[openssl-users] [openssl-announce] OpenSSL Versioning and License

Jakob Bohm jb-openssl at wisemo.com
Thu Nov 29 16:22:19 UTC 2018

On 28/11/2018 23:42, Jonathan Larmour wrote:
> On 28/11/18 21:41, Daniel Kahn Gillmor wrote:
>> On Wed 2018-11-28 19:54:34 +0000, Jonathan Larmour wrote:
>>> On 28/11/18 17:02, Matt Caswell wrote:
>>>> Please see the following blog post about OpenSSL Versioning and License:
>>>> https://www.openssl.org/blog/blog/2018/11/28/version/
>>> :-(
>>> The Apache license is incompatible with GPLv2:
>>> https://www.apache.org/licenses/GPL-compatibility.html
>>> Those of us using GPLv2 code in products will no longer be able to use
>>> OpenSSL. For many of us, GPLv3 is not an option.
>> The existing OpenSSL license is arguably incompatible with GPLv2 anyway,
>> in some analyses:
>>     https://people.gnome.org/~markmc/openssl-and-the-gpl.html
> Yes I believe any GPLv2 users have been relying on a license exception. I'm
> not sure the license exception in the GPL software I'm using would be
> sufficient if calls to OpenSSL are made from the GPL'd code:
> "As a special exception, if other files instantiate templates or use macros or
> inline functions from this file, or you compile this file and link it with
> other works to produce a work based on this file, this file does not by itself
> cause the resulting work to be covered by the GNU General Public License.[...]"
> If my own (non-GPL) code calls OpenSSL, that seems fine. But what if I have
> modified the GPL'd (with exception) code to call OpenSSL?

That's not the exception used for OpenSSL using software, that looks
more like the exception used when some software that should have been
LGPL was annoyingly marked as GPL instead.

The OpenSSL exceptions exist in very specific software packages and mention
"OpenSSL" or "The OpenSSL license" by name.  The problem (besides such an
exception only applying if all the used GPL code has it) is that such an
exception, depending on its wording, might not apply to an Apache-licensed
OpenSSL, and it may be very hard to track down every GPL copyright holder
and get them to sign off on a reworded exception that doesn't extend to
other large Apache-licensed code bases.

Another exception sometimes used is the "OS exception" (in the text of 
itself) applies only to an OS-bundled copy of OpenSSL, and only if the 
code is not bundled with the OS.  For example if using the specific 
builds of
OpenSSL distributed by Debian and RedHat, a GPLv2 program not packaged by
those systems can use that specific version of OpenSSL.

>> That said, I also would have liked something that is GPLv2-compatible in
>> addition to GPLv3-compatible.
> Yes, that would have made things unambiguous.
> Jifl


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list