Slashdot Mirror


After 20 Years, OpenSSL Will Change To Apache License 2.0, Seeks Past Contributors (openssl.org)

After nearly 20 years and 31,000 commits, OpenSSL wants to change to Apache License v2.0. They're now tracking down all 400 contributors to sign new license agreements, a process expected to take several months. Slashdot reader rich_salz shares links to OpenSSL's official announcement (and their agreement-collecting web site). "This re-licensing activity will make OpenSSL, already the world's most widely-used FOSS encryption software, more convenient to incorporate in the widest possible range of free and open source software," said Mishi Choudhary, Legal Director of Software Freedom Law Center and counsel to OpenSSL. "OpenSSL's team has carefully prepared for this re-licensing, and their process will be an outstanding example of 'how to do it right.'"
Click through for some comments on the significance of this move from the Linux Foundation, Intel, and Oracle.
  • "The Linux Foundation is excited to see the OpenSSL project re-licensing under the Apache License. Using a standard and well-understood license is a huge benefit when incorporating a FOSS project into other projects and products... this license move will further help to ensure it remains one of the most important and relied-upon open source projects in the world."

    -- Nicko van Someren, Chief Technology Officer, the Linux Foundation
  • "Oracle is proud to extend its collaboration with the OpenSSL Foundation by relicensing its contributions of elliptic curve cryptography. OpenSSL is a critical component in both Oracle products and the infrastructure of the Internet, and we strongly believe the increased use of cryptography fostered by OpenSSL will benefit the entire enterprise software community."

    -- Jim Wright, Chief Architect of Open Source Policy, Strategy, Compliance and Alliances, Oracle
  • "Intel is thrilled to see OpenSSL moving to the standard Apache 2.0 license, improving license compatibility within the Open Source ecosystem. This will help defragment the open source cryptography ecosystem, leading to stronger and more pervasive use of crypto to improve privacy and security in the global technology infrastructure."

    -- Imad Sousou, Vice President and General Manager of the Open Source Technology Center, Intel

26 of 110 comments

  1. What was the old license model? by NFN_NLN · Score: 5, Insightful

    What was the old license model?

    1. Re:What was the old license model? by Anonymous Coward · Score: 2, Interesting

      OpenSSL has 2 licenses. Must follow both, not one or the other!

      About half of OpenSSL has some kind of BSD on steroids license. The other half has a homebrew open source BSD-style license made by the original author/contributor.

      Ref: https://www.openssl.org/source/license.html

    2. Re:What was the old license model? by mysidia · Score: 4, Informative

      Basically two Extended 3-Part BSD licenses WITH Advertising Clause, therefore the Purists would claim they are GPL-Incompatible, and GPL Software should not link with OpenSSL --- Although I do not agree with that assessment. No issues linking to OpenSSL so long as you obey the terms of the OpenSSL license in the binary distribution of OpenSSL, and the GPL in the terms of the distribution of the software linking to openssl.

      https://www.openssl.org/source...

    3. Re:What was the old license model? by Eunuchswear · Score: 2

      LibreSSL is no better in this sense, and seems to have the exact OpenSSL license.

      Well, of course, one thing you can't do when forking is change the license.

      --
      Watch this Heartland Institute video

    4. Re:What was the old license model? by Kjella · Score: 2

      No issues linking to OpenSSL so long as you obey the terms of the OpenSSL license in the binary distribution of OpenSSL, and the GPL in the terms of the distribution of the software linking to openssl.

      Doesn't work that way... then you could say that your "licensed for non-commercial use" code is distributed for $0, I'm just charging for my code and your restriction can't extend to my code. You'd get rid of all license restrictions by "librarifying" it. Distribution is not the only exclusive right in copyright, so is preparing derived works and running something as one program in the same memory space is definitively that.

      Granted you've moved the primary violation over to the end user, who may or may not be able to claim fair use but as an organized means of license circumvention I'd say you'd get in legal trouble for vicarious copyright infringement. That's the legal theory they've used to go after centralized P2P and torrent sites, even though the torrent sites themselves don't commit primary violations they just benefit from them.

