Re: tlug: OpenSSH and keys



On Thu, Jul 13, 2000 at 02:07:50AM -0700, Austin K. Kurahone wrote:
> >Hello
> >I was using openssh-1.2.1 for a while and recently switched to
> >openssh-2.1.1
> Ugh, I feel unpure and tainted by answering this question.  First
> of all, get a real ssh implementation; free software is no good if
> it's crap.  (www.ssh.org)

But did you read the new license for ssh 1.2.30? Oh my gawd.

Exhibit A:

>Further, subject to the terms and conditions contained herein and
>provided that your are an individual, SSH hereby grants to You, an end
>user, a personal, non-transferable, non-exclusive, non-sublicensable
>license to install and use the Software for recreational and hobby
>purposes only.

In other words, you arguably can't use this software for such purposes as
maintaining a volunteer organization's web server, unless you do it strictly
as a hobby rather than as charity work.

(Academic users do get a "non-commercial" license, BTW. While I find that
suboptimal, I would be able to live with it. However, the fact that they get a
catch-all non-commercial license and we don't strongly suggests that they would
like to exclude some non-commercial activities by non-students.)

Exhibit B is even more clear-cut and evil.

>You may not: (i) use the Software, except under the terms listed
>above; (ii) modify, translate, reverse engineer, decompile,
>disassemble or otherwise attempt to reconstruct or discover the source
>code of the Software (except to the extent applicable laws
>specifically prohibit such restriction);

WTF is the point of the source code if you can't even modify it for your
own use?!?!?! The way I read this license, you're screwed if the source
fails to compile, because you aren't allowed to modify the source to allow
it to compile. Sigh.

Am I the only one who finds the "reverse engineer" a bit farcical, BTW?
You already have the source code; what else is there to reverse engineer?

Finally, Exhibit C:

>If You are a licensee under the Non-Commercial User License,
>or the Evaluation for Commercial Use License, You may make a single
>copy the Software for back-up purposes, provided such copy contains
>all of the original Software's copyright, trademark and other
>proprietary notices and marks. If You are a licensee under the
>Commercial User License, You may make only the number of copies of the
>Software paid for by You plus a single additional copy for back-up
>purposes, provided any and all copies must contain all of the original
>Software's copyright, trademark and other proprietary notices and
>marks.

This software is freely downloadable from an FTP site, BTW. If you used
software such as Netscape to get a copy, chances are that you've already
breached your contract preemptively by keeping a copy for non-backup
purposes in your web cache; if you're going through a caching proxy, the
entity operating the proxy may be in violation of the contract as well.

I also wonder: what sort of a butt-headed lawyer came up with this lame
license? The best you can say about it is that it's myopic, and needs to be
put through a grammar checker; the worst is that it may well be unenforceable
given how the software is distributed. The least he could have done is use a
boilerplate shareware/trialware license, which is basically what this ssh
release is.

This license is unreasonably restrictive, looks hastily put together (look at
the grammar errors in the parts I quoted you), doesn't mesh well at all with
their mode of distribution--everything that suggests that whoever is doing
release management at DataFellows (or whatever they call themselves these
days) is not doing their job. I haven't actually compiled and tried out
the new release yet, but the shoddy nature of this license does not increase
my confidence in the code quality of this release. What was that you were
saying about crap software, Austin?

Finally, what the hell is GNU gmp doing in a non-free software package? It
sure looks like a flagrant violation of GPL to me, now that I think about it,
but it's hard for me to believe that no one else has noticed this before.


I've avoided OpenSSH up to this point, but I'll have to think really, really,
really hard about switching now. At least Theo de Raadt isn't obnoxious
enough to require me to remember not to use ssh for anything I don't find
"recreational," and he also can't stop me from applying patches should
anyone ever find a security hole in it (just theoretically speaking, of
course; we all know that There Are No Security Holes In OpenBSD Because It's
Been Audited).

-- 
Shimpei Yamashita                   <http://www2.gol.com/users/shimpei/>
