Re: [openssl-dev] License change agreement

2017-03-24 Thread Dirk-Willem van Gulik
On 24 Mar 2017, at 20:03, Quanah Gibson-Mount  wrote:
> --On Friday, March 24, 2017 12:30 PM -0700 James Bottomley 
>  wrote:
> 
> 
>>> Probably illegal and definitely immoral, in my opinion. Copyright law
>>> exists to protect authors from these kind of practises.
>> 
>> I think you misunderstand the legal situation.  Provided notice is
>> sufficiently widely distributed and a reasonable period is allowed for
>> objections it will become an estoppel issue after the licence is
>> changed, which means anyone trying to object after the fact of the
>> change will have to get a court order based on irreperable harm and
>> show a good faith reason for not being able to object in the time
>> period allowed.  In the US, this sort of notice plus period for
>> objection is standard for quite a few suits and the range of things
>> which qualify as "good faith reason" are correspondingly very limited.
> 
> It's not clear to me that that's correct.  From 
>  (See update), it appears you need an 
> explicit 95% permission rate to legally relicense and zero objections.  So 
> far one objection has already surfaced.

I have a hard time imagining there to be any 'legal' basis for those numbers or 
that stark approach; the the US, UK or Europe. Even for well defined processes 
in publishing like for orphaned works.

In the real world these sort of things happen often - and are never quite that 
black and white. 

Open source foundations often have to take certain risks (and document these) 
when accepting contributions. People may have died, businesses may have gone 
under, (ex) spouses or decedents may have rights that are naught impossible to 
reconstruct, contributors may be under court orders or the legally appointed 
owner after a bankruptcy case may have rights, etc, etc.

So in the end it you need to be rational about those things - "veto"s and "not 
legal" are rarely, if ever, applicable. We learned that in the past 30 years. 
And even when things are fairly black and white or ironclad - the result can 
still befuddle us. 

Of particular importance is also *this* case is that the shift is relatively 
modest - from the current license to the ASL. Rather than, say, to the GPL, 
Affero or a midway house like the MPL.  That, continuing honouring past & 
present contributors and the 0 $ fee/license costs,  curtails the irreparable 
harm harm sharply.

Dw
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Quanah Gibson-Mount
--On Friday, March 24, 2017 1:49 PM -0700 James Bottomley 
 wrote:



On Fri, 2017-03-24 at 20:24 +0100, Kurt Roeckx wrote:

On Fri, Mar 24, 2017 at 12:22:14PM -0700, James Bottomley wrote:
>
> This is my understanding as well.  From the GPL side, for both
> dynamic
> and static linking of openssl to GPLv2 code, the section 3 system
> exception applies.

Not everybody agrees that it applies.


debian-legal is OK with shipping other libraries which require the
system exception to link with GPLv2 code, so I don't find their
position to be entirely self consistent.  Regardless, if you move to
Apache-2.0 you'll still use the system exception to link with GPLv2
code, but it will be much more acceptable.



If you mean , I would 
note that not all software includes such an exception.  I ran into that a 
few times in the past, and had to work with the authors to adjust their 
license (in one case) and move to alternatives for other cases.


--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:


--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread James Bottomley
On Fri, 2017-03-24 at 20:24 +0100, Kurt Roeckx wrote:
> On Fri, Mar 24, 2017 at 12:22:14PM -0700, James Bottomley wrote:
> > 
> > This is my understanding as well.  From the GPL side, for both
> > dynamic
> > and static linking of openssl to GPLv2 code, the section 3 system
> > exception applies.
> 
> Not everybody agrees that it applies.

debian-legal is OK with shipping other libraries which require the
system exception to link with GPLv2 code, so I don't find their
position to be entirely self consistent.  Regardless, if you move to
Apache-2.0 you'll still use the system exception to link with GPLv2
code, but it will be much more acceptable.

