Talk:VeraCrypt

Latest comment: 10 months ago by Guy Macon Alternate Account in topic Discontinued

Keep

edit

Loyd. I am not an expert in any of this including what constitutes an ad. However, as a long time truecrypt user, this article has been very helpful about what to do since Trucrypt is no longer. Thus I feel it should be retained. Loydfoofoo (talk) 20:33, 4 February 2015 (UTC)Reply

I agree with Loydfoofoo. Pwolverine (talk) 09:34, 7 February 2015 (UTC)Reply

The VeraCrypt entry in Wikipedia

edit

1) The article does not read like an advertisement to me, and if I've read it correctly is not a commercial product - its not 'for sale' but it is available. Seems to me more like a straightforward & neutral communication of information.

2) It relies too heavily on primary sources? Not sure what other sources it COULD rely on... So unconvinced that this is a valid criticism.

3) Needs additional citations for verification? Frankly I'm not even sure what this means. Verified in what sense? I will say no more since I may well simply expose further my ignorance.

(but - secret private thoughts hmmm... verified... that it exists? that the information is true? that it works? that its produced by the people who claim to be responsible?)

4) Too technical? I'd describe it as admirably concise. I wouldn't claim to fully understand the information given, and am at the opposite end of the 'techno nerd computer geek' spectrum, indeed at the opposite end of the age spectrum that implies.

I have a smart phone - it took me over a month to discover how to accept an incoming call. So, NOT tec savy.

However since the Snowden revelations and with a strong interest in the Bletcheley Park story from WW2 I have tried to educate myself to some degree in this area. More explanation could be given, but it would make it a much longer article. My supposition would be that anyone wishing to understand more about the information given would follow the available links. 86.184.230.77 (talk) 11:31, 8 February 2015 (UTC)Reply

Problem with speed claims.

edit

We have a quote from a reliable source that doesn't make sense. The quote is

"In technical terms, when a system partition is encrypted, TrueCrypt uses PBKDF2-RIPEMD160 with 1,000 iterations. For standard containers and other (i.e. non system) partitions, TrueCrypt uses at most 2,000 iterations.

What Idrassi did was beef up the transformation process. VeraCrypt uses 327,661 iterations of the PBKDF2-RIPEMD160 algorithm for system partitions, and for standard containers and other partitions it uses 655,331 iterations of RIPEMD160 and 500,000 iterations of SHA-2 and Whirlpool, he said.

While this makes VeraCrypt slightly slower at opening encrypted partitions, it makes the software a minimum of 10 and a maximum of about 300 times harder to brute force. "Effectively, something that might take a month to crack with TrueCrypt might take a year with VeraCrypt," Idrassi said."

Source: [ http://www.esecurityplanet.com/open-source-security/veracrypt-a-worthy-truecrypt-alternative.html ].

We use this quote in the Security improvements section.

Two problems. First, anyone who has used both knows that the speed difference is not slight. Second, how is doing 327 times more work "10 times harder"?

At [ http://www.theinquirer.net/inquirer/news/2375599/veracrypt-fork-of-truecrypt-tips-up ] the same quote is used, but it is attributed as "On the VeraCrypt website, Idrassi explained". I cannot find the quote on veracrypt.codeplex.com.

I think we should drop the esecurityplanet citation and quote and instead use this one from [ https://veracrypt.codeplex.com/ ]:

"As an example, when the system partition is encrypted, TrueCrypt uses PBKDF2-RIPEMD160 with 1000 iterations whereas in VeraCrypt we use 327661. And for standard containers and other partitions, TrueCrypt uses at most 2000 iterations but VeraCrypt uses 655331 for RIPEMD160 and 500000 iterations for SHA-2 and Whirlpool.

This enhanced security adds some delay only to the opening of encrypted partitions without any performance impact to the application use phase. This is acceptable to the legitimate owner but it makes it much harder for an attacker to gain access to the encrypted data."

--Guy Macon (talk) 07:43, 7 July 2015 (UTC)Reply

"it makes the software a minimum of 10 and a maximum of about 300 times harder to brute force" is a really weird statement.

1) PBKDF2 iterations have zero effect on brute force attacks. A brute force attack by definition will iterate over the whole keyspace, so it would be stupid to use PBKDF2 at all when you can just skip the step. The PBKDF2 iterations do increase the difficulity of password guessing though, e.g. dictionary attacks.

2) It makes it sound like the software itself will be brute forced, while in reality the software doesn't matter at all. It's all about the header data.

In light of these shortcomings I removed that part of the quote and replaced it with a simpler "While this makes VeraCrypt slower at opening encrypted partitions, it also makes password guessing based attacks slower."

- KaurKuut (talk) 00:32, 23 November 2015 (UTC)Reply

Licensing of VeraCrypt

edit

If the license is Apache 2.0, doesn't that make VeraCrypt "Free Software", as opposed to "Source available freeware"?

