[needs-packaging] TrueCrypt

Bug #109701 reported by David Futcher
This bug affects 40 people
Affects | Status | Importance | Assigned to | Milestone
Debian | Fix Released | Unknown | |
Ubuntu | Invalid | Wishlist | Unassigned |
Declined for Lucid by Felix Geyer
Declined for Maverick by Felix Geyer

Bug Description

TrueCrypt is an extremely useful tool for any security-conscious Ubuntu user. It allows you to create an extremely secure "virtual drive" where you can store important documents with a much lower risk of them being read by malicious attackers. It should be included in Ubuntu because it will greatly improve security, which means a higher reputation for the distribution.

URL: http://www.truecrypt.org/
Licensing: Program released under "Truecrypt License", non-OSI, and the different crypto-algorithm implementations are licensed differently. So far this is the biggest problem in packaging this.

Lukas Fittl (lfittl) wrote :

Problems with packaging truecrypt I encountered a few months ago:

- It has all sorts of licenses on it, and it seems like some of them are not compatible
- The kernel module is a mess, and not properly implemented

Pavan kumar (dotpavan) wrote :

Hi Lukas, I am new to the devel side of Ubuntu, but eager to make some contributions. Please let me know in what way I could help, say, by starting with checking licenses? How would I go about that?

Lukas Fittl (lfittl) wrote :

You might be interested in the following links:

http://lists.debian.org/debian-legal/2006/06/msg00294.html
http://lists.debian.org/debian-legal/2006/07/msg00008.html

I have not checked the copyright thing properly, I just took a quick look over the source, and especially for the different crypto algorithms there seem to be various licenses, so make sure to check that they are all free and compatible with each other.

Wally Valters (wvalters) wrote :

I can start looking through this stuff too. I have been wanting to get involved, and use Truecrypt so I have an interest.

Wally Valters (wvalters) wrote :

This looks a little nightmarish. There is a lot of discussion on the truecrypt license itself on the lists from Debian, and until that license itself is changed I think there is not much chance of this getting in.

llivne (jklasd7) wrote :

I read the license and as far as I can see (correct me if I'm wrong) what it says is that you can download and use it for free, that you can distribute it provided you give them credit (which is understandable), that you can modify it as long as you don't use their name or logo (still understandable), and that you state that it was based on truecrypt (still understood). So what is really the problem here?

David Futcher (bobbo) wrote :

llivne, I think the main problem is the different crypto-algorithms being used, though I may be mistaken. From that summary of the license it seems to agree with the 10 terms of the OSI Open-Source definition so that shouldn't be a problem. The problem will be the crypto-algorithms. I'm willing to bet some of them aren't properly open-source and some of their licenses are incompatible.

llivne (jklasd7) wrote :

Algorithms aren't software; there is no such thing as an open source algorithm.
An algorithm is a math formula (like a+b=c). You can't copyright it, so it's OK to use everywhere, so what's the problem?

Serra (jose-ramon-casal) wrote :

Algorithms aren't software, but their implementations are software.

Each crypto-algorithm implementation has its own license.

You can see the AES algorithm implementation, which states:

Copyright (c) 1998-2006, Brian Gladman, Worcester, UK. All rights reserved.

 LICENSE TERMS

 The free distribution and use of this software in both source and binary
 form is allowed (with or without changes) provided that:

   1. distributions of this source code include the above copyright
      notice, this list of conditions and the following disclaimer;

   2. distributions in binary form include the above copyright
      notice, this list of conditions and the following disclaimer
      in the documentation and/or other associated materials;

   3. the copyright holder's name is not used to endorse products
      built using this software without specific written permission.

 ALTERNATIVELY, provided that this notice is retained in full, this product
 may be distributed under the terms of the GNU General Public License (GPL),
 in which case the provisions of the GPL apply INSTEAD OF those given above.

Serra (jose-ramon-casal) wrote :

I've been refreshing what I read some months ago...

All the discussion about this package request is also taking place on Debian [1].
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=364034

In Jun 2006 there was a lot of discussion and finally Debian-Legal [2] thinks that the license isn't free at all, because there are a lot of unclear and imprecise paragraphs which make it impossible to distribute TrueCrypt within Debian.
[2] http://lists.debian.org/debian-legal/2006/06/msg00295.html

On Feb 7th 2007, the license of Truecrypt [3] was partially corrected [4].
[3] http://www.truecrypt.org/license.php
[4] http://lists.debian.org/debian-legal/2006/07/msg00009.html

llivne (jklasd7) wrote :

Serra, you make a good point that it is filled with lawyer-only language and that it is needlessly complicated, but that doesn't make it not free; it just makes it needlessly complicated (why can't lawyers speak English?).

But the new license seems to make it agreeable by open source standards (by what I can understand).

I also don't think that the information posted by you about the old license is relevant to this discussion (no offense, I just don't want people to get confused and read the old one thinking it's the current one).

Jordan Reese (jordanmreese) wrote :

Each portion of the license contains a release to redistribute either under the GPL or with the copyright notice included in the documentation, and each allows modification as desired, so we should be in the clear to package the software as long as each of the developers is mentioned in the docs.

Giles Weaver (gweaver) wrote :

Ok, so if you are going to package Truecrypt are you going to choose:

4.3a) no gui, but full cli support. (ext2/3 & gui support through easycrypt)

5) kernel abstraction and gui but only partial cli support, no ext2/3 support.

Hopefully by the time someone comes to package it there will be a Truecrypt 5.1 with all of the above features...

David Futcher (bobbo)
description: updated
llivne (jklasd7) wrote :

Giles, the way I see it, Linux is about choice, so why not give the end user the choice and package both of them?

