cloudflare / keyless

Cloudflare's Keyless SSL Server Reference Implementation

Project is not using an open source license #80

Closed konklone closed 9 years ago

konklone commented 9 years ago

This isn't an open source license:

https://github.com/cloudflare/keyless/blob/master/LICENSE

You may examine source code, if provided to you, solely for the limited purpose of evaluating the Software for security flaws. You may also use the Service to create derivative works which are exclusively compatible with any CloudFlare product service and no other product or service.

And the blog post announcing this repo certainly implies that the license is tied to a business relationship with Cloudflare:

Customers also get access to a reference implementation written in C, so they can build their own compatible key server.

You should quickly add to the README a human explanation of what this license is. So few repositories on GitHub have a LICENSE file that is not open source, that I think many, many people coming upon this repository will assume that they are free to use and modify this code as they would an open source project.

I also strongly urge you to reconsider your choice of license, and make this an open source project.

This server represents, at the very least, the API documentation for Cloudflare's engineering feat of implementing SSL without access to a private key. Anyone who wants to build a server that implements a keyless system is going to at least want to reference this work. Its impact to the broader community of security engineers is going to be limited if the reference implementation is available only under a restricted license.

Cloudflare is in the business of providing a secure, global CDN for its clients, and I'm sure that keeping a competitive advantage factors into this license choice. But Cloudflare also very clearly works hard to improve the overall security of the Internet, and wants to be a respected and impactful community leader in that regard. Cloudflare is prioritizing the former over the latter here, and as an admirer of Cloudflare's leadership on Internet security, I find that disappointing.

jgrahamc commented 9 years ago

The source is publicly available as a reference implementation. We made a determination that, at least initially, for key servers that interface with our network we wanted some visibility. If you're building a key server and have concerns, we're happy to work with you to resolve them.

konklone commented 9 years ago

OK. But you should still update the README with a 1-paragraph explainer of the LICENSE, and put that description at the top of the LICENSE file as well. Without it, you're going to have people assume this is under an open source license.

Also, it needs to be noted that your response is literally just your boss's tweets copied and pasted in sequence. That's total PRspeak, and not a very open or humane way to communicate with the outside world.

konklone commented 9 years ago

And to be a little more concrete about what's PRspeak about it, "...for key servers that interface with our network we wanted some visibility." does not explain the rationale. Matthew has another tweet that helps explain it a bit: "difference here is that the software inherently connects with our network and there's a perceived security risk."

It's not clear to me why that's any different than the myriad other open source tools out there that touch the internals of someone's network, like openssl or nginx or whatever other tools are helping support your work.

As Matthew said, Cloudflare is an approachable company that cares about a better Internet, and if I do want to build a keyless SSL server, I'm sure I can reach out over email, and Cloudflare will be helpful. But I think it's important to be able to speak clearly and openly about Cloudflare's business decisions.

jgrahamc commented 9 years ago

How about I add "Note: the license for this project is not 'open source' as described in the 'open source definition': http://opensource.org/osd"?

konklone commented 9 years ago

:+1: Sure, that'd help.

jgrahamc commented 9 years ago

Done.