Yogesh Girikumar 03:17, 10 July 2015 (UTC) — Preceding unsigned comment added by Yogeshg1987 (talkcontribs)

VC includes TC code which is not released under a license recognized by FSF — Preceding unsigned comment added by 79.200.206.4 (talk) 12:45, 1 September 2015 (UTC)Reply

User:Palosirkka, five days ago, you made an edit that designated the app as "not open-source," saying that "license isn't OSI approved." Now, excuse me, but last time I checked, both OSI and FSF had approved Apache License version 2. VeraCrypt's license is also Apache License v2.[1] Would you kindly care to explain yourself? Waysidesc (talk) 01:40, 17 March 2022 (UTC)Reply

@Waysidesc: Apache is a free software license, no disagreement there. But as described in VeraCrypt#License_and_source_model, that only covers parts of the software. The rest come with a vanity license that is not free. --Palosirkka (talk) 10:29, 17 March 2022 (UTC)Reply
That's a rather odd conclusion. I remember reading such things from skeptics who thought TrueCrypt is ineligible for forking and derivative works. And yet, VeraCrypt is the living counterexample. They accept pull requests, so they are open-source. Example: #815. These new contributions have been placed under the Apache License v2. Here; have a look at one of their files: CoreBase.cpp.

Modifications and additions to the original source code (contained in this file) and all other portions of this file are Copyright (c) 2013-2017 IDRIX and are governed by the Apache License 2.0 the full text of which is contained in the file License.txt included in VeraCrypt binary and source code distribution packages.

Overall, it appears VeraCrypt has no inherited the licensing flaws of TrueCrypt. Waysidesc (talk) 23:45, 17 March 2022 (UTC)Reply
@Waysidesc: Not odd at all and not my conclusion either. You do realize that forking and derivatives don't require someting to be open source? And people also do illegal things every day. Whether vera is illegal or not I do not know or care but I do know it is not open source. Some parts of it certainly are but the whole, including TrueCrypt code is not. --Palosirkka (talk) 08:21, 18 March 2022 (UTC)Reply
With all due respect, did you even read the article to which you are linking? To wit:
  • It is about TrueCrypt, not VeraCrypt.
  • It predate TrueCrypt License 3.1.
  • Simon Phipps's recommended course of action is exactly what VeraCrypt has done. I quote:

    As OSI director and open source expert Karl Fogel said, "The ideal solution is not to have them remove the words 'open source' from their self-description, but rather for their software to be under an OSI-approved open source license."