Giles Weaver (gweaver) wrote :

You are right, giving the end user choice is always good.
However, Truecrypt 5.1a is now available and it has all of the knobs and whistles (and cli support) of previous versions. So as far as I am aware there is no need to package previous versions, 5.1a does the lot.

llivne (jklasd7) wrote :

So now all that is needed is someone to package it.

Ruben Romero (huayra) wrote :

Actually, just adding the deb package from their site would do:

http://www.truecrypt.org/downloads.php

It worked nicely under Hardy (requires dmsetup as the only dependency besides the package itself).

And it is version 6.0

Xavier Guillot (valeryan-24) wrote :

The new version with graphical front-end included and powerful encryption works very well on Ubuntu 8.04, and yes, I would also like to see TrueCrypt in the official packages.

Jose (josea.munoz) wrote :

Yesterday I installed the new Truecrypt release 6.0a and it works really well in Hardy.

James Westby (james-w) wrote :

Hi,

I am closing this bug, as all the evidence seems to point to there
being significant licensing concerns with Truecrypt, and until they
are resolved it should not be included in Ubuntu.

For instance there are the debian-legal discussions, along with
this:

  http://lists.freedesktop.org/archives/distributions/2008-October/000273.html

It seems at this point the only way that the package could enter
Ubuntu is if Truecrypt clarify their license and remove the points
of concern.

Thanks,

James

Aaron Whitehouse (aaron-whitehouse) wrote :

After spending quite a bit of time looking into this, the Fedora wiki is probably the best place to look for current information:
http://fedoraproject.org/wiki/ForbiddenItems#TrueCrypt
So much of the other information is quickly out of date as the licence changes.

Tony Yarusso (tonyyarusso) wrote :

I would like to re-open this for a fresh evaluation, as it appears the license has changed significantly since the last go-through. It appears likely that TrueCrypt would only be suitable for multiverse, not universe, and would require re-branding similar to what was done with IceWeasel in Debian, but I think it can be included now. Thus, please take a look at the new license at http://www.truecrypt.org/legal/license and see if it qualifies for inclusion yet. If not, please contact upstream at <email address hidden> about any remaining concerns.

Changed in ubuntu:
status: Invalid → Confirmed
A.Kromic (akromic) wrote :

I also use TrueCrypt and would really wish to see it included in the Ubuntu repositories.

Josh Brown (joshbrown) wrote :

If the licensing is causing so much trouble, couldn't we just make a compatible program by using their (uncopyrighted) algorithms?

Paillomams (aymeric-pallottini) wrote :

Josh, I think this program already exists. It's called Easy Crypt; you can find it in the repositories (Universe).

jhfhlkjlj (fdsuufijjejejejej-deactivatedaccount) wrote :

I may be wrong, but I think easycrypt is just a frontend of Truecrypt; it still needs truecrypt to function correctly (at least it asks if it wants to install truecrypt if you haven't already).

Josh Brown (joshbrown) wrote :

Easy Crypt is a GUI for True Crypt; it is not an encryption program in itself.

Atis (ubuntu-atis) wrote :

Why not just add it to "restricted" and let the lawyers handle licensing later? Or at least some PPA? It could be very useful to have a repository and automatic updates.

John Dong (jdong) wrote :

Neither the restricted archive nor PPAs are allowed to host packages that Ubuntu or Launchpad are not allowed to legally redistribute. Furthermore, putting things in the archive exposes all of our mirror partners to legal risks as well.

description: updated
summary: - [needs-packaging] Truecrypt
+ [needs-packaging] TrueCrypt
David (lofidevops) wrote :

The TrueCrypt license is now at v3.0 - afaik an update since the last evaluation - http://www.truecrypt.org/legal/license - is this now acceptable?

martinr (martinr1111) wrote :

Please review the new license version, because manually updating is becoming a hassle.

Tony Yarusso (tonyyarusso) wrote :

Bump?

David (lofidevops) wrote :

I have reopened the upstream (Debian) issue at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=364034 and summarized relevant input from this issue over there.

Changed in debian:
status: Fix Released → New
A.Kromic (akromic) wrote :

Any progress? It's still not there in Oneiric...

David Futcher (bobbo) wrote :

A possible solution to this is packaging Realcrypt, which is Truecrypt modified to be more free. It seems to be a Mandriva project, no idea if it's DFSG free but might be worth looking into: http://wiki.mandriva.com/en/RealCrypt

jhfhlkjlj (fdsuufijjejejejej-deactivatedaccount) wrote :

@David, if this is the case, please notify Debian's mailing list as this may be something of interest.

David (lofidevops) wrote :

For anyone not following the related Debian bug, see http://threatpost.com/audit-aims-to-put-concerns-over-dubious-truecrypt-license-to-rest and (more specifically) http://istruecryptauditedyet.com for license and security auditing progress.

David (lofidevops) wrote :

See also:

tcplay, "Free and simple TrueCrypt Implementation based on dm-crypt" - seems to lack GUI. Development at https://github.com/bwalex/tc-play and packages at https://launchpad.net/ubuntu/+source/tcplay

TrueCrypt PPA, "TrueCrypt package with the tray icon replaced by a application indicator" https://launchpad.net/~stefansundin/+archive/truecrypt (with normal caveats for PPAs)

Bob Bib (bobbib) wrote :

TrueCrypt was discontinued in May 2014:
http://truecrypt.sourceforge.net/
at version 7.2:
http://sourceforge.net/projects/truecrypt/files/TrueCrypt/Other/

So now there're no good reasons left to package it.

David Futcher (bobbo)
Changed in ubuntu:
status: Confirmed → Invalid
Changed in debian:
status: New → Fix Released