James


-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Florian Weimer
* Quanah Gibson-Mount:

> --On Friday, March 24, 2017 9:02 PM +0100 Florian Weimer  
> wrote:
>
>> * Quanah Gibson-Mount:
>>
>>> Zero people that I know of are saying to switch to the GPL.  What is
>>> being pointed out is that the incompatibility with the current
>>> OpenSSL license with the GPLv2 has been a major problem.
>>
>> The alleged incompatibility of OpenSSL with the GPLv2 has been used to
>> promote GNUTLS in the past (and to a much lesser extent, a certain
>> crypto consolidation effort intending to switch everything to NSS).
>> But GNUTLS has since left the GNU project, and I'm not aware of anyone
>> on the distribution side still saying that the old OpenSSL license
>> (particular when used as a dynamically-linked system library) and the
>> GPLv2 are incompatible.  It's just not considered a problem anymore.
>
> So that would imply then that moving to the APL would be a step backward, 
> since it is explicitly GPLv2 incompatible. ;)

It's certainly not “explicitly” GPL-incompatible.  Doesn't the Apache
Software Foundation maintain that the intent was it to be compatible?
(Which doesn't mean the result of the license design process actually
is, but it sheds some light on the “explicitly” part.)
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Florian Weimer
* Kurt Roeckx:

> On Fri, Mar 24, 2017 at 08:02:25PM +0100, Florian Weimer wrote:
>> * Quanah Gibson-Mount:
>> 
>> > Zero people that I know of are saying to switch to the GPL.  What is
>> > being pointed out is that the incompatibility with the current
>> > OpenSSL license with the GPLv2 has been a major problem.
>> 
>> The alleged incompatibility of OpenSSL with the GPLv2 has been used to
>> promote GNUTLS in the past (and to a much lesser extent, a certain
>> crypto consolidation effort intending to switch everything to NSS).
>> But GNUTLS has since left the GNU project, and I'm not aware of anyone
>> on the distribution side still saying that the old OpenSSL license
>> (particular when used as a dynamically-linked system library) and the
>> GPLv2 are incompatible.  It's just not considered a problem anymore.
>
> As far as I know, for Debian it's still a problem that a GPL
> application links to openssl.
>
> A few examples:
> - We have multiple curl versions, linked to openssl, gnutls, nss.
>   And you then have to build against the correct one for license
>   reasons.
> - QT (which is LGPL?) does not itself link to libssl but can
>   dynamically load it so that GPL applications can use QT assuming
>   they don't use SSL.
> - We have asked upstream projects to add an openssl exception to
>   their GPL license.

A few examples from Debian for the reverse:

- cgit links against libssl1.1 and is GPLv2
- tcpflow has GPLv2 pieces and links against libssl1.1
- many GPLv1 and GPLv2 programs which link against libgcc
  (which is GPLv3 with an exception, but one that arguably
  does not make it GPLv2-compatible)

I also found a few packages with an OpenSSL exception which have
merged GPL code from other sources who may or may not have agreed to
the exception.

It's probably marginally more productive to continue this discussion
on a Debian list (not that I think anymore that this discussion
matters).
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Kurt Roeckx
On Fri, Mar 24, 2017 at 12:22:14PM -0700, James Bottomley wrote:
> 
> This is my understanding as well.  From the GPL side, for both dynamic
> and static linking of openssl to GPLv2 code, the section 3 system
> exception applies.

Not everybody agrees that it applies.


Kurt

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread James Bottomley
On Fri, 2017-03-24 at 20:02 +0100, Florian Weimer wrote:
> * Quanah Gibson-Mount:
> 
> > Zero people that I know of are saying to switch to the GPL.  What 
> > is being pointed out is that the incompatibility with the current
> > OpenSSL license with the GPLv2 has been a major problem.
> 
> The alleged incompatibility of OpenSSL with the GPLv2 has been used 
> to promote GNUTLS in the past (and to a much lesser extent, a certain
> crypto consolidation effort intending to switch everything to NSS).
> But GNUTLS has since left the GNU project, and I'm not aware of 
> anyone on the distribution side still saying that the old OpenSSL 
> license (particular when used as a dynamically-linked system library) 
> and the GPLv2 are incompatible.  It's just not considered a problem
> anymore.

This is my understanding as well.  From the GPL side, for both dynamic
and static linking of openssl to GPLv2 code, the section 3 system
exception applies.

James


-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Kurt Roeckx
On Fri, Mar 24, 2017 at 08:02:25PM +0100, Florian Weimer wrote:
> * Quanah Gibson-Mount:
> 
> > Zero people that I know of are saying to switch to the GPL.  What is
> > being pointed out is that the incompatibility with the current
> > OpenSSL license with the GPLv2 has been a major problem.
> 
> The alleged incompatibility of OpenSSL with the GPLv2 has been used to
> promote GNUTLS in the past (and to a much lesser extent, a certain
> crypto consolidation effort intending to switch everything to NSS).
> But GNUTLS has since left the GNU project, and I'm not aware of anyone
> on the distribution side still saying that the old OpenSSL license
> (particular when used as a dynamically-linked system library) and the
> GPLv2 are incompatible.  It's just not considered a problem anymore.

