Debian Bug report logs - #814352
ITP: veracrypt -- Cross-platform on-the-fly encryption

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: ITP: veracrypt -- Cross-platform on-the-fly encryption

Date: Wed, 10 Feb 2016 18:07:48 +0100

[Message part 1 (text/plain, inline)]

Package: wnpp
Severity: wishlist
Owner: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

* Package name    : veracrypt
  Version         : 1.16
  Upstream Author : Mounir IDRASSI
* URL             : https://launchpad.net/veracrypt
* License         : TC-3.0 or Ms-PL, E4M, BSD-3-clause, zlib
  Programming Lang: C++
  Description     : Cross-platform on-the-fly encryption

 VeraCrypt provides cross-platform on-the-fly encryption for Linux, MacOS X and
 Windows. It can encrypt filesystems stored either within a file or on disk
 partitions. Supported encryption algorithms include AES, Serpent and Twofish.
 The current version uses the XTS mode of disk encryption. In addition,
 VeraCrypt supports "hidden volumes" - unidentifiable volumes present in the
 free-space of a VeraCrypt volume.
 .
 Veracrypt has been forked from Truecrypt 7.1a and I am aware of previous discussion
 about the non-free character of the license. [1]
 .
 With this ITP, I have also CC:ed the debian-legal mailing list. Question
 at experts from the debian-legal mailing list:
 .
 TL;DR; I would like to bring VeraCrypt into the non-free part of the Debian repo to offer
 VeraCrypt to people in need of easy and GUI based encryption, suitable for cross-platform
 usage. Does the current license situation allow that?
 .
 Details / Questions:
 .
 1.
 Is VeraCrypt suitable for the non-free section of Debian?
 .
 2.
 I suppose VeraCrypt is not suitable for the main section of Debian
 as the TC-3.0 license is not DFSG-compliant. I suppose
 this has not changed for VeraCrypt, compared to TrueCrypt, right?
 .
 3.
 The new upstream maintainer also states that all novelties of the code
 are licensed under the Apache-2.0 license, but as long as any line from
 the original code sticks out, the licensing of the code is governed by
 the original Truecrypt 3.0 license, right?

 [1] https://bugs.debian.org/364034

Example of the new license headers in VeraCrypt:

"""
/*
 Derived from source code of TrueCrypt 7.1a, which is
 Copyright (c) 2008-2012 TrueCrypt Developers Association and which is governed
 by the TrueCrypt License 3.0.

 Modifications and additions to the original source code (contained in this file) 
 and all other portions of this file are Copyright (c) 2013-2015 IDRIX
 and are governed by the Apache License 2.0 the full text of which is
 contained in the file License.txt included in VeraCrypt binary and source
 code distribution packages.
*/
"""

If acceptable, the veracrypt package will be maintained under the umbrella of the
Debian Edu Packaging Team.

[copyright (text/plain, attachment)]

Message #10 received at 814352-submitter@bugs.debian.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

To: 814352-submitter@bugs.debian.org

Subject: Bug#814352 marked as pending

Date: Mon, 15 Feb 2016 12:08:20 +0000

tag 814352 pending
thanks

Hello,

Bug #814352 reported by you has been fixed in the Git repository. You can
see the changelog below, and you can check the diff of the fix at:

    http://git.debian.org/?p=debian-edu/pkg-team/veracrypt.git;a=commitdiff;h=d661606

---
commit d6616064243497d158e5c249d935a9b727484715
Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Date:   Mon Feb 15 12:38:00 2016 +0100

    debian/changelog: Start with a fresh changelog. Honour previous (and excellent) packaging efforts by keeping a changelog.before-Debian file in the debian/ folder.

diff --git a/debian/changelog b/debian/changelog
index 08a4e81..8e18bdb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,89 +1,5 @@
 veracrypt (1.16-1) UNRELEASED; urgency=medium
 
