Re: twitter.el, anyone?

[Bastien <bzg@gnu.org>]

Richard Stallman <rms@gnu.org> writes:

> [[[ To any NSA and FBI agents reading my email: please consider    ]]]
> [[[ whether defending the US Constitution against all enemies,     ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
>
>     - twittering-mode uses CA certificates provided by Symantec here
>       https://www.symantec.com/page.jsp?id=roots
>
> Could you explain how twittering-mode relates to those certificates?

I'm quoting Tadashi:

  According to https://dev.twitter.com/discussions/24239 , connections
  to api.twitter.com are now restricted to TLS/SSL connections only.
  
  CA certificates are required for verifying the server certificates
  and establishing SSL connection. Since SSL connection is established
  by an external program such as curl, wget, gnutls-cli or openssl,
  such a program refers to certificates.
  
  Therefore, an external program must be able to refer to valid
  certificates that can verify the Twitter server certificates.  Of
  course, if a system has such certificates and an external program
  can refer to it, twittering-mode do not have to include
  certificates.
  
  I have embedded them for convenience of various platforms.

>     The first blocker is strong: using these certificates requires
>     the authors to sign Symantec Root Certificate license agreement,
>     which is not compatible with GPL:
>
> I don't follow this statement.  Who exactly has to agree to that license?

The developer who uses the certificates and redistribute them.

> What effect does this have on users of twittering mode?

None.

> What effect does this have on redistributors of twittering mode?

Developers have to agree with these restrictions:

  3. RESTRICTIONS.
  
  You may not: (a) modify or create any derivative works of Root
  Certificates; (b) assign, sublicense, sell, rent, or lease
  Symantec's root keys or Root Certificates; (c) use such Root
  Certificates except as expressly permitted under this Agreement; (d)
  remove or alter any trademark, logo, copyright, or other proprietary
  notices, legends, symbols, or labels provided in the Root
  Certificates; or (e) certify, or cause a third party to certify, the
  public key contained in the Root Certificates by issuing or creating
  a Certificate containing such public key.

The full license is here:
https://www.symantec.com/content/en/us/about/media/repository/root-certificate-license-agreement.pdf

> As for incompatibility with the GPL, is that issue relevant?  The
> certificate need not be covered by the GPL, and it is not software,
> is it?  Isn't it data?

Yes, certificates are data.

I've not read the Symantec license in its entirety, I just focused
on some part and they read as not being free software friendly in
general.  I cannot judge in details.

There is the possibility to use certificates from Mozilla :
http://curl.haxx.se/ca/

I suggested the author to give it a try and see if it works.

> Anyway, without understanding how the certificate relates to
> the software, I can't tell what the issue is.

I hope it's clearer now.

-- 
 Bastien