Despite all of this, you have opined that it is definitely not open-source! I'm sorry, but may I see the Wikipedia policy that says your opinion is important? Waysidesc (talk) 04:41, 19 March 2022 (UTC)Reply
Veracrypt is a fork, apparently containing a large amount of Truecrypt code under Truecrypt license. As mentioned in the article, the former Truecrypt license versions were just as far from or even further away from the open source designation. Veracrypt cannot and has not changed the licensing of the Truecrypt parts... The Phipps's quote obviously meant Truecrypt has to change the license, which they have not done. This is getting borderline ridiculous. You seem to desperately want to claim this is open source even the linked article has the president of OSI telling you it is not open source! --Palosirkka (talk) 08:11, 20 March 2022 (UTC)Reply
Let me rewrite your last sentence with annotations: "You seem to desperately want to claim this [=VeraCrypt] is open source even [though] the linked article has the president of OSI telling you it [=TrueCrypt] is not open source!" Yes, indeed. Also, in the same vein, I believe Nikola Tesla invented the AC power, even though no history book says Isaac Newton did it. Nikola Tesla is not Isaac Newton, VeraCrypt is not TrueCrypt.
VeraCrypt has an FSF-approved, OSI-approved license (Apache License v2), has exposed its source-code, and accepts pull requests from the public. It fulfills all criteria of being both free and open-source. Title 17 of United States Code, Section 106, grants the owner of VeraCrypt copyright the exclusive rights to do or authorize reproducing it, preparing derivative works based on it, and distribute copies of it. Waysidesc (talk) 16:59, 20 March 2022 (UTC)Reply
Don't go edit the article and especially don't lie about references! Phipps said Truecrypt license IS NOT a free software license, contrary to what you wrote. And don't falsely claim in your edit summary that your edit is based on discussion because it certainly was not... But Veracrypt IS Truecrypt, because it shares code with it. And the Truecrypt license says:
e. You must not change the license terms of This Product in any way (adding any new terms is considered changing the license terms even if the original terms are retained), which means, e.g., that no part of This Product may be put under another license. You must keep intact all the legal notices contained in the source code files. You must include the following items with every copy of Your Product that You make and distribute: a clear and conspicuous notice stating that Your Product or portion(s) thereof is/are governed by this version of the TrueCrypt License, a verbatim copy of this version of the TrueCrypt License (as contained herein), a clear and conspicuous notice containing information about where the included copy of the License can be found, and an appropriate copyright notice.
So the code from Truecrypt will always be under the Truecrypt license, not open source. Hence Veracrypt cannot be open source. You do realize it's not enough if parts of a software package are open source for the whole to be open source? Any amount of code that doesn't qualify taints the whole. --Palosirkka (talk) 06:12, 21 March 2022 (UTC)Reply
> Don't go edit the article and especially don't lie about references! Phipps said Truecrypt license IS NOT a free software license, contrary to what you wrote.
Look again! I quote: "While it's accurate to describe the software as "free" ... the license is also not a free software license according to the FSF license list"
> And don't falsely claim in your edit summary that your edit is based on discussion because it certainly was not...
You mistake "based on discussion" with "based on agreement". Per your own WP:BRD policy, I can revert you without having ever discussed with you. R comes before D. Out of respect, however, I started a discussion first. But you first refused to get the point and now you are resorting to incivility. Yes, my revert is based on a discussion (even though it doesn't have to be) but not based on an agreement.
> But Veracrypt IS Truecrypt, because it shares code with it. And the Truecrypt license says: ...
And here where you are wrong and pretend not hear me. Title 17 of the United States Code, section 106, empowers TrueCrypt authors to directly authorize IDRIX to fork VeraCrypt under a different license. As far as us, the customers, are concerned, we can choose between Apache License v2 and TrueCrpyt License version 3.0.
Summary of my arguments so far:
  1. Being open-source is not a function of the license. It is a function of accessible source code and open collaboration. VeraCrypt has both. (TrueCrypt didn't.)
  2. VeraCrypt is multi-licensed. One of the options is Apache License version 2. It is an FSF-approved, OSI-approved license. Is it legal? That's not for us to decide. We have no grounds to assume bad faith in IDRIX.
  3. VeraCrypt is multi-licensed. One of the options is TrueCrypt License v3. It is not the license about which Phillip Simmons spoke, That was TrueCrypt License v2. Maybe if Mr. President of OSI should have used fewer weasel words and wrote one of the flaws of the TrueCrypt license in that article.
- Waysidesc (talk) 08:18, 21 March 2022 (UTC)Reply
You look again... you wrote: Simon Phipps]], director of the OSI, agreed that TrueCrypt license is a [[free software license]] which is a complete and utter lie. He said it is gratis, which does not mean "free software license".
If you have a reference that says Truecrypt did relicense, provide it. I don't believe one exists since Veracrypt lists Truecrypt license...
  1. What you say about the open source definition makes no sense at all. The OSI defines open source, not you or anybody else...
  2. You completely misunderstand the multi-license. NEW PARTS OF THE SOFTWARE are apache and free. THE PARTS FROM TRUECRYPT are as non-free as ever, that's what a fork means.
  3. No version of truecrypt license are OSI certified open source, so completely pointless. --Palosirkka (talk) 11:17, 22 March 2022 (UTC)Reply
> He said it is gratis, which does not mean "free software license".
In the OSI guideline, all freedoms besides price are part of the open-source concept. As far as OSI is concerned, "free software" and "gratis" are the same thing. They don't recognize freeware vs. free software distinction. That's because OSD is derivation of Debian Free Software Guideline. Naturally, FSF disagrees on many definitions with OSI. Of course, you've changed the context each time it suits you, so, now you yourself are confused. You have even changed the context in your last message. (See below.)
> If you have a reference that says Truecrypt did relicense, provide it.
Open the License.txt and use your browser's search function to find this piece of text: "VeraCrypt is multi-licensed under Apache License 2.0 and"
> What you say about the open source definition makes no sense at all. The OSI defines open source, not you or anybody else...
Pro-OSI bias is against Wikipedia's policy. Per WP:NPOV, the definitions of FSF, DFSG, Microsoft (largest producer of open-source apps in the world), and every other significant entity is also important.
Be that as it may, per Wikipedia's WP:SYNTH policy, I'll take OSI's view into consideration if and when they spoke about VeraCrypt directly.
> You completely misunderstand the multi-license. NEW PARTS OF THE SOFTWARE are apache and free. THE PARTS FROM TRUECRYPT are as non-free as ever, that's what a fork means.
We're talking about "open-source," not "free." See? You changed the context again. Keep this charade up and soon you won't know north from south.
Now, according to the Title 17 of the United States Code, 'a "derivative work" is a work based upon one or more preexisting works, such as a translation, musical arrangement, dramatization, fictionalization, motion picture version, sound recording, art reproduction, abridgment, condensation, or any other form in which a work may be recast, transformed, or adapted. A work consisting of editorial revisions, annotations, elaborations, or other modifications, which, as a whole, represent an original work of authorship, is a "derivative work".' VeraCrypt, therefore, is a derivative work. According to section 106 of this title, IDRIX has exclusive rights in this derivative work, but according to section 103, this exclusive right does not extent to per-existing material, i.e. TrueCrypt.
> No version of truecrypt license are OSI certified open source, so completely pointless.
I'm glad you finally agreed on this. So, am I to assume every argument you've made based on OSI's approval is now null and void? Let me guess: Your answer is no. You're going to say something that amounts to "OSI is the king of the world and if the king doesn't approve, you cannot exist."
Somehow, you seem to think VeraCrypt went through the trouble of changing its licensing intending not to make a difference. Waysidesc (talk) 13:13, 22 March 2022 (UTC)Reply
Skipping your undeeded insults, weird POV and general crazytalk, how exactly is USC relevant here? --Palosirkka (talk) 07:29, 23 March 2022 (UTC)Reply
LOL. 😂 USC 17 is the Copyright law of the United States. It is the sole law that makes licenses meaningful. Waysidesc (talk) 09:11, 23 March 2022 (UTC)Reply
And VeraCrypt is French. --Palosirkka (talk) 09:41, 23 March 2022 (UTC)Reply
The TrueCrypt Foundation is a registered US non-profit organization last filed tax returns in 2010. TrueCrypt was under the protection of the U.S. copyright laws. Did you forget all of your TrueCrypt-based fallacies all of a sudden? Waysidesc (talk) 11:15, 23 March 2022 (UTC)Reply
We're not talking TrueCrypt but VeraCrypt which is developed by a French entity. Leave the silly attacks aside, please. --Palosirkka (talk) 12:37, 23 March 2022 (UTC)Reply
Thank you. I agree. Dispute resolved. Waysidesc (talk) 17:13, 23 March 2022 (UTC)Reply
No, not resolved. So you don't know how VeraCrypt could relicense TrueCrypt code? I still believe they could not. It's OK for you not to know how. Just don't claim to know if you don't. The United States law you proposed earlier doesn't apply in France. Maybe they have a similar clause in French law on derivatives. Maybe not. In case they do it will certainly, just like US law, also note that "protection for a work employing preexisting material in which copyright subsists does not extend to any part of the work in which such material has been used unlawfully" (17 U.S. Code § 103). Unlawfully here being relicensing code originally under a license, like the TrueCrypt license, that states "no part of This Product may be put under another license". As you see, by relicensing, they are in breach of the TrueCrypt license and so infringing TrueCrypt authors' copyright. Which is unlawful. They legally cannot relicense.
There is another TrueCrypt fork, Ciphershed. They wrote in 2015 that they wanted to "transition to an OSI-approved license" but it "involves replacing the code almost entirely". Also, if one looks at their current license, they state very clearly that the new code and old code are under different licenses. --Palosirkka (talk) 22:29, 23 March 2022 (UTC)Reply
No, kid. I'm doing playing your word games. I don't even want read what you write anymore. Waysidesc (talk) 12:25, 24 March 2022 (UTC)Reply
Ciphershed is dead. The last CipherShed release was 0.7.4.0 (February 1, 2016). The last post to the CipherShed Forum was in 2016. Also see Project Dead? and Giving Up on CipherShed 2600:1700:D0A0:21B0:B858:3590:F10E:CA10 (talk) 22:47, 24 March 2022 (UTC)Reply

