Re: [openssl-dev] The new OpenSSL license should be made GPLv2 compatible

2017-03-26 Thread Quanah Gibson-Mount
--On Saturday, March 25, 2017 6:16 PM -0400 Theodore Ts'o wrote:

> And indeed, different Linux distributions have already come to
> different conclusions with respect to various license compatibility
> issues.  (Examples: dynamically linking GPL programs with OpenSSL
> libraries under the old license, distributing ZFS modules for Linux,
> etc.)


This makes the completely unfounded assumption that only distributions 
build and ship OpenSSL.  Many companies build and use products based on top 
of OpenSSL, which they distribute, that is entirely and appropriately 
separate from whatever OS their application may be running on top of.


--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:


--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] The new OpenSSL license should be made GPLv2 compatible

2017-03-25 Thread James Bottomley
On Sat, 2017-03-25 at 21:48 +0100, Florian Weimer wrote:
> * James Bottomley:
> 
> > On Sat, 2017-03-25 at 16:10 +, Salz, Rich via openssl-dev
> > wrote:
> > >  
> > > > Please, in the final OpenSSL license text add the paragraph 
> > > > linked in the above LLVM mailing list as an exception to the 
> > > > Apache license.
> > > > 
> > > > We should make sure using OpenSSL in GPLv2-only projects is 
> > > > possible without any trouble or concern for developers.
> > > 
> > > The problem is that if it is distributed under the GPLv2 there is 
> > > no patent protection, and that is important to us.
> > 
> > I've already told you once that this is a factually incorrect 
> > statement because (L)GPLv2 contains an implicit patent licence:
> 
> I think the fact that Richard rejects dual licensing indicates that
> it's not the lack of a licence that concerns him, but something else.
> He calls it “patent protection”; I assume he refers to the weak
> mutually assured destruction clause in the Apache license (the “If 
> You institute patent litigation against any entity” part).

Oh, OK ... and Rich confirms that below.  So I agree, GPLv2 doesn't
have a patent retaliation clause.

> I don't think the GPL, version 2, contains anything remotely close to
> *that*, implied or otherwise.

No; the closest is clause 7 which basically shuts down distribution for
everyone in the event of a successful patent assertion.  You could also
characterise that as a mutually assured destruction clause.

However both of these only work if the asserting entity needs the
rights that are blocked.  Unfortunately the most problematic assertions
nowadays are done by troll entities who don't need any rights from us.

James



Re: [openssl-dev] The new OpenSSL license should be made GPLv2 compatible

2017-03-25 Thread Theodore Ts'o
On Sat, Mar 25, 2017 at 07:47:23PM +0100, Carlos Alberto Lopez Perez wrote:
> Unfortunately, dynamically linking is not a solution.
> 
> My understanding is that the GPLv2 considers any library used by the
> GPLv2 program (it doesn't make a difference between dynamic or static
> linking) part of the same whole covered work. [1]
> Therefore the respective licenses of each one of these libraries can't
> impose any further restrictions on the rights granted by the GPLv2 itself.
> And the obligations that the Apache 2.0 license imposes over patent
> related rights are considered a further restriction in this context.

It's complicated.

It's fair to say that the FSF adopts a copyright maximalist position,
and by their interpretation, the two licenses are incompatible, and it
doesn't matter whether the two pieces of code are linked statically,
dynamically, or (according to at least one very extreme apologist)
one calls the other over an RPC call.

Not everyone agrees with their legal analysis.  May I suggest that we
not play amateur lawyer on the mailing list, and try to settle this
here?  Each Linux distribution can make its own decision, which will
be based on its legal advice, the local laws and legal precedents in
which they operate, whether the code is owned by an extremely
litigious entity, etc.

And indeed, different Linux distributions have already come to
different conclusions with respect to various license compatibility
issues.  (Examples: dynamically linking GPL programs with OpenSSL
libraries under the old license, distributing ZFS modules for Linux,
etc.)

We don't expect lawyers to debug edge cases in a compiler's code
generation.  Programmers shouldn't try to parse edge cases in the law,
or try to use a soldering iron, unless they have explicit training and
expertise to do so.  :-)

- Ted


Re: [openssl-dev] The new OpenSSL license should be made GPLv2 compatible

2017-03-25 Thread Salz, Rich via openssl-dev
> > The problem is that if it is distributed under the GPLv2 there is no
> > patent protection, and that is important to us.
> 
> I've already told you once that this is a factually incorrect statement
> because (L)GPLv2 contains an implicit patent licence:

By patent protection, I mean "you lose your rights to use this if you sue".

That seems to be typical use of patent protection, when talking about FOSS 
licenses.  Sorry if I was too casual in my wording. 


Re: [openssl-dev] The new OpenSSL license should be made GPLv2 compatible

2017-03-25 Thread Florian Weimer
* James Bottomley:

> On Sat, 2017-03-25 at 16:10 +, Salz, Rich via openssl-dev wrote:
>>  
>> > Please, in the final OpenSSL license text add the paragraph linked 
>> > in the above LLVM mailing list as an exception to the Apache
>> > license.
>> > 
>> > We should make sure using OpenSSL in GPLv2-only projects is 
>> > possible without any trouble or concern for developers.
>> 
>> The problem is that if it is distributed under the GPLv2 there is no
>> patent protection, and that is important to us.
>
> I've already told you once that this is a factually incorrect statement
> because (L)GPLv2 contains an implicit patent licence:

I think the fact that Richard rejects dual licensing indicates that
it's not the lack of a licence that concerns him, but something else.
He calls it “patent protection”; I assume he refers to the weak
mutually assured destruction clause in the Apache license (the “If You
institute patent litigation against any entity” part).

