Bug#1029842: ITP: randombytes -- Library generating fresh randomness

Sam Hartman

Jan 28, 2023, 3:50:03 PM1/28/23
>>>>> "Jan" == Jan Mojzis <jan.m...@gmail.com> writes:

* Package name : randombytes
Version : 20230126
Upstream Author : Daniel J. Bernstein
* URL : https://randombytes.cr.yp.to/
* License : Public domain

Public domain is problematic as a license.
At least under US copyright law, there are very few circumstances when
something can actually be public domain.
One example is software written by US government employees.
But I don't think any of those circumstances apply to this library.
So I'm not sure the license is okay.

I'll also admit to being skeptical of the utility of such a library
given the getrandom() API in libc.

Jan Mojzis

Feb 1, 2023, 3:10:04 PM2/1/23


> On 28. 1. 2023, at 21:42, Sam Hartman <hart...@debian.org> wrote:
>
>>>>>> "Jan" == Jan Mojzis <jan.m...@gmail.com> writes:
>
> * Package name : randombytes
> Version : 20230126
> Upstream Author : Daniel J. Bernstein
> * URL : https://randombytes.cr.yp.to/
> * License : Public domain
>
> Public domain is problematic as a license.
> At least under US copyright law, there are very few circumstances when
> something can actually be public domain.
> One example is software written by US government employees.
> But I don't think any of those circumstances apply to this library.
> So I'm not sure the license is okay.

If I understand it correctly, CC0-style public-domain declaration in debian/copyright solves the problem.
(learned here: https://lists.debian.org/debian-mentors/2017/09/msg00171.html)

~~~
License: public-domain-CC0-1.0
Public domain.
.
Upstream library is marked as public-domain https://randombytes.cr.yp.to/index.html.
.
Public-domain mark does not have the same meaning in all jurisdictions,
to avoid confusion, please follow CC0 1.0 Universal.
The complete text of the CC0 license, version 1.0,
can be found in /usr/share/common-licenses/CC0-1.0.
~~~

Or am I wrong?

>
> I'll also admit to being skeptical of the utility of such a library
> given the getrandom() API in libc.

The library internally uses getrandom().
The primary bonus is in portability and usability. The library (namely randombytes-kernel) uses one of the variants
getrandom(), getentropy(), "/dev/urandom", and the user/application doesn't need to care which resource is available on a given operating system.
And the user/application also doesn't have to worry about whether the system has enough entropy (e.g. /dev/urandom initialized).
Randombytes() simply waits/blocks until there is enough entropy.

Jan
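Jan's description above of how randombytes-kernel picks between getrandom(), getentropy() and "/dev/urandom", illustrated with an added example that is not the library's own code and not from the original thread: a hypothetical `my_randombytes()` that tries getrandom(2) with flags 0 (so it blocks until the kernel pool is initialized) and falls back to /dev/urandom, handling EINTR and short reads. It assumes Linux with glibc 2.25+ (or musl) and leaves out the getentropy() variant.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/random.h>   /* getrandom(2), glibc 2.25+ */
#endif
/* Try getrandom(2). flags=0 means the call blocks until the kernel's pool
 * has been initialized, which is the "waits until there is enough entropy"
 * behaviour described above. Returns 0 on success, -1 if unavailable. */
static int fill_getrandom(unsigned char *buf, size_t n) {
#ifndef __linux__
    (void)buf; (void)n; return -1;      /* no getrandom() here: caller falls back */
#else
    while (n > 0) {
        ssize_t r = getrandom(buf, n, 0);
        if (r < 0) {
            if (errno == EINTR) continue;   /* interrupted by a signal: retry */
            return -1;                      /* e.g. ENOSYS on a pre-3.17 kernel */
        }
        buf += r; n -= (size_t)r;           /* short reads are legal: keep going */
    }
    return 0;
#endif
}

/* Fallback: read /dev/urandom. Caveat: on Linux this device never blocks, so
 * unlike getrandom(flags=0) it cannot promise that the pool was ever seeded. */
static int fill_urandom(unsigned char *buf, size_t n) {
    int fd;
    do { fd = open("/dev/urandom", O_RDONLY); } while (fd < 0 && errno == EINTR);
    if (fd < 0) return -1;
    while (n > 0) {
        ssize_t r = read(fd, buf, n);
        if (r < 0 && errno == EINTR) continue;
        if (r <= 0) { close(fd); return -1; }   /* error or unexpected EOF */
        buf += r; n -= (size_t)r;
    }
    close(fd);
    return 0;
}

/* Hypothetical randombytes-style entry point (name assumed for this example). */
int my_randombytes(unsigned char *buf, size_t n) {
    if (fill_getrandom(buf, n) == 0) return 0;
    return fill_urandom(buf, n);
}
```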

Sam Hartman

Feb 1, 2023, 3:30:04 PM2/1/23
>>>>> "Jan" == Jan Mojzis <jan.m...@gmail.com> writes:
Jan> If I understand it correctly, CC0-style public-domain
Jan> declaration in debian/copyright solves the problem. (learned
Jan> here:
Jan> https://lists.debian.org/debian-mentors/2017/09/msg00171.html)

I'm not entirely sure I agree with Don, and he was also being short.
I agree that a cc0 style declaration made by the original author makes
everything fine.
I do not think you can make a cc0 style declaration on behalf of someone
else.

Simon Josefsson

Aug 29, 2023, 5:30:05 AM8/29/23
Sam Hartman <hart...@debian.org> writes:

>>>>>> "Jan" == Jan Mojzis <jan.m...@gmail.com> writes:
>
> * Package name : randombytes
> Version : 20230126
> Upstream Author : Daniel J. Bernstein
> * URL : https://randombytes.cr.yp.to/
> * License : Public domain
>
> Public domain is problematic as a license.
> At least under US copyright law, there are very few circumstances when
> something can actually be public domain.
> One example is software written by US government employees.
> But I don't think any of those circumstances apply to this library.
> So I'm not sure the license is okay.

We have plenty of code written under that same license from the same
group of authors, already in Debian. Look in OpenSSH and OpenSSL for
example. So I would disagree there is a license problem having this
package in Debian.

Jan, I'm happy to help review, sponsor and co-maintain randombytes if
you are interested. I rely on it as a dependency in some projects I'm
working on.

/Simon