As far as I know, for Debian it's still a problem that a GPL
application links to openssl.

A few examples:
- We have multiple curl versions, linked to openssl, gnutls, nss.
  And you then have to build against the correct one for license
  reasons.
- QT (which is LGPL?) does not itself link to libssl but can
  dynamically load it so that GPL applications can use QT assuming
  they don't use SSL.
- We have asked upstream projects to add an openssl exception to
  their GPL license.


Kurt

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread James Bottomley
On Fri, 2017-03-24 at 12:03 -0700, Quanah Gibson-Mount wrote:
> --On Friday, March 24, 2017 12:30 PM -0700 James Bottomley 
>  wrote:
> 
> 
> > > Probably illegal and definitely immoral, in my opinion. Copyright
> > > law
> > > exists to protect authors from these kind of practises.
> > 
> > I think you misunderstand the legal situation.  Provided notice is
> > sufficiently widely distributed and a reasonable period is allowed
> > for
> > objections it will become an estoppel issue after the licence is
> > changed, which means anyone trying to object after the fact of the
> > change will have to get a court order based on irreperable harm and
> > show a good faith reason for not being able to object in the time
> > period allowed.  In the US, this sort of notice plus period for
> > objection is standard for quite a few suits and the range of things
> > which qualify as "good faith reason" are correspondingly very
> > limited.
> 
> It's not clear to me that that's correct.  From 
>  (See update), it appears you 
> need an explicit 95% permission rate to legally relicense and zero
> objections.

There's no legal basis for those figures (I think they're just
examples: Mozilla was happy with 95% but that doesn't mean everyone
else doing the same thing would have to gain 95%).  The more explicit
responses you get, the greater your case for having given proper
notice, but there's no case law that I'm aware of on the exact
percentages.

>   So far one objection has already surfaced.

This is a more compelling problem: if a contributor actively objects
within the notice period, the only real recourse is to rewrite their
code (or reason them in to acquiescence).

James


-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Quanah Gibson-Mount
--On Friday, March 24, 2017 9:02 PM +0100 Florian Weimer  
wrote:



* Quanah Gibson-Mount:


Zero people that I know of are saying to switch to the GPL.  What is
being pointed out is that the incompatibility with the current
OpenSSL license with the GPLv2 has been a major problem.


The alleged incompatibility of OpenSSL with the GPLv2 has been used to
promote GNUTLS in the past (and to a much lesser extent, a certain
crypto consolidation effort intending to switch everything to NSS).
But GNUTLS has since left the GNU project, and I'm not aware of anyone
on the distribution side still saying that the old OpenSSL license
(particular when used as a dynamically-linked system library) and the
GPLv2 are incompatible.  It's just not considered a problem anymore.


So that would imply then that moving to the APL would be a step backward, 
since it is explicitly GPLv2 incompatible. ;)


--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:


--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Quanah Gibson-Mount
--On Friday, March 24, 2017 12:30 PM -0700 James Bottomley 
 wrote:




Probably illegal and definitely immoral, in my opinion. Copyright law
exists to protect authors from these kind of practises.


I think you misunderstand the legal situation.  Provided notice is
sufficiently widely distributed and a reasonable period is allowed for
objections it will become an estoppel issue after the licence is
changed, which means anyone trying to object after the fact of the
change will have to get a court order based on irreperable harm and
show a good faith reason for not being able to object in the time
period allowed.  In the US, this sort of notice plus period for
objection is standard for quite a few suits and the range of things
which qualify as "good faith reason" are correspondingly very limited.


It's not clear to me that that's correct.  From 
 (See update), it appears you need an 
explicit 95% permission rate to legally relicense and zero objections.  So 
far one objection has already surfaced.


--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:


--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Florian Weimer
* Quanah Gibson-Mount:

> Zero people that I know of are saying to switch to the GPL.  What is
> being pointed out is that the incompatibility with the current
> OpenSSL license with the GPLv2 has been a major problem.

