Freedom Issue #3308

[cracklib] Proprietary wordlist

gap - about 1 month ago. Updated about 1 month ago.

Status: unconfirmed
Priority: bug
Assignee: -
% Done: 0%


Description

This project's source repo includes a proprietary wordlist: https://github.com/cracklib/cracklib/tree/master/words

Various other sources. Licensing of some of these lists is questionable - however I believe that these would reasonably fall under the 'list of facts' and 'can't copyright the phone book' copyright scenarios. If someone objects to a list being included here, it will be removed immediately.

Copyright holder admits and attempts to rationalise his unjust monopoly:

You're allowed to use and redistribute this wordlists collection or parts thereof, with or without modification, provided that credit is given where it is due, any modified versions are marked as such, this license is kept intact and included with each copy, and NO FEE IS CHARGED FOR OBTAINING A COPY except as negotiated with the copyright holder. In particular, you are NOT permitted to charge for bandwidth, physical media, and/or shipping. You're also not permitted to bundle this wordlists collection with a product you charge for.

If redistribution for a fee is what you're after, please contact the copyright holder to negotiate special terms for the downloadable or the extended CD-ready version of this collection.

It was a significant amount of work to compile this collection and having a monopoly on regulating the CD sales is my way to compensate for the time already spent and to allow for further work.

-- Alexander Peslyak aka Solar Designer

cracklib is required by 6 packages:
- 389-ds-base
- deepin-pw-check
- lib32-cracklib
- libpwquality
- mariadb (optional)
- mariadb (make)

History

#1

Updated by bill-auger about 1 month ago

On Wed, 13 Jul 2022 15:54:56 +0000 wrote:

You're also not permitted to bundle this wordlists collection with a product you charge for.

that is definitely non-free

In particular, you are NOT permitted to charge for bandwidth, physical media, and/or shipping.

that is more like nonsense - none of those activities are related
to copyright; so the authors cannot prohibit those activities

but that license is for only the two files under
words/files/openwall/ - the package itself could probably be
rescued - unfortunately, that README gives no licensing
information for any of the other word lists - the files under
words/files/cracklib/ are presumably under the cracklib
license; but the others would need to be investigated

words/files/clarkson.edu/
  • clarkson.txt.bz2
words/files/mark-burnett/
  • 10k-most-common.txt.bz2
  • passed-basic-check.bz2
  • scored-above-50.bz2
words/files/skullsecurity.org/
  • 500-worst-passwords.txt.bz2
  • alypaa.txt.bz2
  • cain.txt.bz2
  • carders.cc.txt.bz2
  • conficker.txt.bz2
  • elitehacker.txt.bz2
  • facebook-pastebay.txt.bz2
  • facebook-phished.txt.bz2
  • faithwriters.txt.bz2
  • hak5.txt.bz2
  • hotmail.txt.bz2
  • myspace.txt.bz2
  • phpbb.txt.bz2
  • porn-unknown.txt.bz2
  • singles.org.txt.bz2
  • tuscl.txt.bz2
  • twitter-banned.txt.bz2

#2

Updated by gap about 1 month ago

If such wordlists can indeed be copyrighted, I'd recommend immediately blacklisting cracklib whilst we work on a cleaned-up version, and report the issue upstream.
Unfortunately, from a quick check, it looks like blacklisting cracklib will have a catastrophic knock-on effect which might render Deepin and GNOME uninstallable until the cleaned-up -libre version is complete.

#3

Updated by bill-auger about 1 month ago

I'd recommend immediately blacklisting cracklib whilst we work on a cleaned-up version

that is not the blacklisting procedure though

1) evaluate and document the extent of the conflict
2) try to liberate the package

if that is not feasible:
3) try to find a suitable replacement

if that is not feasible:
4) blacklist it, as a last resort,
because that may entail blacklisting other packages,
each of which would need to go through this entire procedure,
recursively

and report the issue upstream.

that is always a good idea after step 1 is completed
(successfully or not) - if any of those other word lists are
also non-free, then it would not solve the problem to report
only the obvious ones

in this case, i think that is unlikely to be fruitful though;
because the cracklib maintainers are already aware of the
conflict, and have disclaimed the conflict explicitly - only
their contributors or the authors of the non-free files could
make them change their position

arch could do something about it though - if those files are
essential to the program's operation, then the GPL is invalid

#4

Updated by gap about 1 month ago

Whilst that procedure is certainly technically superior, I thought our first priority was to comply with the GNU FSDG even if that means temporarily breaking the repos.

#5

Updated by bill-auger about 1 month ago

this is the FSDG requirement:

So we expect distros to occasionally
contain mistakes: nonfree software that slipped through
Our requirement is
for the distribution developers to have a firm commitment to
promptly correct any mistakes that are reported to them.

the "mistake" was only discovered today; so we are still well
within the range of "promptly"

if you have the time, download all those word lists and check if
they have license files inside - if none of them do, then this
package probably cannot be rescued
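The check suggested above (look at each word list and its directory for any licensing statement) can be scripted. The following is an added example written for this thread, not code from cracklib or from any participant: it walks a words/files-style tree, decompresses each *.bz2 list with the standard library, and reports whether the head of the file or a sibling README/LICENSE/COPYING file mentions licensing terms. The vendor-a/vendor-b/vendor-c directories and list names in build_sample_tree() are constructed for the demonstration; the keyword match is a heuristic to triage which files still need a human look, not a determination of their license.

```python
"""Triage a cracklib-style words/files tree for licensing evidence.

Added example (not from the issue thread or from cracklib). Sample tree
names are hypothetical.
"""
import bz2
import os
import re
import tempfile

# Words that usually signal a licensing statement. Heuristic only: a hit
# means "read this", a miss means "no statement found in the head".
LICENSE_RE = re.compile(
    r"\b(licen[cs]e|copyright|redistribut\w*|permitted|public domain)\b", re.I
)
SIBLING_NAMES = ("LICENSE", "LICENCE", "COPYING", "README")
HEAD_BYTES = 8192  # only the head of each list is inspected


def has_license_text(path, head_bytes=HEAD_BYTES):
    """True if the head of the (optionally bz2-compressed) file mentions licensing."""
    opener = bz2.open if path.endswith(".bz2") else open
    with opener(path, "rb") as fh:
        head = fh.read(head_bytes).decode("utf-8", errors="replace")
    return bool(LICENSE_RE.search(head))


def sibling_license_files(directory):
    """README/LICENSE-style files sitting next to the word lists."""
    return sorted(
        n for n in os.listdir(directory)
        if n.upper().split(".")[0] in SIBLING_NAMES
    )


def audit_wordlists(root):
    """Map each *.bz2 list (path relative to root) to its licensing evidence."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        siblings = sibling_license_files(dirpath)
        for name in sorted(files):
            if not name.endswith(".bz2"):
                continue
            full = os.path.join(dirpath, name)
            report[os.path.relpath(full, root)] = {
                "inline_license": has_license_text(full),
                "sibling_files": siblings,
            }
    return report


def unlicensed(report):
    """Lists with neither an inline statement nor a sibling license file."""
    return sorted(
        p for p, ev in report.items()
        if not ev["inline_license"] and not ev["sibling_files"]
    )


def build_sample_tree():
    """Construct a small hypothetical tree mirroring the words/files layout."""
    root = tempfile.mkdtemp(prefix="wordlist-audit-")
    dirs = {v: os.path.join(root, "words", "files", v) for v in ("vendor-a", "vendor-b", "vendor-c")}
    for d in dirs.values():
        os.makedirs(d)
    # vendor-a: statement inside the list itself, nothing beside it
    with bz2.open(os.path.join(dirs["vendor-a"], "list-a.txt.bz2"), "wb") as fh:
        fh.write(b"# Copyright (c) example. Redistribution permitted.\npassword\n123456\n")
    # vendor-b: bare list, but a README sits next to it
    with bz2.open(os.path.join(dirs["vendor-b"], "list-b.txt.bz2"), "wb") as fh:
        fh.write(b"qwerty\nletmein\n")
    with open(os.path.join(dirs["vendor-b"], "README"), "w") as fh:
        fh.write("terms of use for list-b\n")
    # vendor-c: bare list and no sibling file at all
    with bz2.open(os.path.join(dirs["vendor-c"], "list-c.txt.bz2"), "wb") as fh:
        fh.write(b"hunter2\ndragon\n")
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    rep = audit_wordlists(root)
    for path, ev in rep.items():
        print(f"{path}: inline={ev['inline_license']} siblings={ev['sibling_files']}")
    print("needs investigation:", unlicensed(rep))
```

Run it against a checkout with `python audit.py path/to/cracklib` to get the list of files that carry no statement at all; those are the ones the thread is asking someone to investigate by hand.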

#6

Updated by gap about 1 month ago

I think we need FSF assistance as to whether such wordlists are even eligible for copyright.
