keybase / triplesec

Triple Security for the browser and Node.js
https://keybase.io/triplesec
MIT License

license violation of [crypto-js](https://code.google.com/p/crypto-js/) #60

Closed bastien-roucaries closed 7 years ago

bastien-roucaries commented 7 years ago

It seems that you derived this program from crypto-js, which is under BSD-3.

It is a license violation to distribute triplesec under MIT without acknowledgement of the crypto-js author...

Could you confirm and correct?

maxtaco commented 7 years ago

Does Crypto-JS have a license? If so, can you point me to it?

gburtini commented 7 years ago

@maxtaco: https://code.google.com/archive/p/crypto-js/ on the right side of this page, you'll see License: New BSD License. If you dig a little in the recent commits, you'll find the one where he updated a link to this file, which is pretty clearly the 3-Clause BSD.

maxtaco commented 7 years ago

Thanks. I added the license in f3122638c937b97d945025787761094052ee4f99. Reopen if you think this doesn't cover it.

gburtini commented 7 years ago

@maxtaco, I can't reopen because I did not create the issue.

Unless you have a reason to keep this MIT, I think a better solution would be relicensing the whole library as BSD to match the origin license. From my perspective, the licenses are very similar other than the patent grant.

Having both licenses in this library makes it ambiguous what code/changes are subject to what licenses - if you really wanted to do that, it would be better to distribute it as a patchset or clearly delineated dependency tree that represented the boundary between the MIT code and the BSD code.

Considering the patent clause in BSD, users would have to be wary if you did not intend to issue the explicit patent grant, as it would mean that if Keybase decided to patent Triplesec, users of this library could be in violation. I expect that would never happen, but perhaps it is reason enough to consider the relicensing.