-  * New upstream release.
-  * debian/README.Debian:
-    + Drop statement of personal taste from file.
-  * debian/control:
-    + Make myself maintainer, move former maintainer into Uploaders: field.
-  * debian/control:
-    + Add Vcs-*: fields.
-  * debian/rules:
-    + Add get-orig-source rule.
-  * debian/veracrypt.desktop:
-    + Add Keywords= field to .desktop file.
-  * debian/veracrypt.menu:
-    + Drop in favour of veracrypt.desktop. For details see tech-ctte decision
-      #741573.
+  * Initial release to Debian's non-free section. (Closes: #814352).
 
- -- Mike Gabriel <sunweaver@debian.org>  Wed, 10 Feb 2016 17:52:51 +0100
-
-veracrypt (1.14-0vanir1~15.10) UNRELEASED; urgency=medium
-
-  * No-change backport to wily
-
- -- Unit 193 <unit193@ubuntu.com>  Sat, 19 Sep 2015 17:35:40 -0400
-
-veracrypt (1.14-0vanir1) UNRELEASED; urgency=medium
-
-  * Imported Upstream version 1.14.
-
- -- Unit 193 <unit193@ubuntu.com>  Sat, 19 Sep 2015 16:53:59 -0400
-
-veracrypt (1.12-0vanir1) UNRELEASED; urgency=medium
-
-  * Imported Upstream version 1.12.
-    - Remove upstream commits.
-      + d/p/004-Correct-wxWidgets-assert-warnings-when-displaying-about.diff
-    - Refresh remaining patches.
-
- -- Unit 193 <unit193@ubuntu.com>  Thu, 06 Aug 2015 20:52:40 -0400
-
-veracrypt (1.0f-2-0vanir3) UNRELEASED; urgency=medium
-
-  * d/p/004-Correct-wxWidgets-assert-warnings-when-displaying-about.diff:
-    - Add patch from upstream to fix assert when opening about dialog.
-
- -- Unit 193 <unit193@ubuntu.com>  Mon, 20 Apr 2015 18:20:18 -0400
-
-veracrypt (1.0f-2-0vanir2) UNRELEASED; urgency=medium
-
-  * d/control:
-    - Drop version deps on e2fsprogs and mount.
-    - Replace module-init-tools with kmod.
-    - Drop dep on xterm.
-    - Bump xdg-utils down to recommends.
-
- -- Unit 193 <unit193@ubuntu.com>  Mon, 13 Apr 2015 17:44:29 -0400
-
-veracrypt (1.0f-2-0vanir1) UNRELEASED; urgency=medium
-
-  * Imported Upstream version 1.0f-2
-    - Drop 003-file-manager.diff and 004-no-preference-x.diff, fixed upstream.
-    - Refresh remaining patches.
-  * Remove all references to opencryptoki.
-  * d/rules: Enable verbose build.
-
- -- Unit 193 <unit193@ubuntu.com>  Mon, 06 Apr 2015 16:58:55 -0400
-
-veracrypt (1.0f-1-0vanir1) UNRELEASED; urgency=medium
-
-  * New upstream release.
-    - Refresh patches.
-  * d/watch: Pick up releases with underscores and dashes too.
-
- -- Unit 193 <unit193@ubuntu.com>  Thu, 08 Jan 2015 04:45:50 -0500
-
-veracrypt (1.0f-0vanir1) UNRELEASED; urgency=medium
-
-  * New upstream release.
-    - Refreshed patches.
-  * d/watch: Update for tar.gz, bz2 and xz.
-  * d/copyright: Update years.
-
- -- Unit 193 <unit193@ninthfloor.org>  Sat, 03 Jan 2015 04:11:10 -0500
-
-veracrypt (1.0e-0vanir1) UNRELEASED; urgency=medium
-
-  * Initial release.
-
- -- Unit 193 <unit193@ninthfloor.org>  Sun, 09 Nov 2014 15:36:54 -0500
+ -- Mike Gabriel <sunweaver@debian.org>  Mon, 15 Feb 2016 12:36:56 +0100

