
TrueCrypt developer says no to license change for forking - chmars
http://pastebin.com/RS0f8gwn
======
Jedd
In 2006 or 2007 I was running a non-trivially sized project for a government
agency, and we wanted to use TrueCrypt on every new machine we were rolling
out.

The default licensing arrangement certainly meant we were (legally) covered,
but we sought out the author and offered a financial arrangement in terms of
support (we weren't proposing an especially onerous arrangement, and were
quite clear in our 'improvements we fund, we're happy to go back to GPL' and
it was very much an early stage of negotiations from our perspective). Weirdly
it was dismissed outright.

Highly anecdotal, and the guy I had contact the TrueCrypt author may have
given the wrong impression (unlikely), but since then I've always felt the
project was in the 'slightly odd' category.

~~~
jacquesm
Or maybe he just figured that taking money would mean that people would make
assumptions about services rendered for that payment.

Sometimes it is better to not be associated with certain sources of funding if
you want to keep your reputation clean and not be the subject of 'sold out'
claims, even if that isn't the case.

~~~
pasbesoin
I would suggest that going to work for "the/this government", even on a
contract basis, may have, and probably has, all sorts of implications, perhaps
the majority of which, and the most concerning, are not actually spelled out
in the direct contract itself.

Just trying to evaluate what those might include could be a very extensive and
unachievable exercise.

I can imagine someone in a position like that of the TrueCrypt developers
being loath to enter into a scenario bringing with it such ramifications.
Even setting aside any personal ideology, it has the appearance of a swamp in
need of the obligatory sign, "Here Be Dragons".

Just my blue sky speculation, but based upon a number of years of casual and
outside observation of facts and anecdotes that make it into the sphere of
public knowledge.

~~~
Jedd
I can understand the sentiment you describe.

But there was no 'come work for us' implied or explicit, of that I'm sure.

This was a small to medium-sized Australian government agency, knowingly
talking to people we (assumed) were based in either Europe or the USA, either
way offshore.

We didn't even have a tentative contract to hand, and as I say I can't
remember the details, but I suspect our opening inquiry was along the lines of
'has anyone else talked to you about this type of deal', leading into a 'we'd
just like something on paper that will satisfy management that we've done due
diligence'. Our expectation was that it would effectively be a donation to the
project.

Clearly there was, for us, back then, no perceived risk at all that TrueCrypt
was about to be abandoned - and the project's response to fixing bugs far
exceeded any non-free / proprietary software we were concurrently deploying.

~~~
pasbesoin
Thanks for the clarification. Although I still think a person in a position
such as that of the TrueCrypt developers might be reluctant to take anything
from a government or provide them any sort of... statement.

------
Spoom
So fork it anyway and call it something else. According to the license[1],
this is permitted.

1.
[https://www.ohloh.net/licenses/TrueCrypt_Collective_License](https://www.ohloh.net/licenses/TrueCrypt_Collective_License)
(see section III)

~~~
tobias3
Yes, the title should not say "TrueCrypt developer says no to license change
for forking" but "TrueCrypt developer says no to license change for forking
with the same name and removing copyleft".

------
jrochkind1
It's unclear to me if the licensing terms of TrueCrypt allow others to fork it
even without the developer's permission, perhaps without the TrueCrypt name?

Resources were invested by some to audit the code. The developer is
uninterested in letting the code go on. I think the lesson is, don't invest
significant resources in supporting a shared codebase, unless it's got a
license that will let people continue to use/develop the codebase even without
the original developer/owner's permission.

~~~
ordinary
No, they don't. You're allowed to inspect the source code for any reason, but
the license does not allow redistribution or modification. TrueCrypt is not
open source or free software.

~~~
yebyen
I don't remember hearing that redistribution wasn't allowed, I'll admit I
haven't read the license carefully, but what I understood was the original
license forbade modifications through the advertising clause (making it
incompatible with open-source licenses):

If you take and modify the source, you must remove all references to the
"TrueCrypt" name inside of the source code and program interface and not call
it TrueCrypt. If you redistribute it unmodified, you must leave the
"TrueCrypt" name intact. I don't have a source for the second term, but it
would seem to be impossible to have an unmodified work that didn't call itself
TrueCrypt -- by removing TrueCrypt branding, you fulfilled the terms of the
first part, even if the functionality of the software was actually unchanged.

