Slashdot Mirror


After 20 Years, OpenSSL Will Change To Apache License 2.0, Seeks Past Contributors (openssl.org)

After nearly 20 years and 31,000 commits, OpenSSL wants to change to Apache License v2.0. They're now tracking down all 400 contributors to sign new license agreements, a process expected to take several months. Slashdot reader rich_salz shares links to OpenSSL's official announcement (and their agreement-collecting web site). "This re-licensing activity will make OpenSSL, already the world's most widely-used FOSS encryption software, more convenient to incorporate in the widest possible range of free and open source software," said Mishi Choudhary, Legal Director of Software Freedom Law Center and counsel to OpenSSL. "OpenSSL's team has carefully prepared for this re-licensing, and their process will be an outstanding example of 'how to do it right.'"
Click through for some comments on the significance of this move from the Linux Foundation, Intel, and Oracle.
  • "The Linux Foundation is excited to see the OpenSSL project re-licensing under the Apache License. Using a standard and well-understood license is a huge benefit when incorporating a FOSS project into other projects and products... this license move will further help to ensure it remains one of the most important and relied-upon open source projects in the world."

    -- Nicko van Someren, Chief Technology Officer, the Linux Foundation
  • "Oracle is proud to extend its collaboration with the OpenSSL Foundation by relicensing its contributions of elliptic curve cryptography. OpenSSL is a critical component in both Oracle products and the infrastructure of the Internet, and we strongly believe the increased use of cryptography fostered by OpenSSL will benefit the entire enterprise software community."

    -- Jim Wright, Chief Architect of Open Source Policy, Strategy, Compliance and Alliances, Oracle
  • "Intel is thrilled to see OpenSSL moving to the standard Apache 2.0 license, improving license compatibility within the Open Source ecosystem. This will help defragment the open source cryptography ecosystem, leading to stronger and more pervasive use of crypto to improve privacy and security in the global technology infrastructure."

    -- Imad Sousou, Vice President and General Manager of the Open Source Technology Center, Intel

110 comments

  1. What was the old license model? by NFN_NLN · · Score: 5, Insightful

    What was the old license model?

    1. Re:What was the old license model? by Anonymous Coward · · Score: 2, Interesting

      OpenSSL has 2 licenses. Must follow both, not one or the other!

      About half of OpenSSL has some kind of BSD on steroids license. The other half has a homebrew open source BSD-style license made by the original author/contributor.

      Ref: https://www.openssl.org/source/license.html

    2. Re:What was the old license model? by mysidia · · Score: 4, Informative

      Basically two Extended 3-Part BSD licenses WITH Advertising Clause, therefore the Purists would claim they are GPL-Incompatible, and GPL Software should not link with OpenSSL --- Although I do not agree with that assessment. No issues linking to OpenSSL so long as you obey the terms of the OpenSSL license in the binary distribution of OpenSSL, and the GPL in the terms of the distribution of the software linking to openssl.

      https://www.openssl.org/source...

    3. Re:What was the old license model? by Antique+Geekmeister · · Score: 1

      It was a dual license. One of the licenses was unique to OpenSSL. LibreSSL is no better in this sense, and seems to have the exact OpenSSL license, as listed here:

      * https://github.com/libressl/li...

      The Apache license has been more portable and more acceptable to many developers and software publishers. It will be very interesting to see how this plays out.

    4. Re:What was the old license model? by Eunuchswear · · Score: 2

      LibreSSL is no better in this sense, and seems to have the exact OpenSSL license.

      Well, of course, one thing you can't do when forking is change the license.

      --
      Watch this Heartland Institute video
    5. Re:What was the old license model? by Kjella · · Score: 2

      No issues linking to OpenSSL so long as you obey the terms of the OpenSSL license in the binary distribution of OpenSSL, and the GPL in the terms of the distribution of the software linking to openssl.

      Doesn't work that way... then you could say that your "licensed for non-commercial use" code is distributed for $0, I'm just charging for my code and your restriction can't extend to my code. You'd get rid of all license restrictions by "librarifying" it. Distribution is not the only exclusive right in copyright, so is preparing derived works and running something as one program in the same memory space is definitively that.

      Granted you've moved the primary violation over to the end user, who may or may not be able to claim fair use but as an organized means of license circumvention I'd say you'd get in legal trouble for vicarious copyright infringement. That's the legal theory they've used to go after centralized P2P and torrent sites, even though the torrent sites themselves don't commit primary violations they just benefit from them.

      Consider it a bit this way, many things can be created from legal chemicals. That doesn't mean you can create one-click "meth lab kits" and act like you're just selling bits and pieces that by themselves are legal. Not even if you split them into "Meth lab part 1" and "Meth lab part 2". It would be the same with OpenSSL and GPL code, legally you can distribute one or the other. But once it becomes a DIY copyright violation kit, you get in trouble.

      --
      Live today, because you never know what tomorrow brings
    6. Re:What was the old license model? by Anonymous Coward · · Score: 0

      And that's 20 years too late. Fuck OpenSSL. They're still the mismanaged arcaneness exploit of the month club. And there are MUCH better implementations out there. Including those that support TLSv1.3.

    7. Re:What was the old license model? by Antique+Geekmeister · · Score: 1

      You can't safely relicense without negotiating the new license with the copyright holders.

      The "advertising clause" embedded in the existing OpenSSL license does present an awkward confusion for LibreSSL. I'm curious to see if this is partly an attempt to clarify the licensing for LibreSSL and for commercial forks, for whom the advertising clause can be difficult to explain to clients.

    8. Re:What was the old license model? by Anonymous Coward · · Score: 0

      So, can we call this the Heartbleed of licensing? Not only do they fuck up crypto regularly, they even wrote their own license?

      Maybe we should throw more money at them. That should help.

    9. Re: What was the old license model? by Anonymous Coward · · Score: 0

      Op

  2. Not everyone is happy... by Anonymous Coward · · Score: 4, Informative

    Some of the contributors are upset about the way that this license change is being pushed through. See

    http://marc.info/?l=openbsd-tech&m=149028593819547

    1. Re:Not everyone is happy... by Mitreya · · Score: 5, Interesting

      Some of the contributors are upset

      Parent link (http://marc.info/?l=openbsd-tech&m=149028593819547) is highly informative.

      The last sentence of the email is particularly enlightening:

      If we do not hear from you, we will assume that you have no objection.

      Even the most obnoxious EULAs do not assume consent if they cannot get your response.

    2. Re:Not everyone is happy... by Anonymous Coward · · Score: 3, Insightful

      Personally, I would have thought that would not be legally enforceable?
      If such language is legal, then that allows anyone to send a spam-like message to anyone and then receive their agreement for anything; I mean, how many people actually read the email in their spam folder?

      I await the serious legal ramifications that stem from this with interest.

    3. Re:Not everyone is happy... by nanoflower · · Score: 1

      I can see both sides of that last bit. They need to make such an assumption if they want to make progress as some people may no longer be reachable (no known email address, passed away). Making that assumption that no response equals acquiescence lets them move forward.

      The problem is that some people that they weren't able to reach may not like the new license agreement. Also I'm not sure if such an assumption would stand up in court should it come to that.

    4. Re:Not everyone is happy... by skids · · Score: 1

      Projects might want to learn from this, and start to ask developers if they'd be OK with allowing future project governance to change the license. Not everyone would say OK to that, but it could drastically reduce the number of contributors that need to be contacted.

    5. Re: Not everyone is happy... by Entrope · · Score: 2

      Theo de Raadt is not the world's most reasonable person, but I don't think any lawyer would say that the OpenSSL people are on solid legal footing with opt-out relicensing.

    6. Re: Not everyone is happy... by Entrope · · Score: 3, Insightful

      Pragmatism is not sufficient to legally justify the assumption that people are okay with the relicensing unless they object. I'm pretty sure both common law and civil law jurisdictions would side with a contributor who objects after the fact, even if they did get the notice.

    7. Re:Not everyone is happy... by uncqual · · Score: 1

      Even if the contributor has passed away, they may have signed over whatever remaining rights they had in their software to heirs. Good luck figuring that out.

      --
      Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
    8. Re: Not everyone is happy... by Anonymous Coward · · Score: 3, Interesting

      I used to think the same before I talked to some legal people -- you might be surprised. Making a good-faith, reasonable effort to contact everyone involved and give them a chance to object, and get agreement from all significant contributors with the unknown portion driven down to a minuscule portion, and apparently it can be viable. It's not a situation I would count out without actually talking with an expert for each specific situation.

    9. Re: Not everyone is happy... by BarbaraHudson · · Score: 1

      Bullshit. Copyright licensing is ONLY assignable in writing. That's the law, as anyone who followed groklaw would know. Also, good luck getting approval from all 400 - after 20 years some are going to be dead.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    10. Re: Not everyone is happy... by tepples · · Score: 1

      Is it illegal to rewrite from scratch the contributions of those few authors who cannot be reached if alive or whose estate cannot be reached if deceased?

    11. Re:Not everyone is happy... by maglor_83 · · Score: 4, Interesting

      Especially since one of the licenses that all contributors have agreed to specifically states that the licence CANNOT BE CHANGED.

    12. Re:Not everyone is happy... by sg_oneill · · Score: 1

      Even the most obnoxious EULAs do not assume consent if they cannot get your response.

      It's a politeness thing, not a requirement. OpenSSL has always required contributors to assign copyright to the OpenSSL foundation. They don't *have* to ask permission.

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
    13. Re:Not everyone is happy... by Anonymous Coward · · Score: 1

      I have altered the license. Pray I do not alter it further.

    14. Re:Not everyone is happy... by mysidia · · Score: 1

      So then encourage as many authors as possible to write a Reply:

      I Do Not consent at this time to the license change regarding my contribution Nor any derivative work, added, or modified versions thereof. Derivative work includes all code added to the project after my contributions which extended any functionality on top of OpenSSL based on any derivative of my earlier code, Including any non-literal copying of design style, naming conventions, or other aesthetic and miscellaneous aspects of my work found in later contributions by other authors.

    15. Re:Not everyone is happy... by mysidia · · Score: 2

      They need to make such an assumption if they want to make progress as some people may no longer be reachable

      Regardless of what is convenient for the project, the DEFAULT Under copyright is ALL RIGHTS RESERVED.
      The licensing for the contributions was not implicit.... OpenSSL contributions were made under a specific license
      https://www.openssl.org/source...

      The license they put it under has a SPECIFIC statement Barring license changes:
       * The licence and distribution terms for any publically available version or
       * derivative of this code cannot be changed. i.e. this code cannot simply be
       * copied and put under another distribution licence
       * [including the GNU Public Licence.]
       */

    16. Re:Not everyone is happy... by mysidia · · Score: 2

      They don't have to "Sign it away to heirs". Copyrights automatically become property of their estate, Unless they put in a legal structure to explicitly donate that asset, and their heirs will ultimately direct the disposition.

    17. Re: Not everyone is happy... by mysidia · · Score: 2

      Some contributors' contributions may be so small they cannot actually claim copyright.
      As usual: it depends.

    18. Re: Not everyone is happy... by Kjella · · Score: 1

      I used to think the same before I talked to some legal people -- you might be surprised.

      It's the sort of thing legal people can blabber on and on about, but when you consider that anyone distributing this project can be sued in 100+ jurisdictions with different laws and legal systems most of them will get very quiet. And at least in the US there are statutory damages, whoever is "hurt" doesn't have to prove that, they just have to prove infringement and they can cash in which could be tempting for a greedy heir. And not necessarily just liability either, fraudulent removal or alteration of a copyright license is a criminal act under USC 17506(d) and possibly many other nations.

      Basically it's the kind of thing they can bill lots of hours for but try asking them if they'll put their money where their mouth is and take the bill if their legal interpretation is wrong and I think you'll find them disappear in a puff of smoke. Get permission from those you can get permission from, rewrite the rest. Maybe even document a cleanroom implementation if you know some are militantly opposed to the re-licensing. My guess is the formulation is a legally meaningless taunt, it didn't say they would re-license without your permission. It just implied it so they'd provoke a response.

      --
      Live today, because you never know what tomorrow brings
    19. Re: Not everyone is happy... by phantomfive · · Score: 1

      OpenSSL can only be improved by rewriting.

      --
      "First they came for the slanderers and i said nothing."
    20. Re:Not everyone is happy... by Anonymous Coward · · Score: 0

      Would you somehow prevent that from applying to forks?

      Because if you don't, there's nothing to stop me from forking it and changing it to closed-source, making modifications, and licensing it out as proprietary. That hardly seems fair.

    21. Re:Not everyone is happy... by mysidia · · Score: 1

      I know for a fact they haven't "ALWAYS" required contributors to assign any rights.
      Even if they have, assignment without consideration may be non-binding.

      Also, I'm fairly sure Eric Young and Hudson haven't assigned copyright to them,
      they're using the code in a commercial SSL library for $$$, after all.....

    22. Re: Not everyone is happy... by Antique+Geekmeister · · Score: 1

      > OpenSSL can only be improved by rewriting.

      Given the lack of portability demonstrated by LibreSSL, this is not as certain as you may think.

    23. Re:Not everyone is happy... by arglebargle_xiv · · Score: 2

      Some of the contributors are upset

      Parent link (http://marc.info/?l=openbsd-tech&m=149028593819547) is highly informative.

      "Informative" in the sense that it shows Theo acting within character? He never says what his problem with the change is, just "I don't like it". I'm an OpenSSL contributor and I've OK'd the change, it's long past time they updated the license from that awkward not-really-BSD one to something more standard.

    24. Re:Not everyone is happy... by arglebargle_xiv · · Score: 1

      Yeah, that puzzled me too. As far as I could see they were stuck with that license forever, I can understand that they can change the license for contributions but not for the original code.

    25. Re: Not everyone is happy... by arglebargle_xiv · · Score: 1

      It depends, I guess they could if they could find enough monkeys who can type.

    26. Re:Not everyone is happy... by Phronesis · · Score: 3, Informative

      FSF has required, for many years, that contributors to FSF projects assign copyright to FSF so they don't need to contact a zillion people for permission in managing GPL issues. Coding Standards for Accepting Contributions and Lawyer's Explanation

    27. Re:Not everyone is happy... by Anonymous Coward · · Score: 0

      Personally, I would have thought that would not be legally enforceable? If such language is legal, then that allows anyone to send a spam-like message to anyone and then receive their agreement for anything; I mean, how many people actually read the email in their spam folder? I await the serious legal ramifications that stem from this with interest.

      You've not dealt with legal issues in the real world, then. The few legal notices that are still required to be delivered via Snail Mail assume that you've received it within 30 days and further assume you have no objections if they haven't received a response from you within the subsequent 30 days.

    28. Re: Not everyone is happy... by Anonymous Coward · · Score: 1

      I've seen it done for a codebase with an indeterminate number of contributors and *no* existing license. The 5 major developers agreed on what the new license should be, told the community and asked that anyone who disagreed tell them what lines of code they owned (and demonstrate it was theirs - the records weren't good for anyone). I was among the minor contributors, and posted that I thought my add-on scripts and a few little bugfixes were below the threshold for copyright and was fine with that. There were no objections, they published a new tarball with the new license, and some 25 years on there still hasn't been an objection. In 25 years, much of the original code has been rewritten. In just a few more decades the code will start passing into the public domain.

      If there had been objections with lines of code affected, they'd have prioritized replacing those lines and then removed the objector from the project credits before it ever saw a court. For a free project with no monetary incentives, even losing the court case and going straight to damages when you'd made a good faith effort like that would likely have been affordable.

      With industry backing, responsive developers on payroll, and a legal team and ability to pay out if necessary, OpenSSL's relicensing should be pretty solid. And it's very welcome - thanks OpenSSL!

    29. Re:Not everyone is happy... by Maxwell'sSilverLART · · Score: 1

      That would cover unilateral changes, such as the GPL's provision that the code can be relicensed under future versions of the GPL. Modification of a contract--and a license is just a contract--is allowed by mutual assent of the parties. That's basic contract law.

      --
      Moderate drunk! It's more fun that way!
    30. Re:Not everyone is happy... by arglebargle_xiv · · Score: 2

      Right, and neither of the two original license holders, Eric Young or Tim Hudson, have given consent to the change AFAIK.

    31. Re:Not everyone is happy... by Anonymous Coward · · Score: 1

      The license they put it under has a SPECIFIC statement Barring license changes

      That's changes by third parties. The authors of the work can change the license at any time (but not retroactively for past versions), if they can reach a consensus.

    32. Re:Not everyone is happy... by Anonymous Coward · · Score: 0

      Well, the author CAN change the license of past code, but only the code that he/she possesses. Any code that has already been released under a particular license in the past can not be changed. Basically the past versions would become dual licensed.

    33. Re: Not everyone is happy... by Anonymous Coward · · Score: 0

      I've already refused to consent when this was being discussed. And I offered licenses I would agree to. But no response yet. I suspect someone will rewrite my contributions. Or in the cases of the more obscure algorithms, remove them.

    34. Re:Not everyone is happy... by Anonymous Coward · · Score: 0

      So if a contributor to an Open Source project dies, the project can never re-license? What if they changed their email address and it's difficult to track them down? At some point, one needs to attempt a "best effort" to contact everyone for consent and leave it at that.

    35. Re:Not everyone is happy... by TemporalBeing · · Score: 1

      They don't have to "Sign it away to heirs". Copyrights automatically become property of their estate, Unless they put in a legal structure to explicitly donate that asset, and their heirs will ultimately direct the disposition.

      And the Executor of the Estate usually has to be convinced to do what is being asked; they often have no understanding of the field, etc - so it's usually a very long, hard road; usually code gets rewritten in those cases.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    36. Re: Not everyone is happy... by Anonymous Coward · · Score: 0

      Pragmatism is not sufficient to legally justify the assumption that people are okay with the relicensing unless they object.

      Sure it is. If you do not respond or you object, your code gets the boot and will be replaced.
      The assumption is that OpenSSL *WILL* be re-licensing, not that your code will necessarily be.

      It's perfectly acceptable to assume no response means you don't wish your code to be under the new license and thus not included in future versions of OpenSSL.
      But they are stating that the software as a whole will be changing license, and if you don't respond they will assume you have no objection to your code being removed in order to do that.

      Besides, the only code they can forcibly re-license would be code whose author already transferred copyright ownership to the OpenSSL project. In that case it, legally speaking, doesn't matter what the original author desires anymore.

      I'm pretty sure both common law and civil law jurisdictions would side with a contributor who objects after the fact, even if they did get the notice.

      You have no legal right for your code to be included in OpenSSL in the first place, let alone after you do not grant them the right to re-license your code.

      I can't see any court in most any country forcing OpenSSL to continue to include your code when you refuse to re-license it as requested.

      If you want your code to continue to remain in OpenSSL, you'd best reply and reply in the affirmative to the license change.
      Otherwise again it is perfectly acceptable to assume that no reply means you do not want your code included in their software, since their software will be re-licensing as a whole with or without you.

    37. Re:Not everyone is happy... by TechyImmigrant · · Score: 1

      Some of the contributors are upset about the way that this license change is being pushed through. See

      http://marc.info/?l=openbsd-tech&m=149028593819547

      There's always going to be a difficult one looking for any angle to complain and obstruct.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    38. Re:Not everyone is happy... by Anonymous Coward · · Score: 0

      We're going to install some rootkit malware on your system. If we do not hear from you, we will assume that you have no objection...Said Lenovo

      http://thehackernews.com/2015/08/lenovo-rootkit-malware.html

      This type of stuff shouldn't fly with license changes either.

    39. Re: Not everyone is happy... by swillden · · Score: 1

      Copyright licensing is ONLY assignable in writing.

      Copyright is only assignable in writing. The law doesn't require that copyright licenses be formal, written documents. Courts have upheld verbal and even implied licenses. This is a very good thing for open source, actually, since hardly any projects get written licenses from contributors. The mere act of sending a pull request (or sending a patch to a mailing list, or...) is taken as an implied license of the author's contribution, under the license or licenses that the project is using.

      Also, good luck getting approval from all 400 - after 20 years some are going to be dead.

      That only matters if the heirs object. In this case it's hard to see why they would. The only rational (and I use the word loosely) motivation I can see is a deep-seated dislike of the GPL, since the only real effect of this license change will be to make it completely clear that GPL programs can link OpenSSL.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    40. Re:Not everyone is happy... by gustygolf · · Score: 1

      Theo has voiced concerns specifically against the Apache 2.0 licence -- a decade ago.

      What is up with some free software providers?! They say "Here's something free! Oh wait, I changed my mind."

      While not exactly bait-and-switch, this is something which has been causing the community continual grief, and therefore we decided to honour a few of the projects that have decided to go non-free. After all.. having gone non-free, no one is going to remember them in the end.
      [...]
      The Apache group started from the humble beginnings of just being 'a patchy' set of changes to a completely free web server of dubious quality. But the years have changed them, and what they supply is now quite non-free... released under a license so entangled in legalese that we have absolutely no doubt that there are encumbrances hidden within. Legal terms protect. Who are they protecting? Not your freedom.

      (From https://www.openbsd.org/lyrics... ; I'm sure there's a relevant mailing list post somewhere.)

      Basically, they refused to update their in-tree Apache from 1.3.30 to anything newer, since 1.3.31 and so forth were Apache 2.0 licensed. Many years later, I believe they removed it and replaced it with something whose licence they could agree with (nginx IIRC).

      In general, the BSDs are really wary of incorporating anything that is 'less free' than the MIT/ISC/BSD license into their base system.

      --
      "Slow Down Cowboy! It's been 58 minutes since you last successfully posted a comment" -- slashdot, driving users away.
    41. Re: Not everyone is happy... by BarbaraHudson · · Score: 1

      No. Remember Phoenix BIOS, written from scratch?

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    42. Re:Not everyone is happy... by Aighearach · · Score: 1

      It isn't enforceable if you have a significant interest in the software, but if you only have insignificant contributions then it probably is good enough.

      The court would have to balance each of those situations individually by its own merits, there isn't a general rule to smack it with. So some of the people who got that email, that is all they really need to get. Others, it is not enforceable because they have a significant interest in the code and would have to give express consent to any license changes.

      Courts don't get flustered by the lack of a bright-line rule, in fact they usually insist on individual analysis in context.

    43. Re:Not everyone is happy... by Aighearach · · Score: 1

      Courts have already looked at that and didn't blink. It is hypothesizing of a very silly sort, because the answer is obvious and already known.

      When you license code to the world in return for conditions in a license, those conditions are the consideration you received. Done. This is not a mystery.

      If some business comes to me and asks for me to write some code for them, and I tell them that I'll do it for $100, and they agree, then I received $100 of consideration. If instead I tell them, you don't have to pay me, but you have to license back to me whatever derivative code you create, then that potential to receive code back itself has value. The courts view that like a speculative purchase, where you might make a lot of money or lose money. Even if in the end you lose money, the possibility was itself a valid consideration that a reasonable person might want to negotiate for. Same with open source; even with BSD, you're getting back an agreement that all the programmers or engineers who work with your code will see your name at the top of the source file! You will receive whatever fame and recognition from your peers results from that promotion. You might become famous, and have your pay go way up, because of that copyright notice; it has value! But a minor change in the license terms that still requires your copyright notice to remain intact wouldn't harm you, if that was the only consideration you received. So there is clearly consideration; harm from license changes is the hard thing to show here, not the consideration.

    44. Re: Not everyone is happy... by BarbaraHudson · · Score: 1

      What happens if you can't find the heirs? The code has to be abandoned, rewritten from scratch, or otherwise replaced or superseded. How would a stranger contact your heirs, given only your email address? Given that plenty of people don't have an email address that consists of only their proper name, you're going to be looking at a lot of potential candidates for email addresses of heirs. And it's not like you can just shoot off an email to the dead person and expect their heirs to answer it.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    45. Re: Not everyone is happy... by swillden · · Score: 1

      What happens if you can't find the heirs?

      You ignore the situation and go on. If at some point in the future the heirs object, then you identify and rewrite the code.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    46. Re:Not everyone is happy... by Anonymous Coward · · Score: 0

      Vader, is that you?

    47. Re: Not everyone is happy... by rich_salz · · Score: 1

      Please contact license@openssl.org so we can make sure we handle your contributions properly.

  3. Re:GPL is DEAD! by 93+Escort+Wagon · · Score: 1

    OpenSSL isn't under the GPL - it has its own unique, dual license.

    --
    #DeleteChrome
  4. It will not happen by manu0601 · · Score: 0

    Finding hundreds of contributors and obtaining a license change from them will not happen.

    The only workable solution is just to change it and hope nobody will complain.

    1. Re:It will not happen by queazocotal · · Score: 4, Informative

      If you get enough, you can rewrite the remaining bits.

    2. Re:It will not happen by BarbaraHudson · · Score: 1

      Of course it won't happen. What's the likelihood that all 400 are still alive and mentally competent after a couple of decades?

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    3. Re:It will not happen by Anonymous Coward · · Score: 0

      Here in the really real world, people don't merely move on with their lives. Real people abandon projects with extreme prejudice. Real people choose to ignore any and all attempts to contact them to discuss past contributions to projects which they have grown to hate. Real people go incommunicado and never ever come back.

    4. Re:It will not happen by toonces33 · · Score: 1

      Unwinding it all to figure out who contributed to what source files is the hardest part. I suppose at

      In reality my guess that of the 400 contributors, a much smaller number contributed to the bulk of the code. Some of the contributors might have only made one or two small contributions that would be easy to work around if they didn't give consent or they could not be located.

    5. Re:It will not happen by Anonymous Coward · · Score: 0

      If you get enough, you can rewrite the remaining bits.

      I always hear this refrain in situations like this. But suppose one of the contributions went something like this:

      if (flag1 != "value") {
              doIt();
      }

      How the hell do you re-write something like that? An "if" statement keys on the value of a single variable and conditionally executes a function. There are some things for which there is only one solution.

      Someone might suggest "just cold-room it!" But how are they supposed to do that? The OpenSSL guys have kinda already seen the codebase since they are OpenSSL. So they'd have to hire an entire second organization-worth of developers that have never seen any part of the OpenSSL codebase, teach them how to write SSL code, and wait for them to completely re-implement OpenSSL from scratch.

    6. Re:It will not happen by arglebargle_xiv · · Score: 2

      Of course it won't happen. What's the likelihood that all 400 are still alive and mentally competent after a couple of decades?

      Have you ever read the OpenSSL code? I don't think lack of mental competency has ever stopped anyone from contributing in the past.

    7. Re:It will not happen by Kjella · · Score: 3, Informative

      How the hell do you re-write something like that? An "if" statement keys on the value of a single variable and conditionally executes a function. There are some things for which there is only one solution. Someone might suggest "just cold-room it!" But how are they supposed to do that?

      You mean cleanroom. Copyright protects one particular expression (implementation) not the underlying idea (functionality), so the point is not necessarily to come up with a different solution but to document that it has been done independently. Yes, that means they must find an "untainted" developer to write the new code but you can in great detail describe the functionality as long as you don't impose a particular implementation. It's even been done "after the fact" as evidence:

      The court relied heavily on evidence NEC presented that compared a "clean room'' program with both the V20/30 and Intel 8086/88 microcode. NEC hired an independent engineer (Gary Davidian) to develop a set of microcode for the V20/30 without access to any other microcode. Because Davidian's version of the microcode was similar in many regards to both the Intel and NEC microcodes, the court found it likely that those similarities were dictated not by copying of Intel's microcode, but rather by functional constraints of the hardware, the architecture, and the need for 8086/88 compatibility.

      The documentation is a pain in the butt, but the legal reasoning around it isn't so bad.

      --
      Live today, because you never know what tomorrow brings
    8. Re:It will not happen by azrael29a · · Score: 1

      Unwinding it all to figure out who contributed to what source files is the hardest part. I suppose at

      Yeah, if only we had a tool that would track who wrote which line of code in which file. Something like a Version Control System.

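    The two comments above (toonces33 on unwinding who contributed to which files, and azrael29a's point that version control already records that) describe a bookkeeping problem. Below is an added example, written for this page and not taken from the thread or from the OpenSSL project's own relicensing tools: it takes a constructed author-then-paths history (the "author ..." line format is an assumption standing in for whatever `git log --name-only` output a real script would parse), works out which files are fully cleared once a set of contributors has agreed, and which single holdout blocks which files, so that the small "one or two contributions" cases can be prioritised or rewritten.

```python
"""Per-file contributor accounting for a relicensing effort (added example).

Constructed input: a toy commit history in an assumed 'author <id>' / path-list
format, standing in for parsed `git log --name-only` output.  A set of
consenting author identities stands in for the signed agreements.
"""
from collections import defaultdict

# Constructed sample history; these paths and addresses are illustrative only.
SAMPLE_LOG = """\
author alice@example.org
ssl/s3_lib.c
ssl/ssl_lib.c

author bob@example.org
crypto/ec/ec_lib.c

author alice@example.org
crypto/ec/ec_lib.c

author carol@example.org
ssl/ssl_lib.c

author dave@example.org
apps/openssl.c
"""


def parse_log(text):
    """Parse the assumed format: an 'author <id>' line followed by touched paths,
    commits separated by blank lines.  Returns a list of {'author', 'files'}."""
    commits, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("author "):
            current = {"author": line.split(" ", 1)[1], "files": []}
            commits.append(current)
        elif current is not None:
            current["files"].append(line)
    return commits


def contributors_by_file(commits):
    """Map each path to the set of author identities that ever touched it."""
    by_file = defaultdict(set)
    for commit in commits:
        for path in commit["files"]:
            by_file[path].add(commit["author"])
    return dict(by_file)


def classify_files(by_file, consented):
    """Split files into cleared (every author consented) and blocked
    (path -> sorted list of authors whose agreement is still missing)."""
    cleared, blocked = [], {}
    for path in sorted(by_file):
        missing = by_file[path] - consented
        if missing:
            blocked[path] = sorted(missing)
        else:
            cleared.append(path)
    return cleared, blocked


def holdout_impact(by_file, consented):
    """For each non-consenting author, list the files where they are the only
    missing signature: one agreement (or one targeted rewrite) clears the file."""
    impact = defaultdict(list)
    for path, authors in sorted(by_file.items()):
        missing = authors - consented
        if len(missing) == 1:
            impact[next(iter(missing))].append(path)
    return dict(impact)


if __name__ == "__main__":
    history = contributors_by_file(parse_log(SAMPLE_LOG))
    agreed = {"alice@example.org", "bob@example.org"}
    cleared, blocked = classify_files(history, agreed)
    print("cleared:", cleared)
    print("blocked:", blocked)
    print("sole holdouts:", holdout_impact(history, agreed))
```

    Run stand-alone it reports, for the constructed history, that the two files touched only by consenting authors are cleared and that each of the two remaining files is held up by exactly one contributor; a real run would replace SAMPLE_LOG with parsed repository history and the consent set with the signed agreements.
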
    9. Re:It will not happen by Dragonslicer · · Score: 1

      I always hear this refrain in situations like this. But suppose one of the contributions went something like this:

      if (flag1 != "value") { doIt(); }

      How the hell do you re-write something like that? An "if" statement keys on the value of a single variable and conditionally executes a function. There are some things for which there is only one solution.

      If there's truly only one possible solution for something that simple, then it isn't copyrightable anyway. Copyright requires some amount of creative expression, and something like that wouldn't meet the minimum level of creativity.

    10. Re:It will not happen by Anonymous Coward · · Score: 0

      Cleanroom would be just fine. If it really is such a simple piece of code and, as said before, you can protect the code but not the idea, then it's entirely possible that it could be rewritten in cleanroom style by a new developer, resulting in a block of code that is very similar and even possibly identical, yet not through copyright infringement.

    11. Re: It will not happen by Anonymous Coward · · Score: 0

      If you put out public notices, like TFA. And the current plan is to make a best effort to contact everyone and get the major contributors on board. Then silence is consent, or the contributions are technically too small to be under copyright. For people who have passed away, their estates will receive notice. If someone truly has no heirs, then there is no one to enforce claims to their contributions.
      This can work. It is not impossible like some /. armchair attorneys claim.

    12. Re: It will not happen by dunkelfalke · · Score: 1

      while (flag1 != "value")
      {
              doIt();
              break;
      }

      --
      "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
    13. Re:It will not happen by Anonymous Coward · · Score: 0

      Simple code fragments like the above would not generally be copyrightable, and are thusly irrelevant to any relicensing effort. The same would also apply to small bugfixes and so on.

    14. Re:It will not happen by rich_salz · · Score: 1

      The tools we used to do this are at https://github.com/openssl/too...

  5. Hahahahah by PhrostyMcByte · · Score: 1

    We are asking for your permission to change the licence for your contribution.
    ...
    If we do not hear from you, we will assume that you have no objection.

    Yes, and I'm asking for the same permission to own all assets associated with openssl.org. If I don't hear back from you, I'll assume you have no objection.

  6. So far I've not convinced by Anonymous Coward · · Score: 1

    I'm willing to do public domain, unlicense. I could be persuaded to go to 2-clause BSD, MIT, ISC but there is not really any way I'd be happy with Apache license. I wasn't that happy with the OpenSSL licenses when I contributed but there wasn't a choice. But now that I've been given some influence, I'm going to use it to decide what happens to my contributions.

    This will likely end with my code being thrown out and someone rewriting it, but I'd at least like to see how far I can take this.

    1. Re: So far I've not convinced by Anonymous Coward · · Score: 1

      We're listening.

      Had to scroll down to find this 1 lonely comment.

      Please tell us more what you dislike about the Apache license specifically.

    2. Re: So far I've not convinced by Anonymous Coward · · Score: 0

      It's too long. A lawyer is necessary for any developer or small shop to grasp it.

      Patent clause is problematic depending on the contributor's access to patents. A developer can accidentally authorize a patent that her company does not own but merely has licensed through a patent swap.

      Trademark clause is redundant.

      Limitation of liability can trigger a special situation for product warranty and consumer protection in some jurisdictions. Saying nothing here would have made the license exempt.

      At this time my corporation is not permitting our employees to publish under this license or under GPL 3.0. Fortunately that limitation was not in place when I contributed to OpenSSL, but I will have to check with legal to see if there is any further action required from me.

      (Going to take further discussion off /. because I don't feel like making an account here)

    3. Re: So far I've not convinced by Anonymous Coward · · Score: 0

      Talked to the legal department again. They vaguely remembered that I asked about this some weeks ago. I guess it has to end up in the tech news before it becomes "real" to them.

      They'll review the notices(2) I've received, but their intention is to agree to them. We'll not make any further contributions to the project, but the existing ones can be relicensed if we determine they are not related to our patents. (Should not be under patent IMO)

  7. Sounds odd.... by QuietLagoon · · Score: 4, Informative

    ...They're now tracking down all 400 contributors to sign new license agreements...

    From what I read, OpenSSL are saying that if you have contributed, and you don't respond to their request to change the license on the code you contributed, OpenSSL will take your code and change the license on your code without your explicit permission.

    I really hope I am reading it incorrectly, because I would expect better behavior from a security-oriented project. Far better behavior.

    1. Re:Sounds odd.... by Anonymous Coward · · Score: 0

      I would expect better behavior from a security-oriented project.

      Yes, but we're talking about OpenSSL.

    2. Re:Sounds odd.... by dabadab · · Score: 3, Insightful

      You are reading it wrong.

      This article was about the decision about whether they should move to AL or not and "no response" was taken as a "yes" vote - but that's all.

      The actual license of the code can not be changed by the OpenSSL folks because they do not have the right to it - only the original contributor can do it.
      They have to do what every other license-changing project did: if the contributor does not respond or refuses the license change, his/her code will be removed and eventually rewritten by someone else.

      --
      Real life is overrated.
  8. Re:GPL is DEAD! by Anonymous Coward · · Score: 0

    FUCK GNU HlPPlE SCUM!!!

    DEATH T0 FREEDOM!!!!!!!!!

  9. LibreSSL by Anonymous Coward · · Score: 0

    According to the Wikipedia page for LibreSSL (I glanced at the git repo and couldn't see a central LICENSE file in the root of the repository, so I assume it's headers per file) https://en.wikipedia.org/wiki/... the primary fork of OpenSSL is presently licensed as a combination of:

    "Apache license 1.0, 4-clause BSD License, ISC license, and some are public domain"

    I assume some of that is inherited from OpenSSL directly, and that the BSD fork would be closer to having key components replaced to allow for a functional core component set that is licensed in a modern BSD license.

  10. Seriously? by Anonymous Coward · · Score: 0

    Slashdot finally got around to reporting on this, and they don't even mention the controversy regarding relicencing the code without explicit permission of all contributors?

  11. Sounds familiar by Anonymous Coward · · Score: 0

    "We are going to repeal and replace the current license with something terrific. Everybody will love it."

    Good luck getting that past 400 developers. The Freedom Coders may well have different ideas.

    Seriously, though: The reasons given for needing the license change are highly suspect. OpenSSL is somehow "the world’s most popular SSL/TLS and cryptographic toolkit" while at the same time having a license that is holding it back. This doesn't pass the smell test. Something else is afoot.

    1. Re: Sounds familiar by Anonymous Coward · · Score: 1

      All I need to be suspicious is the mention that Oracle is involved.

  12. On a 20 year old project, by Anonymous Coward · · Score: 0

    some of the contributors are going to be dead.

    I was under the impression that license changes like this just didn't happen because it was impossible to track down everyone and get them to agree.

    IANAL but, you can't change someone's license on them. This is just piracy, and they're relying on the contributors being too poor, disinterested or dead to sue!

    1. Re:On a 20 year old project, by Antique+Geekmeister · · Score: 4, Insightful

      It's why the FSF is so very careful that the GPL grants licenses to existing users, and is transitive so that changes are _also_ under GPL and free for publication and modification. It's also why various "you must advertise our name on this software" or "you may not make any changes to this software" clauses have repeatedly proven confusing and dangerous to use.

  13. 400 seems low by Anonymous Coward · · Score: 0

    400 seems awfully low for a long-running project if they are counting everyone who ever contributed a patch... I just did a little poking, and they seem to have uids up to 1477

    https://license.openssl.org/cgi-bin/lookup.py?uid=1477

    Now maybe some are duplicates, but I would think there are a bunch of people who only sent in a single patch. I wonder if you posted a patch on the mailing list and one of the regulars grabbed it and put it in if you got credit and are being asked your opinion. OpenSSL was around well before all the "sign-off" stuff many projects have been doing for the last decade or so.

    1. Re:400 seems low by arglebargle_xiv · · Score: 2

      There are lots of dups in there. So far I've received four different requests to OK the license change under different IDs.

  14. Is there anything wrong with Apache License 2.0? by Dan+Ost · · Score: 1

    If the devs were okay with the previous licenses, what are they likely to object to in the proposed license?

    I don't think I've ever heard anyone rant against Apache 2.0.

    --

    *sigh* back to work...
  15. A couple questions by jdavidb · · Score: 1

    What's the existing license? Is this a migration from copyleft to a more permissive license, or is this a migration from an unusual license (some kind of openbsd license?) to something more standard?

    Also:

    Oracle is proud to extend its collaboration with the OpenSSL Foundation by relicensing its contributions of elliptic curve cryptography

    What company that Oracle has bought originally contributed this?

    1. Re: A couple questions by Anonymous Coward · · Score: 0

      That was probably Sun. They were involved in NSS and Java cryptography too...

    2. Re:A couple questions by gustygolf · · Score: 1

      or is this a migration from an unusual license (some kind of openbsd license?) to something more standard?

      OpenBSD has nothing to do with the OpenSSL project.

      OpenSSH and OpenNTPD and OpenBGPD are the projects they are responsible for IIRC. Yes, I know, it's confusing. (OpenNTPD is wonderful, by the way.)

      The current licence of OpenSSL is the four-clause BSD licence. It's not the most desirable licence but it's about as standard as you can get.

      It is a migration to a more complex licence, if we count by the number of words.

      --
      "Slow Down Cowboy! It's been 58 minutes since you last successfully posted a comment" -- slashdot, driving users away.
    3. Re:A couple questions by jdavidb · · Score: 1

      So the basic problem is the obnoxious advertising clause?

    4. Re:A couple questions by Anonymous Coward · · Score: 0

      That's about it.

      People have been migrating to the simpler two- and three-clause variants for almost two decades now.

  16. Estoppel by acquiescence and laches by raymorris · · Score: 4, Informative

    > I'm pretty sure both common law and civil law jurisdictions would side with a contributor who objects after the fact, even if they did get the notice.

    If they got the notice, estoppel by acquiescence may apply. "Estoppel by acquiescence" means one may not sue later if you were given a clear opportunity to object and chose to not object in any way. Georgia v. South Carolina is a well-known case. Georgia had legal claim to certain land based on a treaty. For many years, South Carolina treated it as part of South Carolina, levying taxes in the area, etc. Georgia did not object during these many years. Later Georgia attempted to assert their claim to the area. The court ruled that Georgia's failure to object for many years barred the action - their silence was basically implied permission.

    A related concept is laches. Laches means you have to assert your rights in a reasonable time frame, or not at all - an author who files suit regarding the license change ten years from now will probably be barred by laches.

    1. Re:Estoppel by acquiescence and laches by Anonymous Coward · · Score: 0

      But you have to prove actual notice on the part of the plaintiff. If someone doesn't realize they have rights, then they don't have actual notice even with all the news coverage. I'd guarantee that at least one person died and their heirs do not know of the contribution. Even if not true in fact, the whole point is to clear up the license, and OpenSSL wouldn't want the statute of limitations to toll due to a reasonable lack of opportunity to discover. Even if they can argue that it would work with OpenSSL, because of the news covering the transition, does not mean it will work in every situation.

    2. Re: Estoppel by acquiescence and laches by Entrope · · Score: 1

      Acquiescence requires that the party making the new claim not be aware that they are infringing the other party's rights. (In the GA/SC boundary disputes, there were reasonable and independent bases to declare that some of the islands were in SC under the treaty and usual rules of territory.) The OpenSSL group here is clearly aware that they do not hold the copyrights here, or have permission to change the license.

    3. Re:Estoppel by acquiescence and laches by Aighearach · · Score: 1

      There are additional problems that they would face in bringing a complaint; they would have to show actual harm just to get in the door. When you give away open source software, you're giving up much of your ability to profit based on exclusive control. So you're also giving up most of the harm that could be done to you by the others who also have an ownership stake.

      The reason that a copyright holder can sue even when they're not actively benefiting from some work, (maybe it is out of print or something) is that they still could benefit later; their rights have inherent cash value. They might be leaving it out of print now so that if interest is generated later, they can re-issue it to new excitement. So there are lots of copyright cases like that, that created precedent for strong copyright.

      But that doesn't mean that anybody with any copyright interest would be harmed by a case of not being able to control the work; in the case of open source where you've already granted a non-revocable free license to the whole world, losing control leaves you where you already were; without the ability to profit financially from the work. Surely you still have some interest that you can exercise by your prerogatives, but suing over it starts to get really hard. If the lawsuit is about somebody violating the license, then you can still sue over that because what those terms give you back (access to changes, or just retention of copyright notice and resulting fame) is the consideration that you got in return for the license. But when the dispute is with other copyright holders, who also have the same (weakened) interest in the code, now you have a hard time showing that you are harmed by their changes. Especially when the copyright is divided between a bunch of people, and the majority of them agree to the changes.

      Courts like to reduce everything to its cash equivalent, and then compare those. Following that principle here, it is easy to see what sort of result will be achieved.

  17. Oracle by Anonymous Coward · · Score: 0

    Anything that Oracle favors is probably bad for everyone else somehow...

  18. Can allow specific license changes (any version of by raymorris · · Score: 1

    There are many ways to allow for the possibility that the license may need to be changed in the future, without allowing just anyone to pick any license they choose.

    The standard GPL license has a clause allowing the code to be distributed under the current license *or any future version* of the GPL license.

    One could ask permission to distribute it under any OSI-approved license. I've received that permission before: the author granted me permission to use "any open source license", and the OSI list is a reasonable, third-party definition of which licenses qualify as "any open source license".

    One could say that the license may be changed by unanimous agreement of the foundation board of directors, by 2/3rds vote of recent contributors, or some other planned method.

  19. Kinda moot... by Shark · · Score: 1

    Everything it provides will be integrated into systemd anyway, they need it as part of the upcoming systemd web browser.

    --
    Mind the frickin' laser...
  20. Re:Can allow specific license changes (any version by TemporalBeing · · Score: 1

    The standard GPL license has a clause allowing the code to be distributed under the current license *or any future version* of the GPL license.

    That's not part of the GPL AFAIK, rather it's the language some developers (not all) put into the code files that they are licensing. Personally, I don't do that and any version of the GPL that does auto-include such language is something I'd avoid. Sure, I trust the license that I am using now but I don't necessarily trust a newer version to do something I don't approve of.

    --
    Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
  21. no duh, idiot by Anonymous Coward · · Score: 0

    The OpenSSL group here is clearly aware that they do not hold the copyrights here, or have permission to change the license.

    that would be precisely why they are asking permission, no duh. if they held the copyrights then they would not need to ask permission from the contributors

  22. Re:Is there anything wrong with Apache License 2.0 by Anonymous Coward · · Score: 0

    Some people like the GPL provisions that require modifications and other extensions to also be released under the same license. Reasonable people can argue over whether or not those provisions are a "good thing" for open source users and/or developers. I was once in the "GPL is better because it makes more software more free" camp but I now find myself in the "it's really people that ought to be free" camp and like the AL2 license better because it is less restrictive on actual people.

  23. Good luck contacting some of those contributors... by Anonymous Coward · · Score: 0
  24. It is an option I avoid as well by raymorris · · Score: 1

    My post may have been a bit unclear. "Or any later version" is indeed an option used by many GPL programs, but certainly not all. GNU recommends including that. I don't in my software, because a) I object to the patent terms of GPLv3, as actually written and b) I no longer trust GNU to avoid adding objectionable clauses in future versions.