Message #15 received at 814352@bugs.debian.org (full text, mbox, reply):

From: Francesco Poli <invernomuto@paranoici.org>

To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 814352@bugs.debian.org

Cc: Debian-legal <debian-legal@lists.debian.org>

Subject: Re: Bug#814352: ITP: veracrypt -- Cross-platform on-the-fly encryption

Date: Wed, 17 Feb 2016 00:17:28 +0100

[Message part 1 (text/plain, inline)]

On Wed, 10 Feb 2016 18:07:48 +0100 Mike Gabriel wrote:

[...]
>  1.
>  Is VeraCrypt suitable for the non-free section of Debian?

I am not sure: the TC-3.0 license is still fairly unclear (at least
to my eyes), so I cannot really speculate on its possible
implications...

>  .
>  2.
>  I suppose VeraCrypt is not suitable for the main section of Debian
>  as the TC-3.0 license is not DFSG-compliant. I suppose
>  this has not changed for VeraCrypt, compared to TrueCrypt, right?

Personally, I think this package should stay away from Debian main.
As I said, I am not even sure it is safe to be distributed in the
non-free archive.

>  .
>  3.
>  The new upstream maintainer also states that all novelties of the code
>  are licensed under the Apache-2.0 license, but as long as any line from
>  the original code sticks out, the licensing of the code is governed by
>  the original Truecrypt 3.0 license, right?
[...]

Then I am not sure I understand why the debian/copyright file draft
you sent states

  Files: *
  Copyright: 2003-2011, TrueCrypt Developers Association
             2013-2014, IDRIX
  License: TC-3.0 or Ms-PL

What's Ms-PL ? Shouldn't it be Apache-2.0 ?
Moreover, "or" means dual-licensing, but I understand this to be a
code-mixing case: I think "and" should be used instead.

See
https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
for more details.


Anyway, without looking at any further details, a question arises:
why are you packaging veracrypt for the non-free archive? what does
it offer that tcplay doesn't?

See
https://packages.debian.org/sid/tcplay
https://tracker.debian.org/pkg/tcplay

I hope this helps a little.
Bye.


-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
..................................................... Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE

[Message part 2 (application/pgp-signature, inline)]

Message #20 received at 814352@bugs.debian.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

To: Francesco Poli <invernomuto@paranoici.org>

Cc: 814352@bugs.debian.org, Debian-legal <debian-legal@lists.debian.org>, debian-edu-pkg-team@lists.alioth.debian.org

Subject: Re: Bug#814352: ITP: veracrypt -- Cross-platform on-the-fly encryption

Date: Wed, 17 Feb 2016 11:39:00 +0000

[Message part 1 (text/plain, inline)]

Hi Francesco,
(taking debian-edu-pkg-team @ Alioth into the discussion loop, as that  
would be the maintainer team for VeraCrypt in Debian)

On  Mi 17 Feb 2016 00:17:28 CET, Francesco Poli wrote:

> On Wed, 10 Feb 2016 18:07:48 +0100 Mike Gabriel wrote:
>
> [...]
>>  1.
>>  Is VeraCrypt suitable for the non-free section of Debian?
>
> I am not sure: the TC-3.0 license is still fairly unclear (at least
> to my eyes), so I cannot really speculate on its possible
> implications...

Hmmm... ok. I think the ftpmasters would be glad about some guidance  
on why you see veracrypt (not the TC 3.0 license, see below) unfit for  
Debian non-free. I have already uploaded VeraCrypt to Debian  
NEW/non-free and it is waiting approval/rejection from an ftpmaster.

Also, it'd be interesting if the upstream people of VeraCrypt can  
apply any change(s) to the upstream sources, their VeraCrypt license  
or whatever, to make the software fit at least for Debian non-free.

