Truecrypt licensing and codebase woes

Since the discontinuation of TrueCrypt (a platform-independent encryption utility that some Linux distributions have rejected because its licence is not fully compatible with open source licensing), several groups, companies and interested parties have started forking it, both from the community of open source experts and from the industry close to commercial or governmental interests. The latest to join is Sirrix.

Communication with the developers who abandoned the project has proven difficult, but Matthew Green, cryptographer and research professor at Johns Hopkins University, has been in contact with at least one of them during the audit of the first part of TrueCrypt.

On Pastebin, he published an email exchange that makes clear the developers prefer TrueCrypt not to be forked.


Original message:
I hope you’re well. I understand from seeing some previous emails that you were one of the Truecrypt developers, and that you’re no longer interested in continuing work on the project. I understand and can sympathize with that.
For the past several months we’ve been (very slowly) auditing the TC code. Now that you’re no longer maintaining it, there seems to be a great deal of interest in forking it. I think this interest has reached the point where a fork is virtually inevitable. This makes me somewhat worried.
We think Truecrypt is an important project — no proprietary disk encryption system offers cross-platform support and the same feature set. Moreover, Truecrypt is unlikely to ‘go away’ just because the developers have abandoned the project. In fact, it may become significantly less secure if it goes forward as samizdat or as part of some unauthorized fork. (…)


The unnamed developer answers back:

I am sorry, but I think what you’re asking for here is impossible. I don’t feel that forking truecrypt would be a good idea; a complete rewrite was something we wanted to do for a while. I believe that starting from scratch wouldn’t require much more work than actually learning and understanding all of truecrypt’s current codebase.
I have no problem with the source code being used as reference.


As the developers prefer to stay incognito, it will be hard for them to legally protect the source and their IP without coming out of the woodwork. This explains why so many forks exist and why some may be of dubious quality or legal clarity. After the latest Pastebin comments it is clear that Sirrix, like so many others, is unauthorized to do what they intend to do, unless they go ahead and rewrite from scratch using the codebase only as a reference.