The alleged incompatibility of OpenSSL with the GPLv2 has been used to
promote GNUTLS in the past (and to a much lesser extent, a certain
crypto consolidation effort intending to switch everything to NSS).
But GNUTLS has since left the GNU project, and I'm not aware of anyone
on the distribution side still saying that the old OpenSSL license
(particular when used as a dynamically-linked system library) and the
GPLv2 are incompatible.  It's just not considered a problem anymore.
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Salz, Rich via openssl-dev
> It's not clear to me that that's correct.  From
>  (See update), it appears you need an
> explicit 95% permission rate to legally relicense and zero objections.  So
> far one objection has already surfaced.

And code from people who object will most likely have their commits reverted 
making their objection moot.
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Kurt Roeckx
On Fri, Mar 24, 2017 at 11:43:17AM -0700, Quanah Gibson-Mount wrote:
> --On Friday, March 24, 2017 7:47 PM +0100 Kurt Roeckx 
> wrote:
> 
> > On Fri, Mar 24, 2017 at 10:18:40AM -0700, Quanah Gibson-Mount wrote:
> > > --On Friday, March 24, 2017 6:12 PM + "Salz, Rich" 
> > > wrote:
> > > 
> > > > > Thanks Rich, that's a more useful starting point.  Has dual licensing
> > > > > been considered?  Both in 2015 and now, the lack of GPLv2
> > > > > compatibility has shown to be a serious drawback to the APLv2.
> > > >
> > > > Dual licensing means that it is also available under a
> > > > no-patent-protection license which is an issue for us.
> > > 
> > > APLv2 and MPLv2 both have patent protections.  How would a dual license
> > > of APL+MPL result in a no-patent-protection license?
> > 
> > As far as I understand the MPLv2 is only compatible with the GPLv2
> > in a very specific case which makes it not useful for people that
> > would actually want to link their application with it.
> 
> Reference?  I certainly don't see that in
> 

Then I suggest you read that FAQ again.


Kurt

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Salz, Rich via openssl-dev
> It doesn't mean the code is no longer covered by the MPL.  See
> ,

That is very complicated as can be seen by the multiple cases, all of which we 
would expect to apply to OpenSSL at one point or another.  Our legal advice 
discouraged this.  Our discussions with various folks did not encourage it.

At any rate, GPLv2 folks can continue to use the current code, dual-license or 
add an exception for their application, decide to agree with the ASF that it's 
okay, or use alternatives such as GnuTLS.

Again, we are sorry that we cannot solve all issues at this time.  We didn't 
create this situation, we have to live with it like everyone else.
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread James Bottomley
On Fri, 2017-03-24 at 13:17 +, Salz, Rich via openssl-dev wrote:
> > As was noted back when this was brought up in 2015, there are 
> > other, better, licenses than the APLv2 which are also GPLv2 
> > compatible.  The MPLv2 being an example of such a license.  There 
> > is also BSD, MIT/X11, etc.   The GPLv2 incompatibility of OpenSSL
> > is a major problem.
> 
> Better in one dimension, not in the multiple dimensions that we are
> concerned about.  For example, one of the major things that is an
> issue for GPLv2 is the patent protection.  Patent protection is
> important to us.  At least now we're compatible with GPL3, which is
> hopefully seen as a major step forward.

There seems to be a misunderstanding here: for starters licensing any
library under GPLv2 is problematic because of the viral nature (it's
mostly done as a ploy for open core business models), so I'm assuming
you mean LGPLv2 (or 3) which would allow linking to non GPL code?

Secondly the GPLv2 family of licences has strong implicit patent
licences which GPLv3 made explicit.  In terms of broad protection
there's no real difference (as long as the patent owner ships the code,
they can't sue).  Explicit gives you a measure of protection on
contributions if the owner leaves the community for some reason, but
it's a much weaker protection than if they remain in the community
(applies only to contributions as opposed to entire code base).

James

> Yes, it is too bad we can't please all communities right now.

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Quanah Gibson-Mount
--On Friday, March 24, 2017 7:47 PM +0100 Kurt Roeckx  
wrote:



On Fri, Mar 24, 2017 at 10:18:40AM -0700, Quanah Gibson-Mount wrote:

--On Friday, March 24, 2017 6:12 PM + "Salz, Rich" 
wrote:

> > Thanks Rich, that's a more useful starting point.  Has dual licensing
> > been considered?  Both in 2015 and now, the lack of GPLv2
> > compatibility has shown to be a serious drawback to the APLv2.
>
> Dual licensing means that it is also available under a
> no-patent-protection license which is an issue for us.