>>  .
>>  2.
>>  I suppose VeraCrypt is not suitable for the main section of Debian
>>  as the TC-3.0 license is not DFSG-compliant. I suppose
>>  this has not changed for VeraCrypt, compared to TrueCrypt, right?
>
> Personally, I think this package should stay away from Debian main.
> As I said, I am not even sure it is safe to be distributed in the
> non-free archive.

Ok, I fully agree for the veracrypt license construct not being  
suitable for Debian main.
  .
>>  3.
>>  The new upstream maintainer also states that all novelties of the code
>>  are licensed under the Apache-2.0 license, but as long as any line from
>>  the original code sticks out, the licensing of the code is governed by
>>  the original Truecrypt 3.0 license, right?
> [...]
>
> Then I am not sure I understand why the debian/copyright file draft
> you sent states
>   Files: *
>   Copyright: 2003-2011, TrueCrypt Developers Association
>              2013-2014, IDRIX
>   License: TC-3.0 or Ms-PL
>
> What's Ms-PL ? Shouldn't it be Apache-2.0 ?
> Moreover, "or" means dual-licensing, but I understand this to be a
> code-mixing case: I think "and" should be used instead.
>
> See
> https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
> for more details.

Oh, I am sorry. With this mail, I have attached the latest  
debian/copyright file as I have it now after having it reworked two  
days ago. I should have sent an updated copy to debian-legal  
immediately. Sorry for that.

As it seems, the VeraCrypt upstream people have come up with a new  
license, the VeraCrypt license. See attached copyright file for details.

My proposed Debian package is also available online [1], you may want  
to grab the .dsc file and check the upstream files, as well.

[1] http://packages.sunweavers.net/debian/pool/non-free/v/veracrypt/

> Anyway, without looking at any further details, a question arises:
> why are you packaging veracrypt for the non-free archive? what does
> it offer that tcplay doesn't?
>
> See
> https://packages.debian.org/sid/tcplay
> https://tracker.debian.org/pkg/tcplay

I have checked tcplay and also zulucrypt-gui again. We provide  
veracrypt to teachers / students at school that come from the Windows  
realm mainly. For them, it is essential to recognize some pieces of  
software on our Linux environment that they have become so used to on  
their Windows machines. VeraCrypt (for formerly TrueCrypt) is such an  
application. Teachers here in Germany have to encrypt all personal  
data that they carry around, so they need _one_ cross platform tool  
for that. I'd be happy to provide that piece of software to other  
people in Debian (Edu).

Working on the command line (tcplay) is not an option for the  
teachers, we support here. And personally, I just tried out  
zulucrypt-gui the second time and I could not get it running as  
non-root. This is probably possible, I did not spend much time on  
this, but honestly, I prefer a solution that works right away. Also  
ZuluCrypt feels a little nerdy, not so user friendly as VeraCrypt  
currently is.

Greets,
Mike




-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de

[Message part 2 (application/pgp-signature, inline)]

Message #25 received at 814352@bugs.debian.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

To: Francesco Poli <invernomuto@paranoici.org>

Cc: 814352@bugs.debian.org, Debian-legal <debian-legal@lists.debian.org>, debian-edu-pkg-team@lists.alioth.debian.org

Subject: Re: Bug#814352: ITP: veracrypt -- Cross-platform on-the-fly encryption

Date: Wed, 17 Feb 2016 12:22:23 +0000

[Message part 1 (text/plain, inline)]

Hi again,

On  Mi 17 Feb 2016 12:39:00 CET, Mike Gabriel wrote:

