Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Encryption Open Source Intel Oracle

After 20 Years, OpenSSL Will Change To Apache License 2.0, Seeks Past Contributors (openssl.org) 110

After nearly 20 years and 31,000 commits, OpenSSL wants to change to Apache License v2.0. They're now tracking down all 400 contributors to sign new license agreements, a process expected to take several months. Slashdot reader rich_salz shares links to OpenSSL's official announcement (and their agreement-collecting web site). "This re-licensing activity will make OpenSSL, already the world's most widely-used FOSS encryption software, more convenient to incorporate in the widest possible range of free and open source software," said Mishi Choudhary, Legal Director of Software Freedom Law Center and counsel to OpenSSL. "OpenSSL's team has carefully prepared for this re-licensing, and their process will be an outstanding example of 'how to do it right.'"
Click through for some comments on the significance of this move from the Linux Foundation, Intel, and Oracle.
  • "The Linux Foundation is excited to see the OpenSSL project re-licensing under the Apache License. Using a standard and well-understood license is a huge benefit when incorporating a FOSS project into other projects and products... this license move will further help to ensure it remains one of the most important and relied-upon open source projects in the world."

    -- Nicko van Someren, Chief Technology Officer, the Linux Foundation
  • "Oracle is proud to extend its collaboration with the OpenSSL Foundation by relicensing its contributions of elliptic curve cryptography. OpenSSL is a critical component in both Oracle products and the infrastructure of the Internet, and we strongly believe the increased use of cryptography fostered by OpenSSL will benefit the entire enterprise software community."

    -- Jim Wright, Chief Architect of Open Source Policy, Strategy, Compliance and Alliances, Oracle
  • "Intel is thrilled to see OpenSSL moving to the standard Apache 2.0 license, improving license compatibility within the Open Source ecosystem. This will help defragment the open source cryptography ecosystem, leading to stronger and more pervasive use of crypto to improve privacy and security in the global technology infrastructure."

    -- Imad Sousou, Vice President and General Manager of the Open Source Technology Center, Intel
This discussion has been archived. No new comments can be posted.

After 20 Years, OpenSSL Will Change To Apache License 2.0, Seeks Past Contributors

Comments Filter:
  • by NFN_NLN ( 633283 ) on Sunday March 26, 2017 @06:03PM (#54115037)

    What was the old license model?

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      OpenSSL has 2 licenses. Must follow both, not one or the other!

      About half of OpenSSL has some kind of BSD on steroids license. The other half has a homebrew open source BSD-style license made by the original author/contributor.

      Ref: https://www.openssl.org/source/license.html

    • by mysidia ( 191772 ) on Sunday March 26, 2017 @07:44PM (#54115439)

      Basically two Extended 3-Part BSD licenses WITH Advertising Clause, therefore the Purists would
      claim they are GPL-Incompatible, and GPL Software should not link with OpenSSL --- Although I do not
      agree with that assessment. No issues linking to OpenSSL so long as you obey the terms of the OpenSSL license
      in the binary distribution of OpenSSL, and the GPL in the terms of the distribution of the software linking to openssl.

      https://www.openssl.org/source... [openssl.org]

      • by Kjella ( 173770 )

        No issues linking to OpenSSL so long as you obey the terms of the OpenSSL license in the binary distribution of OpenSSL, and the GPL in the terms of the distribution of the software linking to openssl.

        Doesn't work that way... then you could say that your "licensed for non-commercial use" code is distributed for $0, I'm just charging for my code and your restriction can't extend to my code. You'd get rid of all license restrictions by "librarifying" it. Distribution is not the only exclusive right in copyright, so is preparing derived works and running something as one program in the same memory space is definitively that.

        Granted you've moved the primary violation over to the end user, who may or may not

    • It was a dual license. One of the licenses was unique to OpenSSL. LibreSSL is no better in this sense, and seems to have the exact OpenSSL license, as listed here:

      * https://github.com/libressl/li... [github.com]

      The Apache license has been more portable and more acceptable to many developers and software publishers. It will be very interesting to see how this plays out.