APLv2 and MPLv2 both have patent protections.  How would a dual license
of APL+MPL result in a no-patent-protection license?


As far as I understand the MPLv2 is only compatible with the GPLv2
in a very specific case which makes it not useful for people that
would actually want to link their application with it.


Reference?  I certainly don't see that in 



--Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:


--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Quanah Gibson-Mount
--On Friday, March 24, 2017 6:30 PM + "Salz, Rich"  
wrote:



> Dual licensing means that it is also available under a
> no-patent-protection license which is an issue for us.

APLv2 and MPLv2 both have patent protections.  How would a dual license
of APL+MPL result in a no-patent-protection license?


MPL allows GPL which has no patent protection.


It doesn't mean the code is no longer covered by the MPL.  See 
, "Unmodified 
MPL-licensed Files - MPL-only".


--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:


--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread James Bottomley
On Fri, 2017-03-24 at 10:06 +0100, Otto Moerbeek wrote:
> On Fri, Mar 24, 2017 at 09:40:16AM +0100, Kurt Roeckx wrote:
> 
> > On Fri, Mar 24, 2017 at 08:36:02AM +0100, Otto Moerbeek wrote:
> > > On Fri, Mar 24, 2017 at 08:21:49AM +0100, Marcus Meissner wrote:
> > > 
> > > > On Fri, Mar 24, 2017 at 07:48:58AM +0100, Otto Moerbeek wrote:
> > > > > On Fri, Mar 24, 2017 at 04:11:48AM +, Blumenthal, Uri -
> > > > > 0553 - MITLL wrote:
> > > > > 
> > > > > > Apache license is fine for me, while GPL could be
> > > > > > problematic. Incompatibility with GPLv2 is not a problem
> > > > > > for us. 
> > > > > > 
> > > > > > If it is a problem for somebody - feel free to explain the
> > > > > > details. Though I think the decision has been made, and the
> > > > > > majority is OK with it. 
> > > > > 
> > > > > I like to mention that any license change cannot be made 
> > > > > based on a majority vote or any other method other than 
> > > > > getting each author (or its legal representative) to 
> > > > > *explicitly* allow the change. The method of "nothing heard 
> > > > > equals consent" is not valid in any jurisdiction I know of.
> > > > > 
> > > > > While I'm not a contributor (I think I only sent in a small 
> > > > > diff years ago), I would like to stress that the planned 
> > > > > relicensing procedure is not legal and can be challenged in
> > > > > court.
> > > > 
> > > > Well, emails were sent yesterday out to _all_ contributors for
> > > > ack/deny the change.
> > > 
> > > Read the last line of the mail, it says the no reactions equals
> > > consent. That is the illegal part.
> > 
> > The legal advice we got said that we should do our best to contact
> > people. If we contacted them, they had the possibility to say no.
> > We will give them time and go over all people that didn't reply to
> > try to reach them.
> > 
> > But if they don't reply, as said, we will assume they have no
> > problem with the license change. If at some later point in time
> > they do come forward and say no, we will deal with that at that
> > time.
> > 
> > 
> > Kurt
> 
> Probably illegal and definitely immoral, in my opinion. Copyright law
> exists to protect authors from these kind of practises.

I think you misunderstand the legal situation.  Provided notice is
sufficiently widely distributed and a reasonable period is allowed for
objections it will become an estoppel issue after the licence is
changed, which means anyone trying to object after the fact of the
change will have to get a court order based on irreperable harm and
show a good faith reason for not being able to object in the time
period allowed.  In the US, this sort of notice plus period for
objection is standard for quite a few suits and the range of things
which qualify as "good faith reason" are correspondingly very limited.

James

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Salz, Rich via openssl-dev
> > Dual licensing means that it is also available under a
> > no-patent-protection license which is an issue for us.
> 
> APLv2 and MPLv2 both have patent protections.  How would a dual license of
> APL+MPL result in a no-patent-protection license?