> I have checked tcplay and also zulucrypt-gui again. We provide  
> veracrypt to teachers / students at school that come from the  
> Windows realm mainly. For them, it is essential to recognize some  
> pieces of software on our Linux environment that they have become so  
> used to on their Windows machines. VeraCrypt (for formerly  
> TrueCrypt) is such an application. Teachers here in Germany have to  
> encrypt all personal data that they carry around, so they need _one_  
> cross platform tool for that. I'd be happy to provide that piece of  
> software to other people in Debian (Edu).
>
> Working on the command line (tcplay) is not an option for the  
> teachers, we support here. And personally, I just tried out  
> zulucrypt-gui the second time and I could not get it running as  
> non-root. This is probably possible, I did not spend much time on  
> this, but honestly, I prefer a solution that works right away. Also  
> ZuluCrypt feels a little nerdy, not so user friendly as VeraCrypt  
> currently is.

just a short follow up, why I want to see VeraCrypt installable from Debian:

The current upstream maintainers offer binary blobs of VeraCrypt for  
installation on Linux, also Debian.

With the binary builds, I see the issue that no exact sources of the  
builds are available. The builds probably have been derived from the  
upstream Git or source release tarballs, but who knows.

Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de

[Message part 2 (application/pgp-signature, inline)]

Message #30 received at 814352@bugs.debian.org (full text, mbox, reply):

From: Francesco Poli <invernomuto@paranoici.org>

To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Cc: 814352@bugs.debian.org, Debian-legal <debian-legal@lists.debian.org>, debian-edu-pkg-team@lists.alioth.debian.org

Subject: Re: Bug#814352: ITP: veracrypt -- Cross-platform on-the-fly encryption

Date: Wed, 17 Feb 2016 21:49:54 +0100

[Message part 1 (text/plain, inline)]

On Wed, 17 Feb 2016 11:39:00 +0000 Mike Gabriel wrote:

[...]
> (taking debian-edu-pkg-team @ Alioth into the discussion loop, as that  
> would be the maintainer team for VeraCrypt in Debian)

OK, fine.

> 
> On  Mi 17 Feb 2016 00:17:28 CET, Francesco Poli wrote:
> 
> > On Wed, 10 Feb 2016 18:07:48 +0100 Mike Gabriel wrote:
> >
> > [...]
> >>  1.
> >>  Is VeraCrypt suitable for the non-free section of Debian?
> >
> > I am not sure: the TC-3.0 license is still fairly unclear (at least
> > to my eyes), so I cannot really speculate on its possible
> > implications...
> 
> Hmmm... ok. I think the ftpmasters would be glad about some guidance  
> on why you see veracrypt (not the TC 3.0 license, see below) unfit for  
> Debian non-free. I have already uploaded VeraCrypt to Debian  
> NEW/non-free and it is waiting approval/rejection from an ftpmaster.

I didn't say that veracrypt is clearly unfit for the non-free archive.

I said that the TC-3.0 license is unclear, and that I am consequently
not sure about the possibility to distribute a package including code
under such a license (even in the non-free archive).

I hope I clarified what I meant.

> 
> Also, it'd be interesting if the upstream people of VeraCrypt can  
> apply any change(s) to the upstream sources, their VeraCrypt license  
> or whatever, to make the software fit at least for Debian non-free.

If VeraCrypt upstream developers (IDRIX, I suppose) are in good terms
with the copyright holders for the Truecrypt version they forked from
(TrueCrypt Developers Association, I suppose) and can persuade them to
agree to a re-licensing of the code-base, the outcome could be
definitely interesting.
Everything re-licensed under the terms of the 3-clause-BSD license
would be a huge win for everyone, since it would mean the possibility
to upload veracrypt to Debian main (assuming no other showstopper comes
up).

