Purexo-GoogleExportation / javascript-bcrypt

Automatically exported from code.google.com/p/javascript-bcrypt

Licensing and version issues #10

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
So, if someone wants to use jsBCrypt on their own website, most likely the 
first thing they'll do is go to 
https://code.google.com/p/javascript-bcrypt/downloads/list and download 
jBCrypt-v2.2.tar.gz.

That library depends on the Clipperz JavaScript Crypto Library, which is 
licensed under the AGPL. I'm not a lawyer, but I'm pretty leery of any AGPL 
code - I'm not sure if jsBCrypt can be BSD-licensed if it includes an 
AGPL-licensed library. I think jsBCrypt would be considered a "derivative 
work", and therefore must be licensed as AGPL (or maybe some other compatible 
license? Not sure there).

On the other hand, if you look in the source, it appears that the newest 
version of jsBCrypt instead depends on isaac.js, which is MIT-licensed. So, 
maybe the downloads section just needs to be updated? The demo page uses the 
version which uses isaac, so it appears to work.

That does have other implications, however. It looks to me like isaac.js uses 
Math.random() as a seed, which I guess could make jsBCrypt less secure? I don't 
exactly understand how the BCrypt algorithm uses the random number, so I don't 
know if that's really a problem.

Finally, it seems to me that bCrypt.js should probably have a copy of the BSD 
license at the top. As it is now, if I include bCrypt.js on my website, it 
doesn't indicate to the client what license it is under.

Sorry if that rambled a bit - hope that was clear, though!

Original issue reported on code.google.com by xer...@gmail.com on 7 Apr 2013 at 1:10

GoogleCodeExporter commented 9 years ago
Just an additional note - I said "I don't exactly understand how the BCrypt 
algorithm uses the random number, so I don't know if that's really a problem". 
Actually, come to look at it, the random number is only used for the gensalt 
function. So yes - that's a potential problem if any solution uses this library 
to generate a salt, but not if it's getting the salt from another source (such 
as the server).

Original comment by xer...@gmail.com on 7 Apr 2013 at 1:34
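
Added example (not part of the original thread or of jsBCrypt): one way to get the salt from a source other than the Math.random()-seeded generator discussed above, by drawing 16 bytes from the platform CSPRNG and encoding them with bcrypt's base64 alphabet. The names `bcryptBase64`, `csprngBytes` and `secureGenSalt` are hypothetical, and `globalThis.crypto.getRandomValues` is assumed to be available (current browsers, recent Node.js).

```javascript
// bcrypt's own base64 alphabet (ordering differs from RFC 4648).
const BCRYPT_B64 =
  './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

// Encode bytes the way bcrypt does: 3 bytes -> 4 chars, no padding.
function bcryptBase64(bytes) {
  let out = '';
  for (let i = 0; i < bytes.length; ) {
    let c1 = bytes[i++];
    out += BCRYPT_B64[c1 >> 2];
    c1 = (c1 & 0x03) << 4;
    if (i >= bytes.length) { out += BCRYPT_B64[c1]; break; }
    let c2 = bytes[i++];
    out += BCRYPT_B64[c1 | (c2 >> 4)];
    c1 = (c2 & 0x0f) << 2;
    if (i >= bytes.length) { out += BCRYPT_B64[c1]; break; }
    c2 = bytes[i++];
    out += BCRYPT_B64[c1 | (c2 >> 6)];
    out += BCRYPT_B64[c2 & 0x3f];
  }
  return out;
}

// Default entropy source: the platform CSPRNG. Fails closed; there is
// deliberately no Math.random() fallback.
function csprngBytes(n) {
  const c = globalThis.crypto;
  if (!c || typeof c.getRandomValues !== 'function') {
    throw new Error('no CSPRNG available; refusing to generate a salt');
  }
  return c.getRandomValues(new Uint8Array(n));
}

// Hypothetical helper (not jsBCrypt's API): builds a "$2a$NN$<22 chars>"
// salt string. The entropy source is injectable so it can be tested.
function secureGenSalt(rounds = 10, randomBytes = csprngBytes) {
  if (!Number.isInteger(rounds) || rounds < 4 || rounds > 31) {
    throw new RangeError('rounds must be an integer from 4 to 31');
  }
  const raw = randomBytes(16); // bcrypt salts are 128 bits
  if (raw.length !== 16) throw new Error('entropy source returned wrong length');
  return '$2a$' + String(rounds).padStart(2, '0') + '$' + bcryptBase64(raw);
}
```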

GoogleCodeExporter commented 9 years ago
https://github.com/clipperz/javascript-crypto-library says Clipperz is BSD 
3-Clause licensed, so licensing problems have gone away.

Original comment by palfrey on 21 Oct 2014 at 3:02