      • LibreSSL is no better in this sense, and seems to have the exact OpenSSL license.

        Well, of course, one thing you can't do when forking is change the license

        • You can't safely relicense without negotiating the new license with the copyright holders.

          The "advertising clause" embedded in the existing OpenSSL license does present an awkward confusion for LibreSSL. I'm curious to see if this is partly an attempt to clarify the licensing for LibreSSL and for commercial forks, for whom the advertising clause can be difficult to explain to clients.

  • by Anonymous Coward on Sunday March 26, 2017 @06:12PM (#54115075)

    Some of the contributors are upset about the way that this license change is being pushed through. See

    http://marc.info/?l=openbsd-tech&m=149028593819547 [marc.info]

    • by Mitreya ( 579078 ) <mitreya.gmail@com> on Sunday March 26, 2017 @06:24PM (#54115133)

      Some of the contributors are upset

      Parent link (http://marc.info/?l=openbsd-tech&m=149028593819547) is highly informative.

      The last sentence of the email is particularly enlightening:

      If we do not hear from you, we will assume that you have no objection.

      Even the most obnoxious EULAs do not assume consent if they cannot get your response.

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        Personally, I would have thought that would not be legally enforceable?
        If such language is legal, then that allows anyone to send a spam-like message to anyone and then receive their agreement for anything; I mean, how many people actually read the email in their spam folder?

        I await the serious legal ramifications that stem from this with interest.

        • by skids ( 119237 )

          Projects might want to learn from this, and start to ask developers if they'd be OK with allowing future project governance to change the license. Not everyone would say OK to that, but it could drastically reuce the number of contributers that need to e contacted.

          • by Phronesis ( 175966 ) on Sunday March 26, 2017 @09:46PM (#54115915)
            FSF has required, for many years, that contributors to FSF projects assign copyright to FSF so they don't need to contact a zillion people for permission in managing GPL issues. Coding Standards for Accepting Contributions [gnu.org] and Lawyer's Explanation [gnu.org]
        • by maglor_83 ( 856254 ) on Sunday March 26, 2017 @07:32PM (#54115379)

          Especially since one of the licenses that all contributors have agreed to specifically states that the licence CANNOT BE CHANGED.

          • by Anonymous Coward

            I have altered the license. Pray I do not alter it further.

          • Yeah, that puzzled me too. As far as I could see they were stuck with that license forever, I can understand that they can change the license for contributions but not for the original code.
            • That would cover unilateral changes, such as the GPL's provision that the code can be relicensed under future versions of the GPL. Modification of a contract--and a license is just a contract--is allowed by mutual assent of the parties. That's basic contract law.

        • It isn't enforceable if you have a significant interest in the software, but if you only have insignificant contributions then it probably is good enough.

          The court would have to balance each of those situations individually by its own merits, there isn't a general rule to smack it with. So some of the people who got that email, that is all they really need to get. Others, it is not enforceable because they have a significant interest in the code and would have to give express consent to any license changes.

      • I can see both sides of that last bit. They need to make such an assumption if they want to make progress as some people may no longer be reachable (no known email address, passed away). Making that assumption that no response equals acquiescence lets them move forward.

        The problem is that some people that they weren't able to reach may not like the new license agreement. Also I'm not sure if such an assumption would stand up in court should it come to that.

        • by Entrope ( 68843 ) on Sunday March 26, 2017 @06:40PM (#54115193) Homepage

          Pragmatism is not sufficient to legally justify the assumption that people are okay with the relicensing unless they object. I'm pretty sure both common law and civil law jurisdictions would side with a contributor who objects after the fact, even if they did get the notice.

          • by raymorris ( 2726007 ) on Sunday March 26, 2017 @10:21PM (#54116071) Journal

            > I'm pretty sure both common law and civil law jurisdictions would side with a contributor who objects after the fact, even if they did get the notice.

            If they got the notice, estoppel by acquiescence may apply. "Estoppel by acquiescence" means one may not sue later if you were given a clear opportunity to object and chose to not object in any way. Georgia v. South Carolina is a well-known case. Georgia had legal claim to certain land based on a treaty. For many years, South Carolina treated it as part of South Carolina, levying taxes in the area, etc.Georgia did not object during these many years. Later Georgia attempted to assert their claim to the area. The court ruled that Georgia's failure to object for many years barred the action - their silence was basically implied permission.