~~~
Dylan16807
So the license is non-free because it duplicates trademark law within itself?
It's annoying how things with no real impact can ruin compatibility.

~~~
yebyen
This is a funny thing about FOSS licenses, and I guess a commonly known thing
about the advertising clause as it relates to FOSS licensing. The wording in
the GPL that causes this situation I believe is: "No additional restrictions
may be placed on the redistribution of either the original work or a
derivative work."

The intent of the advertising clause is to assert and maintain control over
the software in the hands of the creator/owner; this is fundamentally
incompatible with FOSS ideology, where anyone can fork and edit, and the
leadership of the project is "de facto", as in the eyes of a community, rather
than "de jure". That being said, it is annoying.

------
harshreality
If the author is not willing to unmask him or herself, I'm not convinced
courts would allow an author to maintain anonymity while suing you for
copyright violation. Particularly given the specifics of this case: the
copyrighted work being freely available, and the author publicly stating that
it's abandoned.

~~~
tjaerv
[http://commons.wikimedia.org/wiki/Commons:Anonymous_works](http://commons.wikimedia.org/wiki/Commons:Anonymous_works)

~~~
harshreality
Copyright violations only matter (legally speaking) if someone is willing and
able to sue.

~~~
nitrogen
If you have the right to copyright under a pen name, should you not also have
the right to sue without revealing your identity? A right that can't be
exercised doesn't exist.

~~~
agwa
Rights can come in conflict with one another, and when this happens one has to
yield. The public has the right to open court records, and defendants have the
right to know who's suing them. These rights usually outweigh any right the
plaintiff may have in suing anonymously. It is possible to sue anonymously in
the U.S. (e.g. "Jane Roe" of Roe v. Wade was a pseudonym) but IANAL so I don't
know by what standard this is determined or whether the TrueCrypt dev(s) would
qualify.

------
SeanDav
The TrueCrypt developer(s) may be under a government gag order and this may
just be their way of letting us know without saying "The Government can crack
TrueCrypt, it is not fit for purpose anymore".

This may be another Lavabit situation.

~~~
danielweber
Or aliens.

------
valarauca1
It sounds like the developers found a critical flaw, and gave up. I'm not
saying it's purposely malicious, government-inserted, or just plain negligence.

But this response and how their website changed really make me inclined to
believe something is fundamentally broken in TrueCrypt.

~~~
easytiger
I think it's more likely the author is slightly unstable and has gotten pissed
off at the public discussion around it.

~~~
valarauca1
Eh, in reality any decision or assumption is no more than us putting ourselves
in the developer's shoes based on the few communications that have taken place.

We likely won't know what happened for several years after, if we ever learn
at all.

~~~
easytiger
I just find it hard to believe we can't work out who these people are.
Impressive work on their part. Bet the NSA do!

~~~
meapix
They might be NSA guys :) Who knows.

------
morsch
Typically, using source code as a direct reference would mark the product as a
derived work. You need an appropriate free license to do it. I wonder if this
written permission is enough to remove the taint.

------
danbruc
I used to think that - at least sometimes - redeveloping something from
scratch is a good idea, but in the last couple of years I realized that this
is rarely if ever the case. The problem is that you will introduce a lot of
new bugs and reintroduce bugs that got fixed long ago. There is no good reason
to believe that you can develop a piece of software without making hundreds of
the common small mistakes that just happen - off by one, switched sign,
missing null checks, you name it. And even if you have to deal with one of the
worst code bases you have ever seen, the developers will already have spent
countless hours wiping out such problems. Starting from scratch not only means
getting rid of bad code, it also means throwing a lot of useful work
overboard.

So if I have to deal with The-Worst-Code-Base-Ever™, I create a new project
and copy the code into the new project file by file, in the order you would
develop from scratch, and clean it up before moving on to the next file.
Improve the naming, split large functions, extract common code, unify similar
code, look for and fix bugs, improve algorithms, comment out code that
references code not yet in the new project or code not yet used, and when
there is a good opportunity improve the architecture - given that you already
understand the code base well enough. It takes time, you touch some files a
hundred times and move around bits and pieces seemingly forever, but I am
pretty confident the result is better than rewriting everything from scratch.
All this might not be such a good idea without good tool support, but if
moving and renaming things or changing function signatures project-wide is
just a matter of seconds, there is real value in doing it incrementally
instead of trying to do and get it right all at once.

~~~
illumen
Starting with tests is usually a better first step. Mostly functional tests
are easiest to write.

If you can find parts to replace into separate services, that is best. So you
can slowly migrate the system, whilst gaining the benefits quickly for the new
code. That way, if the project takes a year, bug fixes can happen in the new
code. Also features can be added to the new code.

Also, if after a year the old system is still being used, then valid questions
may be asked about what use the new system is.

YMWNV

------
JoshTriplett
There's an Open Source implementation for Linux at
[https://github.com/bwalex/tc-play](https://github.com/bwalex/tc-play) ;
perhaps that would serve as a better starting point.

------
merlish
Being forced to start from scratch seems a real shame. TrueCrypt, as it is, is
a reasonably stable and mature piece of technology. Far better to swap out the
broken/substandard bits than start solving a fundamentally hard problem all
over again from step one.

There is no guarantee that a rewrite would be better than the original. And it
will take man-years worth of effort to get even to where TrueCrypt is right
now.