      Consider it a bit this way: many things can be created from legal chemicals. That doesn't mean you can create one-click "meth lab kits" and act like you're just selling bits and pieces that by themselves are legal. Not even if you split them into "Meth lab part 1" and "Meth lab part 2". It would be the same with OpenSSL and GPL code; legally you can distribute one or the other. But once it becomes a DIY copyright violation kit, you get in trouble.

      --
      Live today, because you never know what tomorrow brings

  2. Not everyone is happy... by Anonymous Coward · Score: 4, Informative

    Some of the contributors are upset about the way that this license change is being pushed through. See

    http://marc.info/?l=openbsd-tech&m=149028593819547

    1. Re:Not everyone is happy... by Mitreya · Score: 5, Interesting

      Some of the contributors are upset

      Parent link (http://marc.info/?l=openbsd-tech&m=149028593819547) is highly informative.

      The last sentence of the email is particularly enlightening:

      If we do not hear from you, we will assume that you have no objection.

      Even the most obnoxious EULAs do not assume consent if they cannot get your response.

    2. Re:Not everyone is happy... by Anonymous Coward · Score: 3, Insightful

      Personally, I would have thought that would not be legally enforceable?
      If such language is legal, then that allows anyone to send a spam-like message to anyone and then receive their agreement for anything; I mean, how many people actually read the email in their spam folder?

      I await the serious legal ramifications that stem from this with interest.

    3. Re: Not everyone is happy... by Entrope · Score: 2

      Theo de Raadt is not the world's most reasonable person, but I don't think any lawyer would say that the OpenSSL people are on solid legal footing with opt-out relicensing.

    4. Re: Not everyone is happy... by Entrope · Score: 3, Insightful

      Pragmatism is not sufficient to legally justify the assumption that people are okay with the relicensing unless they object. I'm pretty sure both common law and civil law jurisdictions would side with a contributor who objects after the fact, even if they did get the notice.

    5. Re: Not everyone is happy... by Anonymous Coward · Score: 3, Interesting

      I used to think the same before I talked to some legal people -- you might be surprised. Making a good-faith, reasonable effort to contact everyone involved and give them a chance to object, and getting agreement from all significant contributors with the unknown portion driven down to a minuscule portion, apparently can be viable. It's not a situation I would count out without actually talking with an expert for each specific situation.

    6. Re:Not everyone is happy... by maglor_83 · Score: 4, Interesting

      Especially since one of the licenses that all contributors have agreed to specifically states that the licence CANNOT BE CHANGED.

    7. Re:Not everyone is happy... by mysidia · Score: 2

      They need to make such an assumption if they want to make progress as some people may no longer be reachable

      Regardless of what is convenient for the project, the DEFAULT Under copyright is ALL RIGHTS RESERVED.
      The licensing for the contributions was not implicit.... OpenSSL contributions were made under a specific license
      https://www.openssl.org/source...

      The license they put it under has a SPECIFIC statement Barring license changes:
       * The licence and distribution terms for any publically available version or
       * derivative of this code cannot be changed. i.e. this code cannot simply be
       * copied and put under another distribution licence
       * [including the GNU Public Licence.]
       */

    8. Re:Not everyone is happy... by mysidia · Score: 2

      They don't have to "Sign it away to heirs". Copyrights automatically become property of their estate, unless they put in a legal structure to explicitly donate that asset, and their heirs will ultimately direct the disposition.

    9. Re: Not everyone is happy... by mysidia · Score: 2

      Some contributors' contributions may be so small they cannot actually claim copyright.
      As usual: it depends.

    10. Re:Not everyone is happy... by arglebargle_xiv · Score: 2

      Some of the contributors are upset

      Parent link (http://marc.info/?l=openbsd-tech&m=149028593819547) is highly informative.

      "Informative" in the sense that it shows Theo acting within character? He never says what his problem with the change is, just "I don't like it". I'm an OpenSSL contributor and I've OK'd the change, it's long past time they updated the license from that awkward not-really-BSD one to something more standard.

    11. Re:Not everyone is happy... by Phronesis · Score: 3, Informative

      FSF has required, for many years, that contributors to FSF projects assign copyright to FSF so they don't need to contact a zillion people for permission in managing GPL issues. Coding Standards for Accepting Contributions and Lawyer's Explanation

    12. Re:Not everyone is happy... by arglebargle_xiv · Score: 2

      Right, and neither of the two original license holders, Eric Young or Tim Hudson, have given consent to the change AFAIK.