If references are there stating that parts of the software are covered under a vanity license which is chargeable then the issue of free is settled (it is partly free) Then issue is whether it is open source. Does it fail any criteria here [2]? - Abdul Muhsy talk 18:12, 22 March 2022 (UTC)Reply

We're talking free software here, nothing to do with price. I guess the discussion at this hour boils down to whether VeraCrypt can take TrueCrypt code and relicense it under Apache. --Palosirkka (talk) 07:31, 23 March 2022 (UTC)Reply
The answer is yes. Title 17 of the United States Code, section 106 enables this transition. But we've already talked about this. Waysidesc (talk) 09:11, 23 March 2022 (UTC)Reply
@Abdul Muhsy: No. It doesn't. VeraCrypt binaries are now under the Apache License v2, which fulfills all OSD requirements. But you might be asking: What's the point of including the TrueCrypt license? It is simple, really. In the United States, the copyright law is called "Title 17 of the United States Code" or USC 17. This title defines VeraCrypt as a derivative work. In accordance to section 103 of this title (USC 17 § 103) the protection of Apache License v2 does not retrospectively extend back to TrueCrypt. In other words, the old TrueCrypt is still bound by its own license, even if you somehow download its code from the VeraCrypt repo and reconstitute it. Waysidesc (talk) 09:24, 23 March 2022 (UTC)Reply
OSD requirements have nothing to do with binaries... --Palosirkka (talk) 09:42, 23 March 2022 (UTC)Reply
Yes, it does. I quote: "The program must include source code, and must allow distribution in source code as well as compiled form." Waysidesc (talk) 11:15, 23 March 2022 (UTC)Reply
If it passes all the criteria it should be classified as open source. Our article on open source cites this criteria in its second sentence. May I suggest adding the sentence 'VeraCrypt is open source as per the criteria listed by opensource.org'. - Abdul Muhsy talk 13:31, 23 March 2022 (UTC)Reply

It appears the dispute has finally resolved itself. You can find the essence of disagreement in revision 1078366517, where User:Palosirkka shouted "Veracrypt IS Truecrypt" (sic). That has changed a recently, in revision 1078807536, where he finally conceded that "We're not talking TrueCrypt but VeraCrypt," finally taking back his original statement.