            A related concept is laches. Laches means you have to assert your rights in a reasonable time frame, or not at all - an author who files suit regarding the license change ten years from now will probably be barred by laches.

            • Acquiescence requires that the party making the new claim not be aware that they are infringing the other party's rights. (In the GA/SC boundary disputes, there were reasonable and independent bases to declare that some of the islands were in SC under the treaty and usual rules of territory.). The OpenSSL group here is clearly aware that they do not hold the copyrights here, or have permission to change the license.

        • by uncqual ( 836337 )

          Even if the contributor has passed away, they may have signed over whatever remaining rights they had in their software to heirs. Good luck figuring that out.

          • by mysidia ( 191772 )

            They don't have to "Sign it away to heirs". Copyrights automatically become property of their estate, Unless they put in a legal structure to explicitly donate that asset, and their heirs will ultimately direct the disposition.

            • They don't have to "Sign it away to heirs". Copyrights automatically become property of their estate, Unless they put in a legal structure to explicitly donate that asset, and their heirs will ultimately direct the disposition.

              And the Executor of the Estate has to usually be convinced of to do what is being asked, they often have not understanding of the field, etc - so it's usually a very long, hard road; usually code gets rewritten in those cases.

        • by mysidia ( 191772 )

          They need to make such an assumption if they want to make progress as some people may no longer be reachable

          Regardless of what is convenient for the project, the DEFAULT Under copyright is ALL RIGHTS RESERVED.
          The licensing for the contributions were not implicit.... OpenSSL contributions were made under a specific license
          https://www.openssl.org/source... [openssl.org]

          The license they put it under has a SPECIFIC statement Barring license changes:
          * The licence and distribution terms for any publically available version

          • by Anonymous Coward

            The license they put it under has a SPECIFIC statement Barring license changes

            That's changes by third parties. The authors of the work can change the license at any time (but not retroactively for past versions), if they can reach a consensus.

      • Theo de Raadt is not the world most reasonable person, but I don't think any lawyer would say that the OpenSSL people are on solid legal footing with opt-opt relicensing.

        • Re: (Score:3, Interesting)

          by Anonymous Coward

          I used to think the same before I talked to some legal people -- you might be surprised. Making a good-faith, reasonable effort to contact everyone involved and give them a chance to object, and get agreement from all significant contributors with the unknown portion driven down to a miniscule portion, and apparently it can be viable. It's not a situation I would count out without actually talking with an expert for each specific situation.

          • Bullshit. Copyright licensing is ONLY assignable in writing. That's the law, as anyone who followed groklaw would know. Also, good luck getting approval from all 400 - after 20 years some are going to be dead.
            • by tepples ( 727027 )

              Is it illegal to rewrite from scratch the contributions of those few authors who cannot be reached if alive or whose estate cannot be reached if deceased?

            • by mysidia ( 191772 )

              Some contributors contributions may be so small they cannot actually claim copyright.
              As usual: it depends.

            • Copyright licensing is ONLY assignable in writing.

              Copyright is only assignable in writing. The law doesn't require that copyright licenses be formal, written documents. Courts have upheld verbal and even implied licenses. This is a very good thing for open source, actually, since hardly any projects get written licenses from contributors. The mere act of sending a pull request (or sending a patch to a mailing list, or...) is taken as an implied license of the author's contribution, under the license or licenses that the project is using.

              Also, good luck getting approval from all 400 - after 20 years some are going to be dead.

              That only matters

              • What happens if you can't find the heirs? The code has to be abandoned, rewritten from scratch, or otherwise replaced or superceded. How would a stranger contact your heirs, given only your email address? Given that plenty of people don't have an email address that consists of only their proper name, you're going to be looking at a lot of potential candidates for email addresses of heirs. And it's not like you can just shoot off an email to the dead person and expect their heirs to answer it.
                • What happens if you can't find the heirs?