  3. Re:It will not happen by queazocotal · Score: 4, Informative

    If you get enough, you can rewrite the remaining bits.

  4. Sounds odd.... by QuietLagoon · Score: 4, Informative

    ...They're now tracking down all 400 contributors to sign new license agreements...

    From what I read, OpenSSL are saying that if you have contributed, and you don't respond to their request to change the license on the code you contributed, OpenSSL will take your code and change the license on your code without your explicit permission.

    I really hope I am reading it incorrectly, because I would expect better behavior from a security-oriented project. Far better behavior.

    1. Re:Sounds odd.... by dabadab · Score: 3, Insightful

      You are reading it wrong.

      This article was about the decision about whether they should move to AL or not and "no response" was taken as a "yes" vote - but that's all.

      The actual license of the code can not be changed by the OpenSSL folks because they do not have the right to it - only the original contributor can do it.
      They have to do what every other license-changing project did: if the contributor does not respond or refuses the license change, his/her code will be removed and eventually rewritten by someone else.

      --
      Real life is overrated.

  5. Re:On a 20 year old project, by Antique+Geekmeister · Score: 4, Insightful

    It's why the FSF is so very careful that the GPL grants licenses to existing users, and is transitive so that changes are _also_ under GPL and free for publication and modification. It's also why various "you must advertise our name on this software" or "you may not make any changes to this software" clauses have repeatedly proven confusing and dangerous to use.

  6. Re:It will not happen by arglebargle_xiv · Score: 2

    Of course it won't happen. What's the likelihood that all 400 are still alive and mentally competent after a couple of decades?

    Have you ever read the OpenSSL code? I don't think lack of mental competency has ever stopped anyone from contributing in the past.

  7. Re:400 seems low by arglebargle_xiv · Score: 2

    There are lots of dups in there. So far I've received four different requests to OK the license change under different IDs.

  8. Estoppel by acquiescence and laches by raymorris · Score: 4, Informative

    > I'm pretty sure both common law and civil law jurisdictions would side with a contributor who objects after the fact, even if they did get the notice.

    If they got the notice, estoppel by acquiescence may apply. "Estoppel by acquiescence" means one may not sue later if you were given a clear opportunity to object and chose to not object in any way. Georgia v. South Carolina is a well-known case. Georgia had legal claim to certain land based on a treaty. For many years, South Carolina treated it as part of South Carolina, levying taxes in the area, etc. Georgia did not object during these many years. Later Georgia attempted to assert their claim to the area. The court ruled that Georgia's failure to object for many years barred the action - their silence was basically implied permission.

    A related concept is laches. Laches means you have to assert your rights in a reasonable time frame, or not at all - an author who files suit regarding the license change ten years from now will probably be barred by laches.

  9. Re:It will not happen by Kjella · Score: 3, Informative

    How the hell do you re-write something like that? An "if" statement keys on the value of a single variable and conditionally executes a function. There are some things for which there is only one solution. Someone might suggest "just cold-room it!" But how are they supposed to do that?

    You mean cleanroom. Copyright protects one particular expression (implementation) not the underlying idea (functionality), so the point is not necessarily to come up with a different solution but to document that it has been done independently. Yes, that means they must find an "untainted" developer to write the new code but you can in great detail describe the functionality as long as you don't impose a particular implementation. It's even been done "after the fact" as evidence:

    The court relied heavily on evidence NEC presented that compared a "clean room" program with both the V20/30 and Intel 8086/88 microcode. NEC hired an independent engineer (Gary Davidian) to develop a set of microcode for the V20/30 without access to any other microcode. Because Davidian's version of the microcode was similar in many regards to both the Intel and NEC microcodes, the court found it likely that those similarities were dictated not by copying of Intel's microcode, but rather by functional constraints of the hardware, the architecture, and the need for 8086/88 compatibility.

    The documentation is a pain in the butt, but the legal reasoning around it isn't so bad.

    --
    Live today, because you never know what tomorrow brings