Waysidesc (talk) 17:26, 23 March 2022 (UTC)Reply

The dispute is still very much unresolved. My original statement was VeraCrypt is not free and open source software. You certainly have not convinced me otherwise. --Palosirkka (talk) 22:29, 23 March 2022 (UTC)Reply
I agree that no consensus has been achieved. Your opinion is valuable, but similarly other people's opinions are valuable as well. Article need not be edited in a hurry. Let's wait for some time. I feel it is open source, others may disagree. We need to value everyone's opinion. - Abdul Muhsy talk 03:13, 24 March 2022 (UTC)Reply

Section break

edit

The thing to do ought to be, at this juncture, not to argue the case anymore because that is simply not productive. Instead one can cite reliable sources in support of their stance and let consensus develop slowly. For example, this [3] calls veracrypt opensource. Hence it may be deemed opensource-- Abdul Muhsy talk 04:13, 24 March 2022 (UTC)Reply

Who died and made the FSF and OSI king, able to issue imperial decrees as to exactly what is and is not free and open source? That's not how Wikipedia works. We report what reliable sources say, which is that VeraCrypt is FOSS.
All we can say is that the OSI does not consider TrueCrypt license 3.0 to be FOSS and has not evaluated the updated TrueCrypt License v 3.1.
We also need to acknowledge that Computerworld[4], PC World[5], opensource.com[6], fossmint[7], Virginia Tech[8], ProPrivacy[9], Privacy Autralia[10], ghacks[11], Linuxhint[12], makeuseof[13], and Medium[14] all consider VeraCrypt to be FOSS.
The fact that reliable sources call it FOSS trumps any WP:OR we might do, but the OR is wrong as well. The reason why the OSI doesn't like TrueCrypt License v 3.1 is that it puts conditions on using the software that OSI-approved licenses don't have. TrueCrypt License v 3.1., which has never been evaluated by OSI removed some but not all of those conditions.
But the reality is that TrueCrypt is abandonware, and nobody is enforcing any conditions on anyone, even if in theory they might be able to. See The Fall of TrueCrypt and Rise of VeraCrypt, What Happened to TrueCrypt and What Do I Use Instead?, TrueCrypt Review 2021: What Happened to It and Its Best Alternative, TrueCrypt quits? Inexplicable, and TrueCrypt discontinued, is no longer secure The OSI is not well-equipped to handle edge cases like someone abandoning a project, presumably at gunpoint by a government agency, and someone else forking it under an OSI-approved license with zero effort to enforce the abandoned license. But again the fact that the OR is wrong doesn't matter. We go with what reliable sources say, not our own original research. 2600:1700:D0A0:21B0:4CE6:2E2D:F31B:1F0D (talk) 18:25, 26 March 2022 (UTC)Reply

Alternatively, we could say something along the lines: "VeraCrypt presents itself as free and open source software. However, code under the TrueCrypt license is not recognized as such by the FSF and OSI". Or maybe we could put this explanation in a footnote. - Daveout(talk) 00:49, 27 March 2022 (UTC)Reply

I think Daveout's suggestion is good. Give all the information, and let the reader interpret it in whichever way he/she wants.-- Abdul Muhsy talk 03:49, 27 March 2022 (UTC)Reply

Clear violation of WP:NPOV. Better: "VeraCrypt is considered free and open source software by most sources, including Opensource.com, Makeuseof, Fossmint, Linuxhint, Computerworld, PC World, and Medium. The FSF and OSI only accept those portions of the code that are released are under the Apache license as free and open source software but not those portions of the code that are released under the TrueCrypt license.
As long as the vast majority of reliable sources call VeraCrypt FOSS, the view that it isn't FOSS is clearly a WP:FRINGE view and should be handled as such. 2600:1700:D0A0:21B0:D5E3:C366:65D2:EDCE (talk) 05:00, 27 March 2022 (UTC)Reply
There is a problem with the suggestion of my esteemed colleagues, @Abdul Muhsy and @Daveout: It is bludgeoning the process. Wikipedia has articles on millions of apps. There is a process for deciding whether they are free software. There is another for deciding whether they are open-source. We can at least try following that process before we start making compromises.
To decide whether an app is free: We look at the app's license agreement. Here is a copy of license agreement that comes with VeraCrypt: [15] For the sake of reference, I quote the top sentence of the agreement:

VeraCrypt is multi-licensed under Apache License 2.0 and the TrueCrypt License version 3.0, a verbatim copy of both licenses can be found below.

