eric Young (e...@cryptsoft.com)"
> 
> Likewise.

The license only permits you to use and distribute OpenSSL under
the conditions mentioned in the license.

Since we are not following those old-style BSD license requirements
(which are unfortunate), we are not allowed to use the software:

The python.org site is full of references to OpenSSL. Most
prominently in the documentation of the ssl and hashlib modules,
but also in the release notes/news and other files.
By contrast, the name "Eric Young" does not appear anywhere
on the site (according to a Google search).

We can remedy this easily, but putting the notices on the download
pages. Perhaps just putting them into the documentation is already
good enough.

>>  * 4. If you include any Windows specific code (or a derivative thereof) from
>>  *the apps directory (application code) you must include an 
>> acknowledgement:
>>  *"This product includes software written by Tim Hudson 
>> (t...@cryptsoft.com)"
> 
> This doesn't apply: we don't include any code (Windows specific or not)
> from the apps directory.

Ok, so we don't have to add this part.

>> I'd suggest to add a paragraph like this to the release pages:
>
> -1, unless the PSF lawyer advises that such a paragraph is indeed
> necessary. It may shy away users from using Python, which is clearly
> undesirable.

So you'd rather have some users get in trouble for downloading
and using crypto software, due import laws or domestic laws
restricting its use in their country ?

Deliberately hiding this information from the user, doesn't
sound like a good approach to the problem. However, I agree
that this is a question to ask the PSF board.

There's probably a better wording for such a text, but some kind of
note of caution needs to go on the website.

--
title: Python download page needs to mention crypto code in Windows 
installer -> Python download page needs to mention crypto code in Windows 
installer

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue9119] Python download page needs to mention crypto code in Windows installer

[Martin v . Löwis]

Martin v. Löwis  added the comment:

> Since we are not following those old-style BSD license requirements

You state that is if it was a fact, which is it not. We, indeed, fully
comply with the license requirements.

> The python.org site is full of references to OpenSSL. Most
> prominently in the documentation of the ssl and hashlib modules,
> but also in the release notes/news and other files.

Sure, but this is not advertising material. It's technical documentation.

> So you'd rather have some users get in trouble for downloading
> and using crypto software, due import laws or domestic laws
> restricting its use in their country ?

I don't believe that users actually will get into troubles for
downloading Python. If they would, a notice is likely not to have
any effect on that - if there is a real risk that users will get
into trouble, most likely, they know before downloading what
that trouble might be.

If you really wanted to post a notice telling people that doing illegal
things may cause problems, for all the illegal things that you can
do with Python, you'll end up with a long list. For example, Python
can be used to break into other computer systems (as can any programming
environment with a networking API) - should we now include a notice
saying

"Python can be used to break into remote computers, using the network
services of Python. Please note that breaking into other computers
may not be legal in your country of residence. It is your responsibility
to make sure you meet all local import and use requirements for
networking code when downloading and using the Python Windows installers."

I hope you agree that would be silly.

--
title: Python download page needs to mention crypto code in Windows installer 
-> Python download page needs to mention crypto code in   Windows installer

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue9119] Python download page needs to mention crypto code in Windows installer

[Marc-Andre Lemburg]

Marc-Andre Lemburg  added the comment:

Martin v. Löwis wrote:
> 
> Martin v. Löwis  added the comment:
> 
>> Since we are not following those old-style BSD license requirements
> 
> You state that is if it was a fact, which is it not. We, indeed, fully
> comply with the license requirements.
>
>> The python.org site is full of references to OpenSSL. Most
>> prominently in the documentation of the ssl and hashlib modules,
>> but also in the release notes/news and other files.
> 
> Sure, but this is not advertising material. It's technical documentation.

Ask a lawyer :-)

There's a reason why you get around 688.000 hits when searching for
"This product includes cryptographic software written by Eric Young"
on Google.

Now try that search against www.python.org... not a single hit.

>> So you'd rather have some users get in trouble for downloading
>> and using crypto software, due import laws or domestic laws
>> restricting its use in their country ?
> 
> I don't believe that users actually will get into troubles for
> downloading Python. If they would, a notice is likely not to have
> any effect on that - if there is a real risk that users will get
> into trouble, most likely, they know before downloading what
> that trouble might be.

Right now, they are downloading a file without knowing that
they are in fact possibly importing crypto code. Even if they
know that importing or using crypto code is illegal, they
don't get the needed information from us to decide whether
or not they want to proceed.

And they don't get a choice to download an installer without
crypto code either.

This latter point may actually be a good way
to make them aware without scaring anyone away: put two installers
up on the page, one with OpenSSL, the other without OpenSSL and
then let the users decide which one they want.

> If you really wanted to post a notice telling people that doing illegal
> things may cause problems, for all the illegal things that you can
> do with Python, you'll end up with a long list. For example, Python
> can be used to break into other computer systems (as can any programming
> environment with a networking API) - should we now include a notice
> saying
> 
> "Python can be used to break into remote computers, using the network
> services of Python. Please note that breaking into other computers
> may not be legal in your country of residence. It is your responsibility
> to make sure you meet all local import and use requirements for
> networking code when downloading and using the Python Windows installers."
> 
> I hope you agree that would be silly.

Agreed, but that's not what I'm talking about :-)

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue9119] Python download page needs to mention crypto code in Windows installer

[Terry J. Reedy]

Terry J. Reedy  added the comment:

This is really two issues: docs and windows builds. As for docs:

Many of the module doc pages mention original authors and give urls for further 
info. The ssl page already says " This module uses the OpenSSL library." Rather 
than fuss over whether the doc constitutes 'advertising material' (and a lawyer 
certain could claim it does), we can easily expand the above to

"This module includes software developed by the OpenSSL Project for use in the 
OpenSSL Toolkit (http://www.openssl.org/) and cryptographic software written by 
Eric Young (e...@cryptsoft.com)."

or whatever would be correct. This wording better meets the attribution 
requirement *and* is more informative to users.