MPL allows GPL which has no patent protection.
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Kurt Roeckx
On Fri, Mar 24, 2017 at 10:18:40AM -0700, Quanah Gibson-Mount wrote:
> --On Friday, March 24, 2017 6:12 PM + "Salz, Rich" 
> wrote:
> 
> > > Thanks Rich, that's a more useful starting point.  Has dual licensing
> > > been considered?  Both in 2015 and now, the lack of GPLv2 compatibility
> > > has shown to be a serious drawback to the APLv2.
> > 
> > Dual licensing means that it is also available under a
> > no-patent-protection license which is an issue for us.
> 
> APLv2 and MPLv2 both have patent protections.  How would a dual license of
> APL+MPL result in a no-patent-protection license?

As far as I understand the MPLv2 is only compatible with the GPLv2
in a very specific case which makes it not useful for people that
would actually want to link their application with it.


Kurt

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Quanah Gibson-Mount
--On Friday, March 24, 2017 6:12 PM + "Salz, Rich"  
wrote:



Thanks Rich, that's a more useful starting point.  Has dual licensing
been considered?  Both in 2015 and now, the lack of GPLv2 compatibility
has shown to be a serious drawback to the APLv2.


Dual licensing means that it is also available under a
no-patent-protection license which is an issue for us.


APLv2 and MPLv2 both have patent protections.  How would a dual license of 
APL+MPL result in a no-patent-protection license?


--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:


--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Salz, Rich via openssl-dev
> Thanks Rich, that's a more useful starting point.  Has dual licensing been
> considered?  Both in 2015 and now, the lack of GPLv2 compatibility has
> shown to be a serious drawback to the APLv2.

Dual licensing means that it is also available under a no-patent-protection 
license which is an issue for us.  

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Quanah Gibson-Mount
--On Friday, March 24, 2017 5:40 PM + "Salz, Rich"  
wrote:



The required source  code disclosures of the MPL are problematic.  The
fact that the MPL allows distribution under a non-patent-protecting
license is problematic.

Ok?


Thanks Rich, that's a more useful starting point.  Has dual licensing been 
considered?  Both in 2015 and now, the lack of GPLv2 compatibility has 
shown to be a serious drawback to the APLv2.


--Quanah



--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:


--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Salz, Rich via openssl-dev
The required source  code disclosures of the MPL are problematic.  The fact 
that the MPL allows distribution under a non-patent-protecting license is 
problematic.

Ok?

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Quanah Gibson-Mount
--On Friday, March 24, 2017 6:00 PM +0100 Dirk-Willem van Gulik 
 wrote:



In 2 years time, I've yet to see one valid argument to using the APLv2
vs the MPLv2 originate from the OpenSSL team.


The two licenses are not identical.

Specifically the MPL goes one step further with respect to the disclosure
of the source code* -- The ASL stops just before that - and is more akin
to the MIT and BSD licenses.

From personal experience - and given how OpenSSL is commonly used as one
of many small components in a larger work - that does make (my) live in
the real world a lot easer.

Dw.

*: (though not as far as the Free software licences; it limits it to the
code under the MPL itself).


Yes, I'm certainly not saying they are the same.  But the reasons provided 
so far by the OpenSSL team have not shown why the APLv2 is a better choice 
for the downstream consumers of OpensSL vs the MPLv2, and there are 
definite reasons as to why the APLv2 is problematic.


--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:


--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Dirk-Willem van Gulik

> On 24 Mar 2017, at 16:14, Quanah Gibson-Mount  wrote:
> 
> --On Friday, March 24, 2017 2:17 PM + "Salz, Rich"  
> wrote:
> 
>>> As was noted back when this was brought up in 2015, there are other,
>>> better, licenses than the APLv2 which are also GPLv2 compatible.  The
>>> MPLv2 being an example of such a license.  There is also BSD, MIT/X11,
>>> etc.  The GPLv2 incompatibility of OpenSSL is a major problem.
>> 
>> Better in one dimension, not in the multiple dimensions that we are
>> concerned about.  For example, one of the major things that is an issue
>> for GPLv2 is the patent protection.  Patent protection is important to
>> us.  At least now we're compatible with GPL3, which is hopefully seen as
>> a major step forward.
>> 
>> Yes, it is too bad we can't please all communities right now.
> 
> Yes, you brought patent protection in 2015, and in 2015, I pointed out that 
> the MPLv2 also has patent protections, but here's a refresher:
> 
> 
> 
> 
> The MPLv2 of course has the advantage of being compatible with both the GPLv2 
> and the GPLv3, etc.  I.e., it has much broader compatibility than the APLv2.
> 
> In 2 years time, I've yet to see one valid argument to using the APLv2 vs the 
> MPLv2 originate from the OpenSSL team.