So, what does it mean? Does it mean we are bound to Apache License, TrueCrypt License, the most liberal terms afforded by a combination of both, or the most restrictive terms afforded by a combination of both?
  • Legal aspect: The law has provisions for such situations. The principle of the law is: In the case of ambiguity in a contract, the party that didn't draft it benefits. If it is ambiguous as to which one to pick, you can legally pick the permissive Apache License v2 and exclude the other.
  • Precedent: Wikipedia itself multi-licenses contents under GFDL and CC BY-SA 3.0 License. We can pick either. FFmpeg has a similar practice, multi-licensing itself as GPL, LGPL, and non-free. (Surely, nobody claims that FFmpeg is closed-source because there is a non-free license in its scheme.) x265 is also free and open-source despite being multi-licensed.
In general, multi-licensing means "pick whichever suits you." So, anyone is free to pick Apache License v2, and yes, this make VeraCrypt free software.
Question: Is IDRIX, the developer of VeraCrypt, allowed to change the license to Apache License v2, as they did version 1.19?
There is a legal way for them to do it. I have explained it earlier but it doesn't matter here. Unless a court strikes down the new license, it remains in force all the same. Personal suspicions have no weight.
To decide whether an app is open-source: Open-source software needs open collaboration, in addition to an appropriate license. IDRIX must accept pull requests for VeraCrypt to be entitled for open-source designation. They do. I have provided evidence in the article. Waysidesc (talk) 09:36, 27 March 2022 (UTC)Reply
"There is a process for deciding whether they are free software. There is another for deciding whether they are open-source. We can at least try following that process before we start making compromises." If there is such a process on wikipedia then it ought to be followed. But I am not aware of this wikipedia guideline of looking at the license, can you please provide a link to it. Also, if multiple sources are deeming it open source then as IMO we ought to do so too. But adding the bit about FSF, OSI only adds information to the article. To avoid confusing the reader, it may not be put in the lead though-- Abdul Muhsy talk 18:09, 27 March 2022 (UTC)Reply
> "But adding the bit about FSF, OSI only adds information to the article.
Thanks for attempting to come up with compromises. Yet, the compromises that you are offering have already been made. The bit about FSF and OSI is already smack-dab in the middle of the article. I put it there. And yet the dispute didn't go away. We cannot ignore the fact that one of the dispute parties believed (erroneously) that VeraCrypt's change of license in version 1.19 was effectively null.
Before challenging the allegation that "VeraCrypt is not open-source," we should ask, "who made that allegation in the first place?" An editor did, in violation of WP:SYNTH. OSI has never addressed VeraCrypt.
> "If there is such a process on wikipedia"
With respect, I never said "on Wikipedia." The process you are looking for is called the contract law. FYI, the majority of processes that we use in Wikipedia are not in WP: pages. For example, we respect the English irregular verbs. You can find them in a grammar book. In the File: namespace, we try our best to uphold copyrights laws. If you're looking for the processes that are "on Wikipedia," the comments of the esteemed 2600:1700:D0A0:21B0:D5E3:C366:65D2:EDCE highlight those adequately. Waysidesc (talk) 19:16, 27 March 2022 (UTC)Reply
Friendly reminder that original research is not permitted, so what do sources say? Stop trying to read the licenses, stop giving opinion on the software. Do provide Reliable Sources. And start an RfC since a wider audience would be useful.Slywriter (talk) 22:55, 27 March 2022 (UTC)Reply
> Stop trying to read the licenses
A license is a source. And the only people who say "don't read that source" members of a communist party who want to hide and censor things. Waysidesc (talk) 05:12, 28 March 2022 (UTC)Reply
You're missing the point. You're free to read whatever the fuck you want. However you cannot use use original research to make claims on wikipedia. There's no ifs or buts about it. If you don't agree with that, then sorry but Wikipedia isn't the place for you. You can talk whatever you want about communism etc but if you want to edit here, you need to abide by our policies and guidelines and WP:NOR is a fundamental one. Nil Einne (talk) 11:49, 28 March 2022 (UTC)Reply
  • Comment. I haven't fully read the OSI and the FSF objections to the TrueCrypt license yet, but I imagine they're taking issue with minor things. Most people will probably agree that VeraCrypt is FOSS. However, it isn't up to us to decide what is and what isn't FOSS. We just reproduce what relevant sources say.
IDRIX says that VeraCrypt is FOSS (without caveats) and most of the specialized media doesn't take issue with that. The FSF and the OSI say that parts of the code isn't FOSS. You may disagree with them, but you must admit that the opinions of those two organizations on this particular matter carry a lot of weight. (most people are interested on what they have to say). A footnote in the first sentence mentioning their view is probably the best way to go. - Daveout(talk) 06:24, 28 March 2022 (UTC)Reply
  • OSI never actually determined that Veracrypt wasn't FOSS. Per our aricle; "Discussion of the licensing terms on the Open Source Initiative (OSI)'s license-discuss mailing list in October 2013 suggests that the TrueCrypt License has made progress towards compliance with the Open Source Definition but would not yet pass if proposed for certification as Open Source software". It wasn't OSI. It was individuals on the OSI mailing list. It wasn't decided. It was suggested.
The FSF has unambiguously determined that Veracrypt is not FOSS. In my opinion FSF carries far less weight than OSI since the GPLv3 fiasco; (For years the FSF encouraged a "GPLv2 or any later version" license and then added a bunch of objectionable things to GPLv3. See Linus Torvalds says GPL v3 violates everything that GPLv2 stood for. 2600:1700:D0A0:21B0:C43A:7A9A:3A68:225A (talk) 07:25, 28 March 2022 (UTC)Reply
@Daveout
> "The FSF and the OSI say that parts of the code isn't FOSS."
Do they? Can I see your source for the FSF part, please? Waysidesc (talk) 08:01, 28 March 2022 (UTC)Reply
@Waysidesc: I was transcribing what I had read at TrueCrypt#License and source model. But now that I'm looking closer at it, the information is indeed inaccurate. The statement was apparently made by the FSF founder, not by the FSF proper. See. - Daveout(talk) 08:30, 28 March 2022 (UTC)Reply
https://www.gnu.org/licenses/license-list.en.html#Truecrypt-3.0 (which also says "This page is maintained by the Free Software Foundation's Licensing and Compliance Lab") covers the Truecrypt license. 2600:1700:D0A0:21B0:C43A:7A9A:3A68:225A (talk) 08:42, 28 March 2022 (UTC)Reply
Thank you both. Another matter: Can we please move the general discussions off the RfC area? Our RfC would be cleaner this way. Waysidesc (talk) 08:48, 28 March 2022 (UTC)Reply

