www-legal-discuss mailing list archives

From Marvin Humphrey <mar...@rectangular.com>
Subject Re: Dependency on OpenSSL
Date Thu, 02 Jun 2016 21:38:00 GMT
On Thu, Jun 2, 2016 at 1:01 PM, William A Rowe Jr <wrowe@rowe-clan.net> wrote:
> On Thu, Jun 2, 2016 at 1:13 PM, Steve Varnau <steve.varnau@esgyn.com> wrote:
>>
>> Hello,
>>
>> Per Justin's suggestion (below) I wanted to ask whether it is okay for our
>> project to have a dependency on OpenSSL.
>> OpenSSL is working on changing licensing[1], but currently seems to be
>> Category X.
>
> Welcome news, and there is lots of code to yet refactor to eliminate all
> of the originally licensed code.  But as to Category "X", how do you come
> to this conclusion?
>
> It is a BSD+Advertising Clause derivative license, which we've always
> understood as permissible as a dependency... but with an important
> caveat in the FAQ...
>
> "Please also ensure to comply with any attribution/notice requirements in
> the specific license in question."
>
> BSD with no Advertising clause is Category "A", but the presence
> of the clause triggers our Category "B" case.

As far as I can tell, the 4-clause BSD license is not listed under any
"category" -- it's not in "A", "B", or "X", it is simply not covered by
<http://www.apache.org/legal/resolved>.

Upon closer review, I lean towards adding it to "category X".  The advertising
clause is uniquely onerous.

    3. All advertising materials mentioning features or use of this software
       must display the following acknowledgement:
       This product includes software developed by the <organization>.

Compare that against the third clause of Apache 1.1, which is quite
flexible about where acknowledgments must appear, as opposed to the "All
advertising materials" requirement in 4-clause BSD...

    3. The end-user documentation included with the redistribution,
       if any, must include the following acknowledgment:
          "This product includes software developed by the
           Apache Software Foundation (http://www.apache.org/)."
       Alternately, this acknowledgment may appear in the software itself,
       if and wherever such third-party acknowledgments normally appear.

... or against the notification requirements from section 3 of the Mozilla
Public License 2.0, which are also flexible:

    https://www.mozilla.org/en-US/MPL/2.0/

    [...] You must inform recipients that the Source Code Form of the Covered
    Software is governed by the terms of this License, and how they can obtain
    a copy of this License. [...]

    If You distribute Covered Software in Executable Form then:

    a.  such Covered Software must also be made available in Source Code Form,
        as described in Section 3.1, and You must inform recipients of the
        Executable Form how they can obtain a copy of such Source Code Form by
        reasonable means in a timely manner [...]

Both Apache 1.1 and Mozilla 2.0 can be satisfied for binary distributions by
the propagation of the contents of NOTICE to
META-INF/"About"-box/end-user-documentation/etc. -- but that's *not* true for
4-clause BSD, which insists on propagation to advertising materials.

Marvin Humphrey
