browserify / browserify-aes

aes, for browserify

License violation #43

Open bastien-roucaries opened 7 years ago

bastien-roucaries commented 7 years ago

You said that your package derives from: https://code.google.com/p/crypto-js/

This is the license that is more restrictive than ours. You should therefore use the following license and acknowledge the original license:

crypto-js - License.wiki

(c) 2009-2013 by Jeff Mott. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation or other materials provided with the distribution.
Neither the name CryptoJS nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS," AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

bastien-roucaries commented 7 years ago

Moreover, triplesec violates the original license, but if you consider that MIT applies only to the patch, you should also acknowledge the triplesec author and add this license to his patch work:

The MIT License (MIT)

Copyright (c) 2013 Maxwell Krohn

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

bastien-roucaries commented 7 years ago

Moreover ghash is tainted by this license: https://github.com/bitwiseshiftleft/sjcl/blob/master/LICENSE.txt

bastien-roucaries commented 7 years ago

I propose this copyright file:

Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: browserify-aes
Upstream-Contact: https://github.com/crypto-browserify/browserify-aes/issues
Source: https://github.com/crypto-browserify/browserify-aes
Comment: this package was mainly derived (see readme.md) from triplesec (https://github.com/keybase/triplesec) that is itself derived from crypto-js (https://code.google.com/p/crypto-js/ now at https://code.google.com/archive/p/crypto-js/wikis/License.wiki).
 .
 crypto-js is distributed under BSD-3.
 .
 triplesec is distributed under expat (https://github.com/keybase/triplesec/blob/master/LICENSE) but only for its own modification due to cloning crypto-js.
 .
 ghash.js file is derived (see comment in the header) from sjcl (https://github.com/bitwiseshiftleft/sjcl/) that is distributed under BSD-2 or GPL-2 at your choice (see https://github.com/bitwiseshiftleft/sjcl/blob/master/LICENSE.txt).
 .
 This package is said upstream to be distributed under expat license but is really under BSD-3.

Files: *
Copyright: 2009-2013, Jeff Mott
 2013, Maxwell Krohn
 2014-2017, browserify-aes contributors
License: BSD-3 and Expat
Comment: Jeff Mott is original author of crypto-js see https://github.com/keybase/triplesec/blob/master/LICENSE
 .
 Maxwell Krohn is original author of triplesec releasing modification of crypto-js under expat license see https://github.com/keybase/triplesec/blob/master/LICENSE
 .
 browserify-aes contributors released modifications under expat license.

Files: ghash.js
Copyright: 2009-2013, Jeff Mott
 2013, Maxwell Krohn
 2014-2017, browserify-aes contributors
 2009-2015, Emily Stark, Mike Hamburg and Dan Boneh at Stanford University
 2012 Juho Vähä-Herttua
 2016 Fedirico Bond
License: BSD-2 or GPL-2, and BSD-3 and Expat
Comment: Jeff Mott is original author of crypto-js see https://github.com/keybase/triplesec/blob/master/LICENSE
 .
 Maxwell Krohn is original author of triplesec releasing modification of crypto-js under expat license see https://github.com/keybase/triplesec/blob/master/LICENSE
 .
 browserify-aes contributors released modifications under expat license.
 .
 Some functions of this file were copied from sjcl project under BSD-2 or GPL-2 copyright (see https://github.com/bitwiseshiftleft/sjcl/blob/master/LICENSE.txt)
 .
 Original author of sjcl project were checked using git history see https://github.com/bitwiseshiftleft/sjcl/commits/master/core/gcm.js

Files: debian/*
Copyright: 2017, Bastien Roucariès
License: Expat

License: Expat
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 .
 The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
 .
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

License: BSD-3
 All rights reserved.
 .
 Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
 .
 1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer.
 .
 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation or other materials provided with the distribution.
 .
 3. Neither the name CryptoJS nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
 .
 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS," AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

License: BSD-2
 All rights reserved.
 .
 Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
 .
 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
 .
 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
 .
 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

License: GPL-2
 This package is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License.
 .
 This package is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
 .
 You should have received a copy of the GNU General Public License along with this package; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
 .
 On Debian systems, the complete text of the GNU General Public License version 2 can be found in `/usr/share/common-licenses/GPL-2'.

dcousens commented 7 years ago

PRs accepted...

dcousens commented 5 years ago

@calvinmetcalf from reading what @bastien-roucaries has said, and briefly looking at some of the links, it appears the summary of changes are as shown below? I am not a lawyer, but I think this would probably help this package be closer to complying with the various LICENSE terms it appears to be under given how much derivative code appears to have been added...

@bastien-roucaries what do you mean by Files: debian/*?

Files: *

Copyright (c) 2009-2013, Jeff Mott
Copyright (c) 2013, Maxwell Krohn
Copyright (c) 2014-2017, browserify-aes contributors

with LICENSE(s) of: BSD-3 and MIT

Files: ghash.js

Copyright (c) 2009-2013, Jeff Mott
Copyright (c) 2012, Juho Vähä-Herttua
Copyright (c) 2013, Maxwell Krohn
Copyright (c) 2014-2017, browserify-aes contributors
Copyright (c) 2009-2015, Emily Stark, Mike Hamburg and Dan Boneh at
Stanford University. All rights reserved.
Copyright (c) 2016 Fedirico Bond

with LICENSE(s) of: BSD-2 or GPL-2, and BSD-3 and MIT

ljharb commented 1 year ago

@bastien-roucaries #59 implies that this issue can be closed. However, the license of the project isn't fully clear to me. Is it dual-licensed, or are different parts licensed differently? In other words, how can the license of this project be accurately represented with an SPDX specifier?

If it can not be, which parts would I need to extract to a different package so that both packages had an accurate SPDX identifier?

dcousens commented 1 year ago

I think parts of this package written by @calvinmetcalf license as MIT - but otherwise different parts would be derivatives which are licensed differently and hopefully were covered by #59.

ljharb commented 1 year ago

oof, ok thanks, that makes things difficult.

dcousens commented 1 year ago

Maybe you could copy the LICENSE headers from ghash.js into LICENSE, then that would have everything in one place? I think the SPDX identifier represents that?

ljharb commented 1 year ago

The ideal destination is that an individual package has a single license that covers it in its entirety. So, I'd probably want to extract out either the MIT parts, or the non-MIT parts, into a new package, so that each one has a single SPDX identifier.