[...]
> >>  3.
> >>  The new upstream maintainer also states that all novelties of the code
> >>  are licensed under the Apache-2.0 license, but as long as any line from
> >>  the original code sticks out, the licensing of the code is governed by
> >>  the original Truecrypt 3.0 license, right?
> > [...]
> >
> > Then I am not sure I understand why the debian/copyright file draft
> > you sent states
> >   Files: *
> >   Copyright: 2003-2011, TrueCrypt Developers Association
> >              2013-2014, IDRIX
> >   License: TC-3.0 or Ms-PL
> >
> > What's Ms-PL ? Shouldn't it be Apache-2.0 ?
> > Moreover, "or" means dual-licensing, but I understand this to be a
> > code-mixing case: I think "and" should be used instead.
> >
> > See
> > https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
> > for more details.
> 
> Oh, I am sorry. With this mail, I have attached the latest  
> debian/copyright file as I have it now after having it reworked two  
> days ago. I should have sent an updated copy to debian-legal  
> immediately. Sorry for that.

Mmmmh, I cannot see any attachment. Was it forgotten or lost somehow?

> 
> As it seems, the VeraCrypt upstream people have come up with a new  
> license, the VeraCrypt license. See attached copyright file for details.

Please send the updated debian/copyright file...

[...]
> > Anyway, without looking at any further details, a question arises:
> > why are you packaging veracrypt for the non-free archive? what does
> > it offer that tcplay doesn't?
> >
> > See
> > https://packages.debian.org/sid/tcplay
> > https://tracker.debian.org/pkg/tcplay
> 
> I have checked tcplay and also zulucrypt-gui again. We provide  
> veracrypt to teachers / students at school that come from the Windows  
> realm mainly. For them, it is essential to recognize some pieces of  
> software on our Linux environment that they have become so used to on  
> their Windows machines. VeraCrypt (for formerly TrueCrypt) is such an  
> application. Teachers here in Germany have to encrypt all personal  
> data that they carry around, so they need _one_ cross platform tool  
> for that. I'd be happy to provide that piece of software to other  
> people in Debian (Edu).
> 
> Working on the command line (tcplay) is not an option for the  
> teachers, we support here.

Then I hope someone will develop a GUI front-end for tcplay, if it is so
important for at least one category of users...

> And personally, I just tried out  
> zulucrypt-gui the second time and I could not get it running as  
> non-root. This is probably possible, I did not spend much time on  
> this, but honestly, I prefer a solution that works right away. Also  
> ZuluCrypt feels a little nerdy, not so user friendly as VeraCrypt  
> currently is.

Mmmmh, I see.


-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
..................................................... Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE

[Message part 2 (application/pgp-signature, inline)]

Message #35 received at 814352@bugs.debian.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

To: Francesco Poli <invernomuto@paranoici.org>

Cc: 814352@bugs.debian.org, Debian-legal <debian-legal@lists.debian.org>, debian-edu-pkg-team@lists.alioth.debian.org

Subject: Re: Bug#814352: ITP: veracrypt -- Cross-platform on-the-fly encryption

Date: Thu, 18 Feb 2016 05:02:37 +0000

[Message part 1 (text/plain, inline)]

Hi Francesco,

On  Mi 17 Feb 2016 21:49:54 CET, Francesco Poli wrote:

> On Wed, 17 Feb  
> 2016https://github.com/mhogomchungu/zuluCrypt/releases/download/4.8.0/zuluCrypt-4.8.0-debian-8-Jessie.tar.xz 11:39:00 +0000 Mike Gabriel  
> wrote:

>> On  Mi 17 Feb 2016 00:17:28 CET, Francesco Poli wrote:

>> Oh, I am sorry. With this mail, I have attached the latest
>> debian/copyright file as I have it now after having it reworked two
>> days ago. I should have sent an updated copy to debian-legal
>> immediately. Sorry for that.
>
> Mmmmh, I cannot see any attachment. Was it forgotten or lost somehow?
>
>>
>> As it seems, the VeraCrypt upstream people have come up with a new
>> license, the VeraCrypt license. See attached copyright file for details.
>
> Please send the updated debian/copyright file...
>

Oh, I must have forgotten to attach that file. Here it comes.

