curl-library

Re: Updated Mozilla certdata inclusion?

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 13 Feb 2008 09:31:37 +0100 (CET)

On Tue, 12 Feb 2008, Yang Tse wrote:

>> As long as the license is clear it doesn't matter if the file is changed or
>> not since the license does allow us to change it and we do distribute the
>> script that does the change.
>
> It does matter if it is changed or not. If certdata.txt remains unchanged we
> and anyone can clearly claim that it is the original Mozilla certdata.txt.
> On the other hand if it is changed or modified the project (libcurl) might
> not even be able to use the Mozilla(R) name to reference it; see last
> paragraph of the "Mozilla CA Certificate Policy (Version 1.2)" [1]

Those are two different matters.

The first, the actual contents of the file are available for us under the
triplet license and we are thus allowed to copy, modify and redistribute it at
will as long as we adhere to the license we select (out of the three
available). That's what I was talking about.

Secondly, Mozilla is using a somewhat restricted policy on what they deem is
acceptable to do with stuff from them and still using the trademarked names
they use. So yes, if we modify the file or if we don't get their blessing (or
whatever it is it takes) we probably won't be allowed to call it "the Mozilla
ca cert bundle" but instead we must properly call it as "derived from the
Mozilla ca cert bundle" or something to that same effect.

In the threads Gunter pointed out at

         http://news.gmane.org/gmane.comp.mozilla.security

some of the guys also brought up the possibility that there are (as there
clearly at least have been) organizations that only allow their CA cert to get
distributed by organizations that have agreed to their license and that they
deem fine enough. To me, that's indeed a bit strange reasoning since that
would then be completely against ALL the licenses this file is distributed as!

> If I'm not wrong all this effort aims at making the situation more clear, so
> whatever is done should at least result in a more clear situation for
> lib/curl and copyright holder than it is right now.

Exactly my view of things.

And I'm currently mostly thinking: remove it.

-- 
  Commercial curl and libcurl Technical Support: http://haxx.se/curl.html
Received on 2008-02-13