www-legal-discuss mailing list archives

From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: Dependency on OpenSSL
Date Thu, 02 Jun 2016 22:59:25 GMT
On Thu, Jun 2, 2016 at 4:38 PM, Marvin Humphrey <marvin@rectangular.com>
wrote:

> On Thu, Jun 2, 2016 at 1:01 PM, William A Rowe Jr <wrowe@rowe-clan.net>
> wrote:
> > On Thu, Jun 2, 2016 at 1:13 PM, Steve Varnau <steve.varnau@esgyn.com> wrote:
> >>
> >> Hello,
> >>
> >> Per Justin's suggestion (below) I wanted to ask whether it is okay for our
> >> project to have a dependency on OpenSSL.
> >> OpenSSL is working on changing licensing[1], but it currently seems to be
> >> Category X.
> >
> > Welcome news, and there is lots of code to yet refactor to eliminate all
> > of the originally licensed code.  But as to Category "X" How do you come
> > to this conclusion?
> >
> > It is a BSD+Advertising Clause derivative license, which we've always
> > understood as permissible as a dependency... but with an important
> > caveat in the FAQ...
> >
> > "Please also ensure to comply with any attribution/notice requirements in
> > the specific license in question."
> >
> > BSD with no Advertising clause is Category "A", but the presence
> > of the clause triggers our Category "B" case.
>
> As far as I can tell, the 4-clause BSD license is not listed under any
> "category" -- it's not in "A", "B", or "X", it is simply not covered by
> <http://www.apache.org/legal/resolved>.
>
> Upon closer review, I lean towards adding it to "category X".  The advertising
> clause is uniquely onerous.
>
>     3. All advertising materials mentioning features or use of this software
>        must display the following acknowledgement:
>        This product includes software developed by the <organization>.
>
> Compare that against the third clause of Apache 1.1, which is quite
> flexible about where acknowledgments must appear, as opposed to the "All
> advertising materials" requirement in 4-clause BSD...
>
>     3. The end-user documentation included with the redistribution,
>        if any, must include the following acknowledgment:
>           "This product includes software developed by the
>            Apache Software Foundation (http://www.apache.org/)."
>        Alternately, this acknowledgment may appear in the software itself,
>        if and wherever such third-party acknowledgments normally appear.
>
> ... or against the notification requirements from section 3 of the Mozilla
> Public License 2.0, which are also flexible:
>
>     https://www.mozilla.org/en-US/MPL/2.0/
>
>     [...] You must inform recipients that the Source Code Form of the Covered
>     Software is governed by the terms of this License, and how they can obtain
>     a copy of this License. [...]
>
>     If You distribute Covered Software in Executable Form then:
>
>     a.  such Covered Software must also be made available in Source Code Form,
>         as described in Section 3.1, and You must inform recipients of the
>         Executable Form how they can obtain a copy of such Source Code Form by
>         reasonable means in a timely manner [...]
>
> Both Apache 1.1 and Mozilla 2.0 can be satisfied for binary distributions by
> the propagation of the contents of NOTICE to
> META-INF/"About"-box/end-user-documentation/etc. -- but that's *not* true for
> 4-clause BSD, which insists on propagation to advertising materials.
>

FWIW, OpenSSL is a dependency of a number of Apache projects and
has long been vetted as acceptable by the board, and all of the Legal VPs
throughout our evolution.

You can suddenly decide to reclassify the scope of advertising clauses,
but we will be disabling major components of the Apache httpd, Tomcat,
and a number of other very visible projects in reaction to such a decision.
Somehow, both our organization and our many consumers have found their
way through this minefield up to this point, 15 years later.

Cheers,

Bill