>> And personally, I just tried out
>> zulucrypt-gui the second time and I could not get it running as
>> non-root. This is probably possible, I did not spend much time on
>> this, but honestly, I prefer a solution that works right away. Also
>> ZuluCrypt feels a little nerdy, not so user friendly as VeraCrypt
>> currently is.
>
> Mmmmh, I see.

OT here, but for completing info on zuluCrypt:

I just learned from the zuluCrypt upstream maintainer, that  
zuluCrypt-gui will work as non-root user if zuluCrypt-cli and  
zuluMount-cli are installed setuid root, it is just that the Debian  
maintainers of zulucrypt-gui do not set those permissions in their  
packaging. (Though, personally, I agree on not having more setuid root  
executables on a Debian system than absolutely necessary).

Also zuluCrypt offers binary built .deb packages of their code on  
their homepage [1] without shipping a source package alongside. They  
install those mentioned executables as setuid root. So here we have a  
binary blob with no directly referenced source, doing filesystem  
crypto _and_ obtaining root privileges. Sigh...

[1] http://mhogomchungu.github.io/zuluCrypt/

Greets,
Mike


-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de

[copyright (text/plain, attachment)]

[Message part 3 (application/pgp-signature, inline)]

Message #40 received at 814352@bugs.debian.org (full text, mbox, reply):

From: Francesco Poli <invernomuto@paranoici.org>

To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Cc: 814352@bugs.debian.org, Debian-legal <debian-legal@lists.debian.org>, debian-edu-pkg-team@lists.alioth.debian.org

Subject: Re: Bug#814352: ITP: veracrypt -- Cross-platform on-the-fly encryption

Date: Thu, 18 Feb 2016 23:36:48 +0100

[Message part 1 (text/plain, inline)]

On Thu, 18 Feb 2016 05:02:37 +0000 Mike Gabriel wrote:

> On  Mi 17 Feb 2016 21:49:54 CET, Francesco Poli wrote:
[...]
> > Please send the updated debian/copyright file...
> >
> 
> Oh, I must have forgotten to attach that file. Here it comes.

Well, the so-called VeraCrypt License is just the TrueCrypt License
version 3.0 + the Apache License version 2.0.
Since both licenses apply, the situation is not really different from
the one we have discussed in the previous messages of this thread...

Bye.

-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
..................................................... Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE

[Message part 2 (application/pgp-signature, inline)]

Message #45 received at 814352@bugs.debian.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

To: Francesco Poli <invernomuto@paranoici.org>

Cc: 814352@bugs.debian.org, Debian-legal <debian-legal@lists.debian.org>, debian-edu-pkg-team@lists.alioth.debian.org

Subject: Re: Bug#814352: ITP: veracrypt -- Cross-platform on-the-fly encryption

Date: Fri, 19 Feb 2016 08:19:10 +0000

[Message part 1 (text/plain, inline)]

Hi Francesco,

On  Do 18 Feb 2016 23:36:48 CET, Francesco Poli wrote:

> On Thu, 18 Feb 2016 05:02:37 +0000 Mike Gabriel wrote:
>
>> On  Mi 17 Feb 2016 21:49:54 CET, Francesco Poli wrote:
> [...]
>> > Please send the updated debian/copyright file...
>> >
>>
>> Oh, I must have forgotten to attach that file. Here it comes.
>
> Well, the so-called VeraCrypt License is just the TrueCrypt License
> version 3.0 + the Apache License version 2.0.
> Since both licenses apply, the situation is not really different from
> the one we have discussed in the previous messages of this thread...
>
> Bye.

Thanks for your time and expertise on this again. I really appreciate  
having such a skilled licensing export on the Debian project.

Let's see how the ftpmasters decide on my veracrypt upload, then.

Greets,
Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de

[Message part 2 (application/pgp-signature, inline)]

Message #50 received at 814352@bugs.debian.org (full text, mbox, reply):

From: Eriberto Mota <eriberto@debian.org>

To: 814352@bugs.debian.org

Subject: Re: ITP: veracrypt -- Cross-platform on-the-fly encryption

Date: Sat, 9 Jul 2016 19:05:12 -0300

Hi,

What is the current status of this package?