                  You ignore the situation and go on. If at some point in the future the heirs object, then you identify and rewrite the code.

          • by Kjella ( 173770 )

            I used to think the same before I talked to some legal people -- you might be surprised.

            It's the sort of thing legal people can blabber on and on about, but when you consider that anyone distributing this project can be sued in 100+ jurisdictions with different laws and legal systems most of them will get very quiet. And at least in the US there are statutory damages, who ever is "hurt" doesn't have to prove that, they just have to prove infringement and they can cash in which could be tempting for a greedy heir. And not necessarily just liability either, fraudulent removal or alteration of a

          • by Anonymous Coward

            I've seen it done for a codebase with an indeterminate number of contributors and *no* existing license. The 5 major developers agreed on what the new license should be, told the community and asked that anyone who disagreed tell them what lines of code they owned (and demonstration it was theirs - the records weren't good for anyone). I was among the minor contributors, and posted that I thought my add-on scripts and a few little bugfixes were below the threshold for copyright and was fine with that.

      • Even the most obnoxious EULAs do not assume consent if they cannot get your response.

        Its a politeness thing, not a a requirement. OpenSSL has always required contributors to assign copyright to the OpenSSL foundation. They don't *have* to ask permission.

        • by mysidia ( 191772 )

          I know for a fact they haven't "ALWAYS" required contributors to assign any rights.
          Even if they have, assignment without consideration may be non-binding.

          Also, I'm fairly sure Eric Young and Hudson haven't assigned copyright to them,
          they're using the code in a commercial SSL library for $$$, after all.....

          • Courts have already looked at that and didn't blink. It is hypothesizing of a very silly sort, because the answer is obvious and already known.

            When you license code to the world in return for conditions in a license, those conditions are the consideration you received. Done. This is not a mystery.

            If some business comes to me and asks for me to write some code for them, and I tell them that I'll do it for $100, and they agree, then I received $100 of consideration. If instead I tell them, you don't have to p

      • Some of the contributors are upset

        Parent link (http://marc.info/?l=openbsd-tech&m=149028593819547) is highly informative.

        "Informative" in the sense that it shows Theo acting within character? He never says what his problem with the change is, just "I don't like it". I'm an OpenSSL contributor and I've OK'd the change, it's long past time they updated the license from that awkward not-really-BSD one to something more standard.

        • Theo has voiced concerns specifically against the Apache 2.0 licence -- a decade ago.

          What is up with some free software providers?! They say "Here's something free! Oh wait, I changed my mind."

          While not exactly bait-and-switch, this is something which has been causing the community continual grief, and therefore we decided to honour a few of the projects that have decided to go non-free. After all.. having gone non-free, no one is going to remember them in the end.
          [...]
          The Apache group started from the humble beginnings of just being 'a patchy' set of changes to a completely free web server of dubious quality. But the years have changed them, and what they supply is now quite non-free... released under a license so entangled in legalese that we have absolutely no doubt that there are encumbrances hidden within. Legal terms protect. Who are they protecting? Not your freedom.

          (From https://www.openbsd.org/lyrics... [openbsd.org] ; I'm sure there's a relevant mailing list post somewhere.)

          Basically, they refused to update their in-tree Apache from 1.3.30 to anything newer, since 1.3.31 and so forth were Apache 2.0 licensed. Many years later, I believe they removed it and replaced it with something whose licence they could agree with (nginx IIRC).

          In general, the BSDs are really wary of incorporating anything tha

    • by mysidia ( 191772 )

      So then encourage as many authors as possible to write a Reply:

      I Do Not consent at this time to the license change regarding my contribution Nor any derivative work, added, or modified versions thereof.
      Derivative work includes all code added or to the project after my contributions which extended any functionality on
      top of OpenSSL based on any derivative of my earlier code, Including any non-literal copying of design style, naming conventions, or other aesthetic and miscellaneous aspects of my work f

    • Some of the contributors are upset about the way that this license change is being pushed through. See

      http://marc.info/?l=openbsd-tech&m=149028593819547 [marc.info]

      There's always going to be a difficult one looking for any angle to complain and obstruct.

