This is a huge win. The incompatibility between OpenSSL and the GPL has been one of the most notable license incompatibilities regularly encountered in practice. With this change, OpenSSL will become compatible with GPLv3, which also makes it compatible with software licensed "version 2 or later". People will no longer need to choose and port to another crypto library for license reasons.
It is also (according to the OpenBSD mailing list) a huge loss for LibreSSL and OpenBSD because they can no longer take patches from openssl.
There is no explicit mention of tools like OpenSSH that are part of OpenBSD, but are more widely distributed. I don't know enough details to know if they are impacted or not (but would love to hear from someone that does know).
You also need the permission of all the authors of the code those patches are based on, because almost all new patches are inevitably derived work of the existing codebase.
It's not practical unless you can maintain a near-100% approval rate from all OpenSSL contributors that their patches are dual-licensed.
This isn't relevant to LibreSSL and so isn't ported: no problem.
Then someone else realizes that the foo2 change should also apply to foo1:
foo1():
bar()
+ baz()
While this patch will apply cleanly to LibreSSL, the idea that after calling bar() you should call baz() is something they figured out in OpenSSL, and is plausibly a derivative work of OpenSSL.
The more copy-and-pasty the change is, the easier it is to be in a situation where a patch that would apply cleanly to pre-fork code would actually be dependent on post-fork code.
"Permissive" is a spectrum on many dimensions. This relicensing is less permissive than the old license in some ways (like patent requirements for developers) and more permissive in others (the advertising clause).
If the relicensing was done with the requirements of the whole open source community in mind, they would have dual-licensed or just removed the advertising clauses (and whatever else is GPL incompatible).
Why not turn the tables and relicense OpenSSL under the AGPL? Current users couldn't accept security patches unless they "chose" not to release a bunch of unrelated proprietary code under the AGPL, including things they don't have copyright to.
The only real difference is that service provider's rights would be trampled instead of developer's rights.
"Please note that this license is not compatible with GPL version 2, because it has some requirements that are not in that GPL version. These include certain patent termination and indemnification provisions. The patent termination provision is a good thing, which is why we recommend the Apache 2.0 license for substantial programs over other lax permissive licenses."
It's clear that keeping the patent clause was more important to them than keeping GPLv2 compatibility, because otherwise they could have just gone with MIT.
OpenSSL's license is _already_ incompatible with the GPL. The Apache license would make it compatible with the GPLv3, and thus with anything that is GPLv2 "or any later version".
A dual license as done with mbed TLS or other similar projects would be huge win for both parties.
ASL 2.0 only is a huge loss for LibreSSL and OpenBSD. It's even an outragious death threat to them.
OpenSSL could, starting tomorrow, drop the 4-clause BSD dual license and only keep the Apache v1 license. And they could do so without the approval of any of the copyright holders. In fact that's all that is being asked of the copyright holders---to drop an advertising clause that doesn't even mention their name.
So the supposed death that to LibreSSL that the license change constitutes is nothing but a red herring, or at least it's a red herring to tie it to the license change.
""Permissive" is a spectrum on many dimensions. This relicensing is less permissive than the old license in some ways (like patent requirements for developers) and more permissive in others (the advertising clause).
"
This represents a pretty severe misunderstanding of the practical legal views of both BSD and Apache 2.
"If the relicensing was done with the requirements of the whole open source community in mind, they would have dual-licensed or just removed the advertising clauses (and whatever else is GPL incompatible)."
Dual licensing doesn't actually fix your problems (since anyone using it has to choose one of the licenses. It's not the union of the good features of both licenses, it's "choose your poison), and "or just removed the advertising clauses (and whatever else is GPL incompatible)" represents another severe misunderstanding of what makes apache incompatible with gplv2 (which is pretty much the parts that make it a good license)
Though worth noting that ASLv2 is not compatible with straight GPLv2 (the "or later" part of "version 2 or later" is crucial). This is why some projects dual-license as MIT/ASLv2, because MIT is compatible with GPLv2.
LLVM's proposed switch included a provision to make it explicitly compatible with GPLv2. That seems like a nice precedent to follow for other projects that are considering Apache 2 as their license.
I'd say that works for LLVM only because Apple can afford lawyers who can argue that provision if it ever came to that (not that I think it ever would). AFAICT, ASLv2 is superior to BSD/MIT in all practical respects except for the GPLv2 compatibility, and if it were so trivially easy to make a version of ASLv2 that didn't have that downside, then I feel like some company would have already done that and instantly created The One Permissive License To Rule Them All (and in the eyes of the law, bind them).
