spdx / license-list-XML

This is the repository for the master files that comprise the SPDX License List

New license request: Openwall crypt #2262

Closed voxik closed 9 months ago

voxik commented 11 months ago

How license meets inclusion principles

This was discussed in this Fedora ticket:

https://gitlab.com/fedora/legal/fedora-license-data/-/merge_requests/239

And was previously classified as Public Domain.

Please note that I have come to this license via ruby-bcrypt, but it seems that this is the original upstream.

License Name

Openwall crypt

Suggested short identifier

Openwall-crypt

License or Exception?

license

URL to license text

https://github.com/bcrypt-ruby/bcrypt-ruby/blob/master/ext/mri/crypt_blowfish.c

OSI Status

I don't know

License author or steward

https://en.wikipedia.org/wiki/Solar_Designer

URL to project(s) that use license

https://github.com/bcrypt-ruby/bcrypt-ruby

https://www.openwall.com/crypt/

paste text of license here

The crypt_blowfish homepage is:

 http://www.openwall.com/crypt/

This code comes from John the Ripper password cracker, with reentrant and crypt(3) interfaces added, but optimizations specific to password cracking removed.

Written by Solar Designer in 1998-2014. No copyright is claimed, and the software is hereby placed in the public domain. In case this attempt to disclaim copyright and place the software in the public domain is deemed null and void, then the software is Copyright (c) 1998-2014 Solar Designer and it is hereby released to the general public under the following terms:

Redistribution and use in source and binary forms, with or without modification, are permitted.

There's ABSOLUTELY NO WARRANTY, express or implied.

It is my intent that you should be able to use this on your system, as part of a software package, or anywhere else to improve security, ensure compatibility, or for any other purpose. I would appreciate it if you give credit where it is due and keep your modifications in the public domain as well, but I don't require that in order to let you place this code and any modifications you make under a license of your choice.

This implementation is fully compatible with OpenBSD's bcrypt.c for prefix "$2b$", originally by Niels Provos, and it uses some of his ideas. The password hashing algorithm was designed by David Mazieres. For information on the level of compatibility for bcrypt hash prefixes other than "$2b$", please refer to the comments in BF_set_key() below and to the included crypt(3) man page.

There's a paper on the algorithm that explains its design decisions:

 http://www.usenix.org/events/usenix99/provos.html

Some of the tricks in BF_ROUND might be inspired by Eric Young's Blowfish library (I can't be sure if I would think of something if I hadn't seen his code).

voxik commented 11 months ago

As the license itself says, this was extracted from John the Ripper. Not sure if it would not be worth the effort to review the code or other projects, if there is some pattern in the licenses.

jlovejoy commented 10 months ago

+1 to add and the name and ID suggestions seem fine to me. I don't think any markup is necessary, as this seems to be a one-off license used for a couple projects that are used by major distro(s).

Pizza-Ria commented 9 months ago

Per @voxik's comment above - it looks like JR is under the GPLv2 so not sure that this code can be dedicated to the public domain (or his backup license).

This code comes from John the Ripper password cracker, with reentrant
and crypt(3) interfaces added, but optimizations specific to password
cracking removed.

John the Ripper is released under GNU GPL v2 "or later", with portions also available under more relaxed terms.

voxik commented 9 months ago

Actually, good that you have mentioned JR again, because there is also this comment in the LICENSE file:

Furthermore, as the copyright holder for the bcrypt (Blowfish-based
password hashing) implementation found in John the Ripper, I have placed
a derived version of this implementation in the public domain.  This
derived version may be obtained at:

    https://www.openwall.com/crypt/

The intent is to provide modern password hashing for your servers and
your software (where the GPL restrictions could be a problem).

jlovejoy commented 9 months ago

@Pizza-Ria - any thoughts on where this leaves us given @voxik's latest comment? I think I'm still inclined as per my comment above...

swinslow commented 9 months ago

Discussed with @jlovejoy, looking at the "upstream" package linked above, this part of the submitted license text applies in multiple files:

 * Written by Solar Designer <solar at openwall.com> in 1998-2014.
 * No copyright is claimed, and the software is hereby placed in the public
 * domain.  In case this attempt to disclaim copyright and place the software
 * in the public domain is deemed null and void, then the software is
 * Copyright (c) 1998-2014 Solar Designer and it is hereby released to the
 * general public under the following terms:
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted.
 *
 * There's ABSOLUTELY NO WARRANTY, express or implied.

I'm +1 to add this, with <copyrightText> around the top line and an <alt> match for the subsequent "Copyright (c)" line midway down. Suggest bcrypt-Solar-Designer as license ID.