  • Finding hundreds of contributors and obtain a license change from them will not happen.

    The only workable solution is just to change it and hope nobody will complain.

    • by queazocotal ( 915608 ) on Sunday March 26, 2017 @06:36PM (#54115169)

      If you get enough, you can rewrite the remaining bits.

      • Unwinding it all to figure out who contributed to what source files is the hardest part. I suppose at

        In reality my guess that of the 400 contributors, a much smaller number contributed to the bulk of the code. Some of the contributors might have only made one or two small contributions that would be easy to work around if they didn't give consent or they could not be located.

    • Of course it won't happen. What's the likelihood that all 400 are still alive and mentally competent after a couple of decades?
      • Of course it won't happen. What's the likelihood that all 400 are still alive and mentally competent after a couple of decades?

        Have you ever read the OpenSSL code? I don't think lack of mental competency has ever stopped anyone from contributing in the past.

  • We are asking for your permission to change the licence for your contribution.
    ...
    If we do not hear from you, we will assume that you have no objection.

    Yes, and I'm asking for the same permission to own all assets associated with openssl.org. If I don't hear back from you, I'll assume you have no objection.

  • by Anonymous Coward

    I'm willing to do public domain, unlicense. I could be persuaded to go to 2-clause BSD, MIT, ISC but there is not really any way I'd be happy with Apache license. I wasn't that happy with the OpenSSL licenses when I contributed but there wasn't a choice. But now that I've been given some influence, I'm going to use it to decide what happens to my contributions.

    This will likely end with my code being throw out and someone rewriting it, but I'd at least like to see how far I can take this.

    • by Anonymous Coward

      We're listening.

      Had to scroll down to find this 1 lonely comment.

      Please tell us more what you dislike about the Apache license specifically.

  • Sounds odd.... (Score:5, Informative)

    by QuietLagoon ( 813062 ) on Sunday March 26, 2017 @07:18PM (#54115313)

    ...They're now tracking down all 400 contributors to sign new license agreements...

    From what I read, OpenSSL are saying that if you have contributed, and you don't respond to their request to change the license on the code you contributed, OpenSSL will take your code and change the license on your code without your explicit permission.

    .
    I really hope I am reading it [theregister.co.uk] incorrectly, because I would expect better behavior from a security-oriented project. Far better behavior.

    • Re:Sounds odd.... (Score:4, Insightful)

      by dabadab ( 126782 ) on Monday March 27, 2017 @05:42AM (#54117295)

      You are reading it wrong.

      This article was about the decision about whether they should move to AL or not and "no response" was taken as a "yes" vote - but that's all.

      The actual license of the code can not be changed by the OpenSSL folks because they do not have the right to it - only the original contributor can do it.
      They have to do what every other license-changing project did: if the contributor does not respond or refuses the license change, his/her code will be removed and eventually rewritten by someone else.

  • If the devs were okay with the previous licenses, what are they likely to object to in the proposed license?

    I don't think I've ever heard anyone rant against Apache 2.0.

  • What's the existing license? Is this a migration from copyleft to a more permissive license, or is this a migration from an unusual license (some kind of openbsd license?) to something more standard?

    Also:

    Oracle is proud to extend its collaboration with the OpenSSL Foundation by relicensing its contributions of elliptic curve cryptography

    What company that Oracle has bought originally contributed this?

    • or is this a migration from an unusual license (some kind of openbsd license?) to something more standard?

      OpenBSD has nothing to do with the OpenSSL project.

      OpenSSH and OpenNTPD and OpenBGPD are the projects they are responsible for IIRC. Yes, I know, it's confusing. (OpenNTPD is wonderful, by the way.)

      The current licence of OpenSSL is the four-clause BSD licence. It's not the most desirable licence but it's about as standard as you can get.

      It is a migration to a more complex licence, if we count by the number of words.

  • Everything it provides will be integrated into systemd anyway, they need it as part of the upcoming systemd web browser.

Children begin by loving their parents. After a time they judge them. Rarely, if ever, do they forgive them. - Oscar Wilde

Working...