I don't think the GPL, version 2, contains anything remotely close to
*that*, implied or otherwise.


Re: [openssl-dev] The new OpenSSL license should be made GPLv2 compatible

2017-03-25 Thread James Bottomley
On Sat, 2017-03-25 at 16:10 +, Salz, Rich via openssl-dev wrote:
>  
> > Please, in the final OpenSSL license text add the paragraph linked 
> > in the above LLVM mailing list as an exception to the Apache
> > license.
> > 
> > We should make sure using OpenSSL in GPLv2-only projects is 
> > possible without any trouble or concern for developers.
> 
> The problem is that if it is distributed under the GPLv2 there is no
> patent protection, and that is important to us.

I've already told you once that this is a factually incorrect statement
because (L)GPLv2 contains an implicit patent licence:

https://mta.openssl.org/pipermail/openssl-dev/2017-March/009208.html

but you can have it from a more authoritative source if you like:

https://copyleft.org/guide/comprehensive-gpl-guidech7.html

Additionally, since under Apache-2.0 the explicit patent grants are
captured on contribution, they can't be lost again by the act of using
the LLVM exception to distribute a portion of the code under another
licence.

James



Re: [openssl-dev] The new OpenSSL license should be made GPLv2 compatible

2017-03-25 Thread Carlos Alberto Lopez Perez
On 25/03/17 17:10, Salz, Rich via openssl-dev wrote:
>  
>> Please, in the final OpenSSL license text add the paragraph linked in the
>> above LLVM mailing list as an exception to the Apache license.
>>
>> We should make sure using OpenSSL in GPLv2-only projects is possible
>> without any trouble or concern for developers.
> 
> The problem is that if it is distributed under the GPLv2 there is no patent 
> protection, and that is important to us.
> 
> Sorry, we can't do that.
> 
> Options include: GPL authors adding an exception, using something with a 
> compatible license, treating OpenSSL as a system library, or deciding that 
> dynamically linking is sufficient.
> 

Unfortunately, dynamically linking is not a solution.

My understanding is that the GPLv2 considers any library used by the
GPLv2 program (it doesn't make a difference between dynamic or static
linking) part of the same whole covered work. [1]
Therefore the respective licenses of each one of these libraries can't
impose any further restrictions on the rights granted by the GPLv2 itself.
And the obligations that the Apache 2.0 license imposes over patent
related rights are considered a further restriction in this context.


[1] https://www.gnu.org/licenses/gpl-faq.en.html#GPLStaticVsDynamic





Re: [openssl-dev] The new OpenSSL license should be made GPLv2 compatible

2017-03-25 Thread Salz, Rich via openssl-dev
 
> Please, in the final OpenSSL license text add the paragraph linked in the
> above LLVM mailing list as an exception to the Apache license.
> 
> We should make sure using OpenSSL in GPLv2-only projects is possible
> without any trouble or concern for developers.

The problem is that if it is distributed under the GPLv2 there is no patent 
protection, and that is important to us.

Sorry, we can't do that.

Options include: GPL authors adding an exception, using something with a 
compatible license, treating OpenSSL as a system library, or deciding that 
dynamically linking is sufficient.


Re: [openssl-dev] The new OpenSSL license should be made GPLv2 compatible

2017-03-25 Thread Carlos Alberto Lopez Perez
On 23/03/17 21:04, Brian Smith wrote:
> Hi,
> 
> I'm one of the people that received the email asking for permission to
> relicense code to the new license, Apache 2.0. 

Same here.

> A major problem with
> the Apache 2.0 license is that it is frequently seen as being
> incompatible with the GPL2 license. Although many people consider it
> to be compatible with the GPL3 license, many people also object to the
> GPL3 license for important (to them) reasons. Therefore, I think it is
> important for the OpenSSL license to be compatible with GPL2 too.
> 
> In the past, I created a library licensed under Apache 2.0,
> mozilla::pkix. However, Red Hat and Mozilla requested that I
> additionally license it under the GPLv2 so they could use it in
> GPLv2-licensed contexts, and I did so.
> 
> Similarly, LLVM is working on moving to the Apache 2.0 license and
> they ran into similar problems. They also made the effort to
> explicitly grant the right to use the relicensed code under the GPLv2.
> See [1] for details.
> 
> I think it is important that OpenSSL do something similar to
> explicitly allow using OpenSSL code under the GPLv2 before any
> relicensing takes place.
> 
> Thanks for your consideration.
> 
> [1] http://lists.llvm.org/pipermail/llvm-dev/2016-September/104778.html
> 
> Cheers,
> Brian
> 

I explicitly support this request.

Please, in the final OpenSSL license text add the paragraph linked in
the above LLVM mailing list as an exception to the Apache license.

We should make sure using OpenSSL in GPLv2-only projects is possible
without any trouble or concern for developers.