RfC on whether VeraCrypt is free software

edit

What is the licensing status of VeraCrypt? Chess (talk) (please use {{reply to|Chess}} on reply) 03:05, 28 March 2022 (UTC)Reply

  • Neutral. I'm here because of this [16] ANI thread where someone requested help and an RfC is the best way to break this logjam and prevent another edit war. I won't state an opinion here though for full disclosure I'll note that I am a VeraCrypt user (having switched from TrueCrypt). Chess (talk) (please use {{reply to|Chess}} on reply) 03:05, 28 March 2022 (UTC)Reply
  • Free and open-source, Apache License v2. See:
Also see the software license.
Waysidesc (talk) 05:33, 28 March 2022 (UTC)Reply
  • Free and Open Source There are 24(though at least one is a dupe on different platforms) sources listed above that use the terminology. The argument against using the label is not persuasive. OSI is a self-appointed authority and Wikipedia is not compelled to follow their labeling guidelines.Slywriter (talk) 18:35, 29 March 2022 (UTC)Reply
Also, the link Palosirkka gave above does not show that OSI has determined that Veracrypt is not FOSS. The link is to an editorial opinion in InfoWorld by the president of the Open Source Initiative speaking for himself about another product; Truecrypt. The only thing the actual OSI did was discuss the TrueCrypt License on their mailing list without making an official determination. It is Original research to interpret a 2013 editorial by an individual and a mailing list thread about a previous product that was published under the Truecrypt license and apply that original research to a different product in a different country released under a different license. The sources that discuss Veracrypt (not TrueCrypt) are near unanimous in calling it FOSS. 2600:1700:D0A0:21B0:8981:FEBD:4662:A3B0 (talk) 01:17, 31 March 2022 (UTC)Reply

It looks like we have four for free and open source, one for not open source, nor free, one for remove FOSS and explain the nuances of the project's license model, and one neutral. So per WP:SNOW, the result of this RfC is Free and Open Source in the lead paragraph, Free and Open Source followed by links to the two licenses in the infobox, explain the nuances of the project's license model -- attributing who says it is FOSS and who says it isn't -- in the License and source model section. 76.216.220.191 (talk) 03:59, 10 April 2022 (UTC)Reply

Confusing info in the "Physical Security" section and the "Trusted Platform Module" section

edit

Perhaps the information from VeraCrypt is confusing and so it's not the fault of this article, but note that in the "Physical Security" section it's stated that if possession of the computer is lost, an attacker can install a keylogger and compromise the security that way. Ok, fine, but then in the TPM section the same thing is stated and "for that reason TPM will never be supported." Well, that's dumb, but perhaps the conflict here - "we'll support our software, which may be compromised by a certain attack, but we won't support TPM, which may be compromised by the same attack" - could be explained or, if one of these sections has inaccurate info, it could be corrected. I'm reading this and thinking "WTH - are the VeraCrypt developers idiots or is this article somehow in error?" GTGeek88 (talk) 15:48, 28 January 2022 (UTC)Reply

That section needs to be rewritten. See WP:SOFIXIT.
The main problem is the phrase "such as a hardware keystroke logger" which misses the point of the previous sentence; "if the attacker has physical or administrative access to a computer".
Nothing can save you if you are facing a sophisticated and well-funded attacker (examples: You are Edward Snowden, your computer has military secrets, you have financial info worth billions, or you are the new leader of ISIS) and the attacker has physical access. The attacker can switch your computer with an identical-looking one that looks and acts exactly the same to your eyes.
Most of us are facing threats from attackers who are not willing to break into your room and switch your computer while you sleep. Compromising your PC over the Internet and gaining administrator access is far more likely for most people. As the FAQ says:
"If the attacker has administrator privileges, he can, for example, reset the TPM, capture the content of RAM (containing master keys) or content of files stored on mounted VeraCrypt volumes (decrypted on the fly), which can then be sent to the attacker over the Internet or saved to an unencrypted local drive (from which the attacker might be able to read it later, when he gains physical access to the computer)... The only thing that TPM is almost guaranteed to provide is a false sense of security (even the name itself, "Trusted Platform Module", is misleading and creates a false sense of security). As for real security, TPM is actually redundant (and implementing redundant features is usually a way to create so-called bloatware)."[44]
So the paragraph should be rewritten to make it clear that VeraCrypt is secure against someone with administrator rights but not against someone with physical access, and TPM is not secure in either of those two cases.
13:23, 29 January 2022 (UTC)2600:1700:D0A0:21B0:69AC:5512:473D:30FA (talk)

I tried to modify the TPM section to address this issue. I covered both angles: VeraCrypt's angle and the opposition's angle.

Quite frankly, I did expect some VeraCrypt fan or representative to revert or subvert my edit in a way that looks totally pro-VeraCrypt. It appears our lucky contender is User:Peterl. Peterl entirely removed the opposition's view point and wrote: "Others disagree with this" as if those others are trolls and their opinion is not worth considering. It goes without saying that censoring the valid views of the others is a violation of WP:NPOV that says:

All encyclopedic content on Wikipedia must be written from a neutral point of view (NPOV), which means representing fairly, proportionately, and, as far as possible, without editorial bias, all the significant views that have been published by reliable sources on a topic.