Regards,

Eriberto

Message #55 received at 814352@bugs.debian.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

To: Eriberto Mota <eriberto@debian.org>, 814352@bugs.debian.org

Subject: Re: Bug#814352: ITP: veracrypt -- Cross-platform on-the-fly encryption

Date: Sun, 10 Jul 2016 18:15:02 +0000

[Message part 1 (text/plain, inline)]

Control: close -1
Control: tags -1 wontfix

Hi Eriberto,

On  So 10 Jul 2016 00:05:12 CEST, Eriberto Mota wrote:

> Hi,
>
> What is the current status of this package?
>
> Regards,
>
> Eriberto

Unfortunately, the ftp master team rejected the upload due to the  
dodgy license history of Veracrypt / Truecrypt:

On  Fr 08 Jul 2016 02:00:09 CEST, Thorsten Alteholz wrote:

> Hi Mike,
>
> unfortunately I have to reject your package.
> According to [1] "(...)TrueCrypt seems to be reserving the right to sue
> any licensee for copyright infringement, no matter whether they comply
> with the conditions of the license or not. Based on this, our counsel
> advised that above and beyond being non-free, software under this
> license is not safe to use. (...)"
>
> So as Veracrypt is basically licensed with the TrueCrypt license, I think
> it is better for Debian to not distribute such software, even in non-free.
>
>  Thorsten

Thus closing this ITP and tagging as "won't fix". Unfortunately...

Mike


[1]  
https://lists.freedesktop.org/archives/distributions/2008-October/000276.html

-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

[Message part 2 (application/pgp-signature, inline)]

Message #66 received at 814352@bugs.debian.org (full text, mbox, reply):

From: Eriberto <eriberto@eriberto.pro.br>

To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Cc: 814352@bugs.debian.org

Subject: Re: Bug#814352: ITP: veracrypt -- Cross-platform on-the-fly encryption

Date: Mon, 11 Jul 2016 15:49:16 -0300

Thanks Mike. I will add a notice here[1].

[1] https://wiki.debian.org/Software%20that%20can't%20be%20packaged

Regards,

Eriberto

2016-07-10 15:15 GMT-03:00 Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
> Control: close -1
> Control: tags -1 wontfix
>
> Hi Eriberto,
>
> On  So 10 Jul 2016 00:05:12 CEST, Eriberto Mota wrote:
>
>> Hi,
>>
>> What is the current status of this package?
>>
>> Regards,
>>
>> Eriberto
>
>
> Unfortunately, the ftp master team rejected the upload due to the dodgy
> license history of Veracrypt / Truecrypt:
>
> On  Fr 08 Jul 2016 02:00:09 CEST, Thorsten Alteholz wrote:
>
>> Hi Mike,
>>
>> unfortunately I have to reject your package.
>> According to [1] "(...)TrueCrypt seems to be reserving the right to sue
>> any licensee for copyright infringement, no matter whether they comply
>> with the conditions of the license or not. Based on this, our counsel
>> advised that above and beyond being non-free, software under this
>> license is not safe to use. (...)"
>>
>> So as Veracrypt is basically licensed with the TrueCrypt license, I think
>> it is better for Debian to not distribute such software, even in non-free.
>>
>>  Thorsten
>
>
> Thus closing this ITP and tagging as "won't fix". Unfortunately...
>
> Mike
>
>
> [1]
> https://lists.freedesktop.org/archives/distributions/2008-October/000276.html
>
> --
>
> DAS-NETZWERKTEAM
> mike gabriel, herweg 7, 24357 fleckeby
> mobile: +49 (1520) 1976 148
> landline: +49 (4354) 8390 139
>
> GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
> mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
>

Send a report that this bug log contains spam.