[openssl-dev] We're working on license changes

Brian Smith brian at briansmith.org
Tue Aug 4 20:02:37 UTC 2015


On Tue, Aug 4, 2015 at 2:47 PM, Salz, Rich <rsalz at akamai.com> wrote:

> > It is natural for a lawyer to tell you to require lots of things to
> > protect whatever entity is paying them.
>
> Well, yeah, sure.  But I would hope that the bona fides of the SFLC and
> Eben Moglen aren't being called into question.
>

Nope. What I'm saying is that lawyers work a lot like us: They help you
build a threat model, and then they help you create a defense for that
threat model. Basically, I'm asking for more considerations to be added to
the threat model:

* The new licensing should facilitate sharing code between the BoringSSL,
LibreSSL, and OpenSSL projects, and it should be clear how this is done.
* The new licensing should facilitate using OpenSSL code with GPLv2 code,
the Linux Kernel and GMP in particular. See [0] in the OpenSSL FAQ.
* The new license should treat every contributor equally. Contributors
should not have to grant privileges to any other contributor beyond the
privileges given in the license that everybody has.


> > Please let me know if you want me to put you in touch with the licensing
> > people at Mozilla who can probably help you do the same.
>
> Sure, please contact me (rsalz at openssl.org)
>

Sure, will do (privately).


> > To be clear, I don't have any problem with the OpenSSL Foundation being
> > a for-profit corporation. But, it does make for a very different situation
> > than how the Apache Software Foundation[3] or even Mozilla operates, and I
> > think that distinction is very important when it comes to licensing.
>
> Since Matt has explained that we're not a for-profit corporation, I assume
> that this is no longer a concern for you.  We are *not* a tax-exempt
> charitable organization, but we are not for profit.
>

The OpenSSL website says[1] "the OpenSSL Software Foundation (OSF) is
incorporated in the United States as a regular for-profit corporation," and
the proposed CLA[2] is an agreement between the contributor and that
for-profit corporation.

Anyway, I don't think we need to rathole on that, because my point is that
there should be a way to do the licensing that doesn't require any CLA for
future contributions, but only for past contributions.

[0] https://www.openssl.org/support/faq.html#LEGAL2
[1] https://openssl.org/support/donations.html
[2] https://www.openssl.org/licenses/openssl_icla.pdf

Cheers,
Brian
-- 
https://briansmith.org/