After 20 Years, OpenSSL Will Change To Apache License 2.0, Seeks Past Contributors (openssl.org)
Date: 2017-03-26
After nearly 20 years and 31,000 commits, OpenSSL wants to change to Apache License v2.0. They're now tracking down all 400 contributors to sign new license agreements, a process expected to take several months. Slashdot reader rich_salz shares links to OpenSSL's official announcement (and their agreement-collecting web site). "This re-licensing activity will make OpenSSL, already the world's most widely-used FOSS encryption software, more convenient to incorporate in the widest possible range of free and open source software," said Mishi Choudhary, Legal Director of Software Freedom Law Center and counsel to OpenSSL. "OpenSSL's team has carefully prepared for this re-licensing, and their process will be an outstanding example of 'how to do it right.'"
Click through for some comments on the significance of this move from the Linux Foundation, Intel, and Oracle.
- "The Linux Foundation is excited to see the OpenSSL project re-licensing under the Apache License. Using a standard and well-understood license is a huge benefit when incorporating a FOSS project into other projects and products... this license move will further help to ensure it remains one of the most important and relied-upon open source projects in the world."
-- Nicko van Someren, Chief Technology Officer, the Linux Foundation
- "Oracle is proud to extend its collaboration with the OpenSSL Foundation by relicensing its contributions of elliptic curve cryptography. OpenSSL is a critical component in both Oracle products and the infrastructure of the Internet, and we strongly believe the increased use of cryptography fostered by OpenSSL will benefit the entire enterprise software community."
-- Jim Wright, Chief Architect of Open Source Policy, Strategy, Compliance and Alliances, Oracle
- "Intel is thrilled to see OpenSSL moving to the standard Apache 2.0 license, improving license compatibility within the Open Source ecosystem. This will help defragment the open source cryptography ecosystem, leading to stronger and more pervasive use of crypto to improve privacy and security in the global technology infrastructure."
-- Imad Sousou, Vice President and General Manager of the Open Source Technology Center, Intel
What was the old license model?
OpenSSL isn't under the GPL - it has its own unique, dual license.
Some of the contributors are upset about the way that this license change is being pushed through. See
http://marc.info/?l=openbsd-tech&m=149028593819547
Some of the contributors are upset
Parent link (http://marc.info/?l=openbsd-tech&m=149028593819547) is highly informative.
The last sentence of the email is particularly enlightening:
If we do not hear from you, we will assume that you have no objection.
Even the most obnoxious EULAs do not assume consent if they cannot get your response.
Personally, I would have thought that would not be legally enforceable?
If such language is legal, then that allows anyone to send a spam-like message to anyone and then receive their agreement for anything; I mean, how many people actually read the email in their spam folder?
I await the serious legal ramifications that stem from this with interest.
Projects might want to learn from this, and start to ask developers if they'd be OK with allowing future project governance to change the license. Not everyone would say OK to that, but it could drastically reduce the number of contributors that need to be contacted.
I can see both sides of that last bit. They need to make such an assumption if they want to make progress as some people may no longer be reachable (no known email address, passed away). Making that assumption that no response equals acquiescence lets them move forward.
The problem is that some people that they weren't able to reach may not like the new license agreement. Also I'm not sure if such an assumption would stand up in court should it come to that.
Pragmatism is not sufficient to legally justify the assumption that people are okay with the relicensing unless they object. I'm pretty sure both common law and civil law jurisdictions would side with a contributor who objects after the fact, even if they did get the notice.
Even if the contributor has passed away, they may have signed over whatever remaining rights they had in their software to heirs. Good luck figuring that out.
Theo de Raadt is not the world's most reasonable person, but I don't think any lawyer would say that the OpenSSL people are on solid legal footing with opt-out relicensing.
I used to think the same before I talked to some legal people -- you might be surprised. Making a good-faith, reasonable effort to contact everyone involved and give them a chance to object, and get agreement from all significant contributors with the unknown portion driven down to a minuscule portion, and apparently it can be viable. It's not a situation I would count out without actually talking with an expert for each specific situation.
It will not happen
Finding hundreds of contributors and obtaining a license change from them will not happen.
The only workable solution is just to change it and hope nobody will complain.
If you get enough, you can rewrite the remaining bits.
Yes, and I'm asking for the same permission to own all assets associated with openssl.org. If I don't hear back from you, I'll assume you have no objection.