The download page currently does not contain the word 'license', which I think 
is an omission that should be filled. I think it should include something like 
the following reasonably near the top:

"The History and License for each version is included with its document set. In 
layperson's terms, the license more or less says that you can use Python as you 
wish as long as you 1) do not claim ownership of the name or code, and 2) 
assume full legal and moral responsibility for the downloading and use of the 
code, including the cryptographic modules." 

Builds: have there been multiple overt requests for no-crypto builds? Do any of 
the other build providers make such? I think this falls under "These 
re-packagings often include more libraries or are specialized for a particular 
application:" -- like being so unfortunate as to live in certain countries.

--
keywords: +patch
nosy: +terry.reedy
stage:  -> needs patch

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue9119] Python download page needs to mention crypto code in Windows installer

[Raymond Hettinger]

Raymond Hettinger  added the comment:

FYI, there is a section of the docs devoted to notifications and attribution 
licenses:

http://docs.python.org/license.html#licenses-and-acknowledgements-for-incorporated-software

--
nosy: +rhettinger

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue9119] Python download page needs to mention crypto code in Windows installer

[Marc-Andre Lemburg]

Marc-Andre Lemburg  added the comment:

Terry J. Reedy wrote:
> 
> Terry J. Reedy  added the comment:
> 
> This is really two issues: docs and windows builds. As for docs:
> 
> Many of the module doc pages mention original authors and give urls for 
> further info. The ssl page already says " This module uses the OpenSSL 
> library." Rather than fuss over whether the doc constitutes 'advertising 
> material' (and a lawyer certain could claim it does), we can easily expand 
> the above to
> 
> "This module includes software developed by the OpenSSL Project for use in 
> the OpenSSL Toolkit (http://www.openssl.org/) and cryptographic software 
> written by Eric Young (e...@cryptsoft.com)."
> 
> or whatever would be correct. This wording better meets the attribution 
> requirement *and* is more informative to users.

+1

> The download page currently does not contain the word 'license', which I 
> think is an omission that should be filled. I think it should include 
> something like the following reasonably near the top:
> 
> "The History and License for each version is included with its document set. 
> In layperson's terms, the license more or less says that you can use Python 
> as you wish as long as you 1) do not claim ownership of the name or code, and 
> 2) assume full legal and moral responsibility for the downloading and use of 
> the code, including the cryptographic modules." 

Fine with me. The text should also link to actual current license text:

http://docs.python.org/license.html

BTW: I have a little trouble actually finding the license text on
the python.org web-site. It is not mentioned on the download page,
there's not mention of it in the downloads nav bar, nor in the documentation
section of the site.

Only the "about" section includes a mention of the
license and the "foundation" section even mentions it in the nav bar
(but that's not where people would look to find it). What's worse:
all links point to:

http://www.python.org/psf/license/

and that page refers to the Python 2.6.2 license...

I'll report this to the webmasters.

> Builds: have there been multiple overt requests for no-crypto builds? Do any 
> of the other build providers make such? I think this falls under "These 
> re-packagings often include more libraries or are specialized for a 
> particular application:" -- like being so unfortunate as to live in certain 
> countries.

Many other providers of software builds that include crypto software
either make it obvious that the builds include crypto software in their
licenses (by copying the OpenSSL license into the document) or
on the download page (ticking a checkbox, in case there's an export
issue). Some also put the crypto code into a separate download
(e.g. Java and many Linux distros).

The idea with having a separate download without the crypto code
was just to hint the user at a possible issue without scaring
them away. If we can do the same without requiring a separate
installer that would be even better.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue9119] Python download page needs to mention crypto code in Windows installer

[Marc-Andre Lemburg]

Marc-Andre Lemburg  added the comment:

Raymond Hettinger wrote:
> 
> Raymond Hettinger  added the comment:
> 
> FYI, there is a section of the docs devoted to notifications and attribution 
> licenses:
> 
> http://docs.python.org/license.html#licenses-and-acknowledgements-for-incorporated-software

Good point. We should add the OpenSSL license to that section
and mention that the code is included in the Windows installer
we ship from python.org.

How does one go about getting that page updated ? Is that just a regular
build of the Python documentation, so only a checkin is needed ?

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue9119] Python download page needs to mention crypto code in Windows installer

[Éric Araujo]

Éric Araujo  added the comment:

Yes, everything under docs.python.org is generated from files from the Doc 
directory of a CPython checkout.  s/.html/.rst/ and you have your filename.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue9119] Python download page needs to mention crypto code in Windows installer

[Georg Brandl]

Georg Brandl  added the comment:

Not quite everything (index.html and download.html are special, in that they're 
not generated from reST), but otherwise that is correct.

--
nosy: +georg.brandl

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue9119] Python download page needs to mention crypto code in Windows installer

[Marc-Andre Lemburg]

Marc-Andre Lemburg  added the comment:

Added OpenSSL license to Python 2.7, 3.1 and 3.2 in r84938, r84939, r84940 resp.

Now we'll only need to add a mention of the fact that we ship OpenSSL in the 
Windows installers on the download page.

Terry, would you like to move this forward with the Python.org webmasters ?

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue9119] Python download page needs to mention crypto code in Windows installer

[Terry J. Reedy]

Terry J. Reedy  added the comment:

I sent an email.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue9119] Python download page needs to mention crypto code in Windows installer

[Christian Heimes]

Changes by Christian Heimes :


--
nosy: +christian.heimes
versions: +Python 3.3, Python 3.4

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com