PyCrypto licensing is unclear

Bug #260130 reported by Darsey Litzenberger
Affects        Status        Importance  Assigned to  Milestone
Python-Crypto  Fix Released  High        Unassigned
Gentoo Linux   Fix Released  Medium

Bug Description

The PyCrypto licensing status is currently kind of a mess. It seems as though there are a lot of reference implementations that have just been copied-and-pasted into the source tree, and each has its own licensing statement. Some modules (specifically, RIPEMD.c) appear not to be free software.

At minimum, the LICENSE file should be updated.

A.M. Kuchling (amk) wrote :

The RIPEMD implementation could probably just be replaced by the one at http://homes.esat.kuleuven.be/~bosselae/ripemd160.html (same author, same date, but different license terms).

Darsey Litzenberger (dlitz) wrote :

Yes, I see that, though I've already written my own implementation of RIPEMD-160 (without an "obnoxious advertising clause"), which is currently sitting in my source tree.

I filed this bug report in response to this mailing list post:
https://listserv.surfnet.nl/scripts/wa.cgi?A2=ind0808&L=python-crypto&T=0&F=&S=&P=187

Andrew, could you help clarify a few things?

1. Since I'm a Canadian living in Canada, I need to be mindful of Canadian crypto export rules. Canada's crypto export rules are a bit more complicated for U.S.-origin technology, so it's helpful to know the "country of origin" of the software. Your website is hosted on a ".ca" TLD, but it says that you are now living in the US. Could you identify what part(s) of PyCrypto are of US vs. non-US origin?

2. PyCrypto's licensing statement is kind of ambiguous. It authorizes distribution and "use", but it's not entirely clear that distributing modified versions is permitted. Some people seem to think that the copyrights have been totally disclaimed, but the LICENSE file doesn't really reflect that:

    =====
    Distribute and use freely; there are no restrictions on further
    dissemination and usage except those imposed by the laws of your
    country of residence. This software is provided "as is" without
    warranty of fitness for use or suitability for any purpose, express
    or implied. Use at your own risk or not at all.
    =====

    Incorporating the code into commercial products is permitted; you do
    not have to make source available or contribute your changes back
    (though that would be nice).

Would it be possible for you to contribute a PGP-signed clarification statement? Perhaps something stating that the copyright notices that cover any PyCrypto code that you wrote can be replaced with something like this?

    =====
    Copyright (C) 2008 Andrew M. Kuchling <email address hidden>

    Permission is hereby granted, free of charge, to any person obtaining
    a copy of this software and associated documentation files (the
    "Software"), to deal in the Software without restriction, including
    without limitation the rights to use, copy, modify, merge, publish,
    distribute, sublicense, and/or sell copies of the Software, and to
    permit persons to whom the Software is furnished to do so.

    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
    "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
    LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
    A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
    OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
    SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
    LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
    DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
    THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
    (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
    OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    =====

3. I don't know how much time you have, but any help you could provide in ...

Darsey Litzenberger (dlitz) wrote :

This is well on its way to being fixed.

Changed in pycrypto:
status: New → In Progress
importance: Undecided → High
Darsey Litzenberger (dlitz) wrote :

Should be fixed now. PyCrypto is mostly in the public domain, with a few things copied from the Python 2.2 sources.

http://gitweb.pycrypto.org/?p=crypto/pycrypto-2.x.git;a=commitdiff;h=9df50513c6d401656d26c87937c63b6e9e77a0df

Changed in pycrypto:
status: In Progress → Fix Committed
Changed in gentoo:
status: Confirmed → Fix Released
Darsey Litzenberger (dlitz) wrote :

We believe this bug has been fixed in PyCrypto v2.1.0, which can be obtained from http://www.pycrypto.org/

Changed in gentoo:
importance: Unknown → Medium