www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Todd Lipcon <t...@cloudera.com>
Subject Re: Dependency on OpenSSL
Date Wed, 02 Nov 2016 20:32:44 GMT
Yea, turns out the contributor misinterpreted that as a deprecated license
for an older version of the product. We'll include both in our LICENSE.
Thanks for the catch!

-Todd

On Wed, Nov 2, 2016 at 10:11 AM, Todd Lipcon <todd@cloudera.com> wrote:

> On Wed, Nov 2, 2016 at 4:18 AM, Jim Wright <jim.wright@oracle.com> wrote:
>
>> Todd, while I wait to catch up with Mishi about it, is there a reason you
>> inserted only part of the OpenSSL license into the LICENSE.TXT file (the
>> first of two licenses)?
>>
>>
> I think that's probably an oversight. Let me check with the patch author.
>
> -Todd
>
> On Oct 31, 2016, at 4:53 PM, Todd Lipcon <todd@cloudera.com> wrote:
>>
>> On Mon, Oct 31, 2016 at 1:29 PM, Jim Wright <jim.wright@oracle.com>
>> wrote:
>>
>>> When Todd says "we're copy-paste importing it" do you mean cut and
>>> pasting into an existing file, and if so (or in either event really) where
>>> does the original license go when you do that?
>>>
>>
>> We created a new source file to copy-paste the code into. There are a few
>> trivial modifications that we had to make (eg using strlen() instead of
>> OPENSSL_strlen()) but otherwise it's just copy-pasted. So, we were planning
>> to keep the original OpenSSL license header and copyright on that file
>> rather than applying the Apache 2.0 one. You can see what we're planning on
>> committing here:
>>
>> https://gerrit.cloudera.org/#/c/4789/7/src/kudu/util/x509_check_host.cc
>>
>>
>>> Apologies for my ignorance here, I just want to confirm a complete copy
>>> of the OpenSSL license ends up in both the complete source and in binary
>>> distributions.
>>>
>>>
>> https://gerrit.cloudera.org/#/c/4789/7/LICENSE.txt shows the diff for
>> LICENSE.txt
>> and https://gerrit.cloudera.org/#/c/4789/7/NOTICE.txt for NOTICE.txt
>>
>> Does that seem sufficient?
>>
>> -Todd
>>
>>
>>> > On Oct 30, 2016, at 8:40 AM, Jim Jagielski <jim@jaguNET.com
>>> <jim@jagunet.com>> wrote:
>>> >
>>> > Yes, that's correct, and +1 on adding it to the Resolved page.
>>> >
>>> >> On Oct 28, 2016, at 6:48 PM, Todd Lipcon <todd@cloudera.com> wrote:
>>> >>
>>> >> Just to revive this thread from a few months ago:
>>> >>
>>> >> In Apache Kudu we're pulling in a little bit of code from OpenSSL
>>> (x509 certificate hostname validation) into our source repository. In
>>> general we prefer to just link against the system's OpenSSL, but this
>>> particular code is new and not available in most commonly deployed
>>> versions, so we're copy-paste importing it.
>>> >>
>>> >> Based on reading of this thread, we need to put the following in
>>> NOTICE.txt:
>>> >>
>>> >> <begin>
>>> >> This product includes software developed by the OpenSSL Project
>>> >> for use in the OpenSSL Toolkit. (http://www.openssl.org/)
>>> >>
>>> >> This product includes cryptographic software written by Eric Young
>>> >> (eay@cryptsoft.com).  This product includes software written by Tim
>>> >> Hudson (tjh@cryptsoft.com).
>>> >> <end>
>>> >>
>>> >> Is my understanding of the resolution here correct? Would be great to
>>> have this listed on the legal "resolved" page.
>>> >>
>>> >> -Todd
>>> >>
>>> >> On Fri, Jun 17, 2016 at 10:29 PM, Henri Yandell <bayard@apache.org>
>>> wrote:
>>> >> So I can update resolved.html; is there a link to where OpenSSL
>>> agreed that NOTICE was sufficient in the archives (or their archives)?
>>> >>
>>> >> On Mon, Jun 6, 2016 at 4:47 AM, Jim Jagielski <jim@jagunet.com>
>>> wrote:
>>> >> BSD-4 should be Cat-X *except* for those projects, such as OpenSSL,
>>> etc
>>> >> that have agreed that NOTICE is sufficient.
>>> >>
>>> >>> On Jun 6, 2016, at 1:23 AM, Marvin Humphrey <marvin@rectangular.com>
>>> wrote:
>>> >>>
>>> >>> Roy, then Justin:
>>> >>>
>>> >>>>> I did not mean OpenSSL, specifically. I meant the things
we have
>>> included
>>> >>>>> in our own packages that used to be under original BSD or
AL 1.0.
>>> >>>>
>>> >>>> So how do you recommend we change the current legal resolved
>>> questions to
>>> >>>> make this clear ow to handle these licenses? Add them to category
A
>>> but add
>>> >>>> that they need to be called out in NOTICE?
>>> >>>
>>> >>> The approach I hope we can take is to grandfather in harmless
>>> existing usage,
>>> >>> including an exception for OpenSSL in particular, but explicitly
>>> deprecate
>>> >>> licenses with advertising clauses to discourage future usage.
>>> >>>
>>> >>> Marvin Humphrey
>>> >>>
>>> >>> ------------------------------------------------------------
>>> ---------
>>> >>> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
>>> >>> For additional commands, e-mail: legal-discuss-help@apache.org
>>> >>
>>> >>
>>> >> ---------------------------------------------------------------------
>>> >> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
>>> >> For additional commands, e-mail: legal-discuss-help@apache.org
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>
>>> >> --
>>> >> Todd Lipcon
>>> >> Software Engineer, Cloudera
>>> >
>>> >
>>> > ---------------------------------------------------------------------
>>> > To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
>>> > For additional commands, e-mail: legal-discuss-help@apache.org
>>> >
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
>>> For additional commands, e-mail: legal-discuss-help@apache.org
>>>
>>>
>>
>>
>> --
>> Todd Lipcon
>> Software Engineer, Cloudera
>>
>>
>
>
> --
> Todd Lipcon
> Software Engineer, Cloudera
>



-- 
Todd Lipcon
Software Engineer, Cloudera

Mime
View raw message