Let's take a look at a couple of highly controversial things that Peterl has wrote in his edit summary:

  • "This is not the place to discuss the purpose or intent of TPM." Funny, because I did the opposite of discussing the intent of TPM and wrote "See 'Trusted Platform Module § Uses' for details."
  • "The discussion over whether that's true or not belongs on the TPM page." WP:NPOV says it belongs to this page exactly. "Not going off topic" is the Internet's general excuse for censoring relevant contents.
  • "The refs left don't adequately cover that 'others disagree with this'." This phrase appears in Peterl's edit, not mine! In fact, my edit states that others partially agree with TrueCrypt devs.

Waysidesc (talk) 01:44, 7 March 2022 (UTC)Reply

Please avoid attacking or being condescending to the editor, or any editor. It's not helpful and it's not constructive.
So, let's look at the issues at hand:
1. "VeraCrypt does not take advantage of Trusted Platform Module (TPM)." - stated fact
2. "VeraCrypt FAQ repeats the negative opinion of the original TrueCrypt developers verbatim." - stated fact
3. VeraCrypt developers "claim that TPM is entirely redundant" - stated in their doc.
Is TPM redundant? Can it be broken? Is it broken? That's a completely different question. All we have here is the VC devs claim. TPM is used in/by thousands of programs. The VeraCrypt page is not the place to discuss whether TPM is good, redundant, reliable or not; the TPM page is. Are there other developers that think TPM is redundant? Some of those links suggest that, others are glowing about TPM. They belong on the TPM page.
I see that these refs and most of that text has come from the Trusted Platform Module page. It's redundant to have such duplication, because wiki pages for other programs that avoid or have a position against TPM would also need this discussion. I've marked this section
Regarding WP:NPOV: The only fact we can state here is that VC doesn't use TPM, and the VC Devs have their reasons and don't like it. There's nothing debateable or un-NPOV in that. The viewpoints on whether they are right or not belongs on the TPM page.
peterl (talk) 06:11, 7 March 2022 (UTC)Reply
I'm disinclined to dance around the subject. You made an edit. What was your concern?
I think eliminating the perceived duplication was your concern, even though you tried not to show it in your original edit. I also think you first decided to remove the so-called "duplicate" content, then looked for justification after the fact. Rest assured, however, that your concern is null and void.
Two pages are are in favor this amount of "duplicate" contents:
1. WP:NPOV: If a little repetition is what it takes to ensure "representing fairly, proportionately, and, as far as possible, without editorial bias, all the significant views that have been published by reliable sources on a topic," then so be it. The dismissive way in which you wrote "others disagree" and proceeded to bunch up a few references that don't say such a thing was anything but fair. I could conceive that the next reviewer would remove the statement along with its sources, bitterly condemning me to be hypocrite, even though I was not the one responsible for this misrepresentation.
2. WP:CFORK: "Articles on distinct but related topics may well contain a significant amount of information in common with one another. This does not make either of the two articles a content fork. As an example, clearly Joséphine de Beauharnais will contain a significant amount of information also in Napoleon I of France; this does not make it a fork."
There is a third page that also advocates some content duplication, but it is not directly appropriate for this discussion. It is WP:LEAD. It says the lead section must consist of duplicate into exclusively. Still, I mention it to help you let go of the desire to delete "duplicate" contents. Waysidesc (talk) 05:36, 9 March 2022 (UTC)Reply
Rookie mistake: revealing your bias in an edit summary then later trying to find a Wikipedia policy that justifies the change.
Waysidesc's edits were correct and this edit[45] by Peterl violates NPOV.
Virtually nobody outside of some obsolete material from the early days of TPM and some marketing material from TPM vendors claims that TPM (or veracrypt for that matter) can protect a computer from an Evil Maid attack by a sophisticated opponent. See:
Note that some of the above attacks only work on older TPM implementations. So of course we are 100% sure that no future attack can possibly work on the TPMs they are shipping now...
--76.216.220.191 (talk) 11:10, 11 March 2022 (UTC)Reply

The article is still misleading. It says "TPM can, however, stop the cold boot attack described above." So can Veracrypt, but the option is off by default because protecting against a cold boot attack is worthless. A cold boot attack requires physical access. TPM does not protect against an attacker with physical access. Veracrypt does not protect against an attacker with physical access. Protecting against just one technique that requires physical access is like putting a high security deadbolt lock on a cardboard shoebox. 2600:1700:D0A0:21B0:8981:FEBD:4662:A3B0 (talk) 01:43, 31 March 2022 (UTC)Reply

WP:RSN Discussion of a source cited in this article

edit

is here FYI. -- Yae4 (talk) 18:37, 13 June 2023 (UTC)Reply

Discontinued

edit

Apparently, december 2023 (23 for that matter), the website .fr is dead. Is it discontinued ? Various versions of the setup file are still available for install. 79.115.183.141 (talk) 10:34, 23 December 2023 (UTC)Reply

https://veracrypt.fr/ works just fine for me. Here is a website that you can use the next time you thing a website has been discontinued: https://downforeveryoneorjustme.com --Guy Macon Alternate Account (talk) 02:32, 25 December 2023 (UTC)Reply