So, if someone wants to use jsBCrypt on their own website, most likely the
first thing they'll do is go to
https://code.google.com/p/javascript-bcrypt/downloads/list and download
jBCrypt-v2.2.tar.gz.
That library depends on the Clipperz JavaScript Crypto Library, which is
licensed under the AGPL. I'm not a lawyer, but I'm pretty leery of any AGPL
code - I'm not sure if jsBCrypt can be BSD-licensed if it includes an
AGPL-licensed library. I think jsBCrypt would be considered a "derivative
work", and therefore must be licensed as AGPL (or maybe some other compatible
license? Not sure there).
On the other hand, if you look in the source, it appears that the newest
version of jsBCrypt instead depends on isaac.js, which is MIT-licensed. So,
maybe the downloads section just needs to be updated? The demo page uses the
version which uses isaac, so it appears to work.
That does have other implications, however. It looks to me like isaac.js uses
Math.random() as a seed, which I guess could make jsBCrypt less secure? I don't
exactly understand how the BCrypt algorithm uses the random number, so I don't
know if that's really a problem.
Finally, it seems to me that bCrypt.js should probably have a copy of the BSD
license at the top. As it is now, if I include bCrypt.js on my website, it
doesn't indicate to the client what license it is under.
Sorry if that rambled a bit - hope that was clear, though!
Original issue reported on code.google.com by xer...@gmail.com on 7 Apr 2013 at 1:10
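
On the Math.random() question raised above: bcrypt draws randomness for the 16-byte salt that is stored in the hash string. The following is an added example, not code from jsBCrypt or isaac.js, that fills that salt from the platform CSPRNG instead and encodes it in bcrypt's base64 variant; the function names and the `$2a$` prefix are assumptions made for illustration.

```javascript
// Added example: build a bcrypt salt string from CSPRNG bytes rather than
// from a generator seeded by Math.random(). All names here are hypothetical.
const BCRYPT_B64 =
  "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

// Web Crypto in browsers and recent Node; older Node falls back to node:crypto.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// bcrypt's base64 variant: its own alphabet order and no '=' padding.
function bcryptBase64(bytes) {
  let out = "";
  for (let i = 0; i < bytes.length; i += 3) {
    const b0 = bytes[i];
    const b1 = i + 1 < bytes.length ? bytes[i + 1] : 0;
    const b2 = i + 2 < bytes.length ? bytes[i + 2] : 0;
    out += BCRYPT_B64[b0 >> 2];
    out += BCRYPT_B64[((b0 & 0x03) << 4) | (b1 >> 4)];
    if (i + 1 < bytes.length) out += BCRYPT_B64[((b1 & 0x0f) << 2) | (b2 >> 6)];
    if (i + 2 < bytes.length) out += BCRYPT_B64[b2 & 0x3f];
  }
  return out;
}

// "$2a$" + two-digit cost + "$" + 22 characters encoding the 16 salt bytes.
function formatSalt(saltBytes, cost) {
  if (saltBytes.length !== 16) throw new RangeError("bcrypt salt is 16 bytes");
  if (!Number.isInteger(cost) || cost < 4 || cost > 31) {
    throw new RangeError("cost must be an integer in 4..31");
  }
  return "$2a$" + String(cost).padStart(2, "0") + "$" + bcryptBase64(saltBytes);
}

// Salt bytes come straight from the OS-backed generator, never Math.random().
function genSalt(cost = 10) {
  const salt = new Uint8Array(16);
  webcrypto.getRandomValues(salt);
  return formatSalt(salt, cost);
}
```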