Bug#814352: ITP: veracrypt -- Cross-platform on-the-fly encryption

Francesco Poli invernomuto at paranoici.org
Wed Feb 17 20:49:54 UTC 2016 

On Wed, 17 Feb 2016 11:39:00 +0000 Mike Gabriel wrote:

[...]
> (taking debian-edu-pkg-team @ Alioth into the discussion loop, as that  
> would be the maintainer team for VeraCrypt in Debian)

OK, fine.

> 
> On  Mi 17 Feb 2016 00:17:28 CET, Francesco Poli wrote:
> 
> > On Wed, 10 Feb 2016 18:07:48 +0100 Mike Gabriel wrote:
> >
> > [...]
> >>  1.
> >>  Is VeraCrypt suitable for the non-free section of Debian?
> >
> > I am not sure: the TC-3.0 license is still fairly unclear (at least
> > to my eyes), so I cannot really speculate on its possible
> > implications...
> 
> Hmmm... ok. I think the ftpmasters would be glad about some guidance  
> on why you see veracrypt (not the TC 3.0 license, see below) unfit for  
> Debian non-free. I have already uploaded VeraCrypt to Debian  
> NEW/non-free and it is waiting approval/rejection from an ftpmaster.

I didn't say that veracrypt is clearly unfit for the non-free archive.

I said that the TC-3.0 license is unclear, and that I am consequently
not sure about the possibility to distribute a package including code
under such a license (even in the non-free archive).

I hope I clarified what I meant.

> 
> Also, it'd be interesting if the upstream people of VeraCrypt can  
> apply any change(s) to the upstream sources, their VeraCrypt license  
> or whatever, to make the software fit at least for Debian non-free.

If VeraCrypt upstream developers (IDRIX, I suppose) are in good terms
with the copyright holders for the Truecrypt version they forked from
(TrueCrypt Developers Association, I suppose) and can persuade them to
agree to a re-licensing of the code-base, the outcome could be
definitely interesting.
Everything re-licensed under the terms of the 3-clause-BSD license
would be a huge win for everyone, since it would mean the possibility
to upload veracrypt to Debian main (assuming no other showstopper comes
up).

[...]
> >>  3.
> >>  The new upstream maintainer also states that all novelties of the code
> >>  are licensed under the Apache-2.0 license, but as long as any line from
> >>  the original code sticks out, the licensing of the code is governed by
> >>  the original Truecrypt 3.0 license, right?
> > [...]
> >
> > Then I am not sure I understand why the debian/copyright file draft
> > you sent states
> >   Files: *
> >   Copyright: 2003-2011, TrueCrypt Developers Association
> >              2013-2014, IDRIX
> >   License: TC-3.0 or Ms-PL
> >
> > What's Ms-PL ? Shouldn't it be Apache-2.0 ?
> > Moreover, "or" means dual-licensing, but I understand this to be a
> > code-mixing case: I think "and" should be used instead.
> >
> > See
> > https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
> > for more details.
> 
> Oh, I am sorry. With this mail, I have attached the latest  
> debian/copyright file as I have it now after having it reworked two  
> days ago. I should have sent an updated copy to debian-legal  
> immediately. Sorry for that.

Mmmmh, I cannot see any attachment. Was it forgotten or lost somehow?

> 
> As it seems, the VeraCrypt upstream people have come up with a new  
> license, the VeraCrypt license. See attached copyright file for details.

Please send the updated debian/copyright file...

[...]
> > Anyway, without looking at any further details, a question arises:
> > why are you packaging veracrypt for the non-free archive? what does
> > it offer that tcplay doesn't?
> >
> > See
> > https://packages.debian.org/sid/tcplay
> > https://tracker.debian.org/pkg/tcplay
> 
> I have checked tcplay and also zulucrypt-gui again. We provide  
> veracrypt to teachers / students at school that come from the Windows  
> realm mainly. For them, it is essential to recognize some pieces of  
> software on our Linux environment that they have become so used to on  
> their Windows machines. VeraCrypt (for formerly TrueCrypt) is such an  
> application. Teachers here in Germany have to encrypt all personal  
> data that they carry around, so they need _one_ cross platform tool  
> for that. I'd be happy to provide that piece of software to other  
> people in Debian (Edu).
> 
> Working on the command line (tcplay) is not an option for the  
> teachers, we support here.

Then I hope someone will develop a GUI front-end for tcplay, if it is so
important for at least one category of users...

> And personally, I just tried out  
> zulucrypt-gui the second time and I could not get it running as  
> non-root. This is probably possible, I did not spend much time on  
> this, but honestly, I prefer a solution that works right away. Also  
> ZuluCrypt feels a little nerdy, not so user friendly as VeraCrypt  
> currently is.

Mmmmh, I see.


-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
..................................................... Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/debian-edu-pkg-team/attachments/20160217/81c573a1/attachment.sig>

More information about the Debian-edu-pkg-team mailing list