~~~
pessimizer
It's not always easier to swap out broken/substandard bits than to start over
again with the original as a reference. In the opinion of this particular
Truecrypt developer, in this particular case it would not be.

------
MichaelStubbs
I can only assume that the person who posted this was "Matt" as signed off on
the original email, but Matt who? Why should we trust this?

~~~
Y0nash
Matthew Green
[https://twitter.com/matthew_d_green/status/47872127131675852...](https://twitter.com/matthew_d_green/status/478721271316758528)

------
drunkcatsdgaf
LibreCrypt around the corner

~~~
tptacek
That would be unlikely, since OpenBSD doesn't use Truecrypt.

------
lasermike026
No fork? Clone.

------
bollockitis
I generally don't advocate complete rewrites, but it seems to be the best
option in this scenario. Why is everyone so opposed to doing this? I don't
mean that rhetorically. I truly don't understand. I don't want to downplay the
difficulty of such a project, but I regularly see brilliant developers here at
HN and elsewhere scrambling to create something meaningful. Here's an
excellent opportunity to build something that would have widespread use, with
both cultural and political impact, yet there seems to be a lot of reluctance
to actually take on such a project. Instead, we keep speculating about
anonymous developers who have made it clear that they're done and want nothing
to do with it anymore. We even have permission to use TrueCrypt for reference.
Seems like an awesome opportunity for developers smart enough to do it.

~~~
na85
Agree. Unfortunately it seems to me that people on this site would rather
create yet another jsframework.js or Flappy Bird As A Service as opposed to
something like NewCrypt.

Pretty standard for the Hacker News crowd in my experience.

~~~
andrewljohnson
Such unwarranted and poisonous bitterness.

The people who publish easy stuff are typically new developers/entrepreneurs,
simply people with less practice. There aren't all that many amazing,
experienced developers with deep toolkits and skills. Better to commend people
for trying and critique their work for what it is, than bemoan the lack of
depth.

This sort of comment slings mud at the efforts of the young and inexperienced,
when we should be trying to form a welcoming community that helps them grow.
Our duty is to be supportive and help comb through the chaff to help find the
diamond tech, content, and comments. That's the point of being here.

~~~
dang
I agree, but there's another factor besides inexperience: time constraint.
Many people have day jobs. Any projects that they do for fun or interest have
to fit into their spare time. There's a limit to how ambitious such projects
can be, and we definitely don't want to exclude them.

I think it's critical for HN to welcome a wide spectrum of original work. We
want to see major technical achievements, of course. But we also want to see
the minor one-offs. The bar for sharing your work on HN should be low.

The relationship between major work and minor one-offs is mysterious. Things
that start off playful and trivial can develop in unexpected ways. Or maybe a
success at something trivial inspires someone to a more ambitious next effort.
If we want to have a culture of people sharing things they've made—which we
do—we need to accept that most won't seem very impressive.

A good example is 2048. That game and its many variations weren't necessarily
technically impressive. But the way in which a whole bunch of people riffed on
each other's work for a few weeks—that was one of the most creative things
ever to happen spontaneously on HN. If the game itself had been less trivial,
I doubt that would have happened. The barrier to entry would have felt too
high, so people without much time or experience wouldn't have gone for it. But
because it was so simple, making one's own variation felt doable, and lots of
people did.

------
Y0nash
I can see 3 possible scenarios: 1) Gov gave him "An Offer He Can't Refuse". 2)
It's not him. He is either dead or in prison. 3) He is an asshole or mentally
unstable.

~~~
danielweber
Yeah, he gave the world a bunch of work for free. Total asshole, man!!1 Fuck
him right in the ear!!

Srsly: TC always had a weird license and we accepted it because the rest of
the product (seemed to) work so well. He doesn't owe anyone anything.

~~~
Y0nash
Without commercial intentions he gives something for free, yet he forbids
others from using it however they want. He also gave a completely vague reply
to all the requests and arguments.

~~~
danielweber
The author didn't owe anyone a filesystem encryption program. He still gave
one to people for his own reasons. The fact that some people are pissed about
the thing he gave them for free says more about those people than it does
about him.

He doesn't owe anyone anything.

 _EDIT_ Fox must have good lawyers because I couldn't find Comic Book Guy
complaining about how Itchy & Scratchy owe him because they've given him
hundreds of hours of entertainment for free.

~~~
Y0nash
Jeez... nobody says he owes anything to anyone. Nobody said that people are
pissed (maybe you are?) I think people are just disappointed because he
destroyed something really valuable and he clearly hampers any attempts to
recover that damage.

~~~
newaccountfool
It's his software; he can do whatever he wants with it.