Why you should release your Crypto under GPL

Posted on: Feb 8, 2016

Notice: This post is 8 years old, so it may contain outdated or incorrect information.

I’m not a lawyer; the views expressed below are my own.

We see new Crypto software every day, from IM applications to secure storage programs and many more. Crypto is nowadays a vital part of the time we spend in front of a PC monitor.

Almost every site you visit in your browser and every app you use on your smartphone uses (or should use) strong cryptography, because Crypto is not a crime.

But with Crypto also comes Trust. It’s easier to trust open-source, audited software than a proprietary product. (Stay away from self-proclaimed “Military-Grade Cryptography” and other snake oil.)

So I will explain why, in my opinion, it is better to license Crypto software under the GPL.

Note that I love Public Domain (PD for short).
Public domain software allows anyone to do whatever they want with it; in short, the software is not subject to copyright.

Other people can read your source code and use it whenever they want. And that’s good!

But like I said before, Crypto needs Trust.

Under PD, the cryptography software you write can be used by everybody (and that’s still good), but it can also be relicensed or incorporated into proprietary software.

When doing this, the proprietary vendor can insert a backdoor or alter the software’s behaviour and is not required to release the source code! That new software may never see a security audit, yet it can still carry the “based on X” label, where X is the public domain software.

Instead, under copyleft licenses (like the GNU GPL), anyone who distributes a fork (i.e. software based on your source code) MUST make the corresponding source available to the recipients and MUST mark the modified files with prominent notices stating that they were changed, and when. (The obligation is triggered by distribution: purely private or internal modifications do not have to be published.)

This way, users can do an independent code review of the changes made in the new source (when the fork is not too large) and keep the trust earned by the original software (e.g. from a security audit).

Some examples can be:

So do your users a favor: use the GPL license for your Crypto.


Contacts

Signal: thezero.20
Github: @TheZ3ro
Mastodon: @thezero@infosec.exchange
Bluesky: @Th3Zer0