Until such an exceptional provision becomes established precedent, I'd suggest that small projects stick to vetted licenses rather than pitching in with anything novel.
AFAICT this is overstating the patent-related aspects of ASL. It doesn't require a patent grant or nullify any parents you hold, or even prevent you from suing others over misuse of those patents. All it does is provide mutually assured destruction: if you sue someone over the use of your patent within this software, then you forfeit any legal protection from others who have patents within this software. This is extremely company-friendly, because companies are the ones who tend to go around suing over patents, and also the ones who feel compelled to stock up on patents to use defensively.
Dual MIT/ASLv2 is how Rust achieves GPLv2 compatibility while requiring contributions to be under the superior (to MIT) ASLv2 language, too. ASLv2/GPLv2 dual would achieve the GPLv2 compat goal without potential unintended other consequences arising from the MIT part.
The old Mozilla tri-license had both LGPL and GPL to relieve recipients from following the (impractical) letter of LGPLv2.1 when choosing to do the LGPLv2.1 to GPLv2 step.
I wasn't thinking of OpenSSL specifically but rather as a general question. E.g. why is Rust ASL2/MIT licensed (my guess is that it's just what Graydon originally chose for whichever reasons and nobody cares enough to change it)?
A "huge win" being enacted by a complete disregard for the copyright holders who were kind enough to contribute to the project. I find this behavior utterly unacceptable. If more projects attempted this bullshit the whole world would be a mess. What's to stop someone from relicensing a GPL program to closed-source, and assuming that anyone who might object would have spoken up? This is breathtakingly idiotic.
> A "huge win" being enacted by a complete disregard for the copyright holders who were kind enough to contribute to the project.
Uh, no. That's not how this works.
OpenSSL cannot change the license without say-so from all of the contributors, unless a CLA was signed. They do have a CLA, but just one granting a license, not one transferring ownership (and the right to relicense). At least, doesn't look like it.
OpenSSL emailed everyone with commits on the project (e.g. me) a link to a page where you could say yes/no on this. In most cases this isn't a vote, it's all-or-nothing, though the choices of people with extremely minor (non copyrightable) contributions can be excluded IIRC.
IANAL.
(There is some discussion below about "if you don't reply we take that as a yes" being okay, though)
They're daring you to sue them, in which case you would be required to provide a list of the parts of the code that you claim copyright over, which they could then attempt to excise via black-box reimplementation. It's one of those "ask forgiveness rather than permission" things, and is pretty much how every large project relicensing operates (the exceptions being those projects that require copyright assignment via signed CLA).
> They're daring you to sue them, in which case you would be required to provide a list of the parts of the code that you claim copyright over, which they could then attempt to excise via black-box reimplementation
Reimplementing after you are sued for copyright violation doesn't get you off the hook for the past violations, including enhanced damages for willful infringement, for which this would seem to be an open and shut case.
Well, in the unlikely event the contributor chose to register their copyright on a timely basis, statutory damages would apply, independent of actual loss.
Of course, since it's a permissive license, you've also got potential downstream commercial infringement to which the unauthorized relicensing is contributory.
What happens if the Author dies? Are they and their heirs still the copyright holders? I always assumed anything licensed under the GPL would contain that license post mortem.
In USA the copyright holder (which might be the late author's estate) owns the IP for 70 years after death of the original author. After the 70 years have elapsed the work enters the public domain.
Those are new works. The old works are supposed to pass to the public domain.
And of course, Disney takes heavily FROM the public domain (Aladdin, Pocahontas, Beauty and the Beast, Hunchback of Notre Dame, Hercules, Tarzan, Snow White...)
They have trademarked it, but not copyrighted it. The trademark is a bit overstepping - no-one else can market something as Snow White - but anyone can do the Snow White story, as long as Ms White doesn't look like the Disney artwork.
The estate will own it for a time period.
Copyright law has a reclamation period after 35 years where, in a bunch of circmustances, you can terminate all exclusive and non-exclusive licenses and take it back
I would guess that if only a small number of contributors disagree, they'll follow-up by asking those contributors which parts they claim a copyright interest in. Then it can be determined if it's feasible to go forward without those contributions or not.
> What's to stop someone from relicensing a GPL program to closed-source.
Nothing, but it doesn't retroactively affect anyone who already has a copy of the software under the GPL. What might stand in the way is a copyright holder refusing to go along with the relicensing.