The two licenses are not identical. 

Specifically the MPL goes one step further with respect to the disclosure of 
the source code* -- The ASL stops just before that - and is more akin to the 
MIT and BSD licenses.

>From personal experience - and given how OpenSSL is commonly used as one of 
>many small components in a larger work - that does make (my) live in the real 
>world a lot easer.

Dw.

*: (though not as far as the Free software licences; it limits it to the code 
under the MPL itself).
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Quanah Gibson-Mount
--On Friday, March 24, 2017 2:17 PM + "Salz, Rich"  
wrote:



As was noted back when this was brought up in 2015, there are other,
better, licenses than the APLv2 which are also GPLv2 compatible.  The
MPLv2 being an example of such a license.  There is also BSD, MIT/X11,
etc.  The GPLv2 incompatibility of OpenSSL is a major problem.


Better in one dimension, not in the multiple dimensions that we are
concerned about.  For example, one of the major things that is an issue
for GPLv2 is the patent protection.  Patent protection is important to
us.  At least now we're compatible with GPL3, which is hopefully seen as
a major step forward.

Yes, it is too bad we can't please all communities right now.


Yes, you brought patent protection in 2015, and in 2015, I pointed out that 
the MPLv2 also has patent protections, but here's a refresher:





The MPLv2 of course has the advantage of being compatible with both the 
GPLv2 and the GPLv3, etc.  I.e., it has much broader compatibility than the 
APLv2.


In 2 years time, I've yet to see one valid argument to using the APLv2 vs 
the MPLv2 originate from the OpenSSL team.


--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:


--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Dirk-Willem van Gulik

> On 24 Mar 2017, at 13:14, Otto Moerbeek  wrote:
> 
> On Fri, Mar 24, 2017 at 11:53:10AM +, Blumenthal, Uri - 0553 - MITLL 
> wrote:
> 
>> I personally think this issue is being blown way out of proportion and 
>> beyond the boundary of reason. 
>> 
>> Regards,
>> Uri
> 
> Is it reasonable to step on the rights of authors with the backing of
> large corporations?

I personally do not see this as something led, backed or driven by the large 
corporation. 

Rather, I see a community of developers, do a very reasonable, timely and 
sensible job to get their house in order; adapt to the realities of modern 
society - and thus allow the community to continue to operate as it wants in a 
changed world.

We understand a lot more about IPR, CLAs, patens and (software) licenses (their 
interaction with business and governance processes) than we did 30 years ago.

And just like we consider retiring support for say a PDP-11, AIX or SunOS & old 
compiler cruft — so do our licenses need maintenance.

>  Individual authors that might have chosen to
> change email address or are unable to be contacted for other reasons?

And as all things in life - this is not a black or white thing - but one where 
you need to trade one type of risk versus that of another. 

Long term health of the community is important; as are old contributions made 
once to that community. But to an outsider or reasonably observer - neither is 
done without context or absolute. Total stagnation is as much a risk as blindly 
pushing through a change unilaterally.

To me it seems that OpenSSL is doing a commendable job trying to find a 
balance. 

And ultimately a large part of the metric of success is wether this community 
survives; and continues to see the amplification loop of having its code use 
and thus garnering resources to keep the code usable work. Like bitrot - 
outdated & outmoded licenses too are an impediment too for this.  Also - know 
that outsiders who have to access the risks of these license changes won’t see 
this as a black and white thing - and are perfectly used to trade the 
advantages of a known license with the residuals of less than perfect 
provenance. We do that all the time.

With kind regards,

Dw.

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Salz, Rich via openssl-dev
> As was noted back when this was brought up in 2015, there are other, better,
> licenses than the APLv2 which are also GPLv2 compatible.  The MPLv2 being
> an example of such a license.  There is also BSD, MIT/X11, etc.  The
> GPLv2 incompatibility of OpenSSL is a major problem.

Better in one dimension, not in the multiple dimensions that we are concerned 
about.  For example, one of the major things that is an issue for GPLv2 is the 
patent protection.  Patent protection is important to us.  At least now we're 
compatible with GPL3, which is hopefully seen as a major step forward.

Yes, it is too bad we can't please all communities right now.
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Stephan Seitz

On Fr, Mär 24, 2017 at 01:29:53 +0100, Richard Levitte wrote:

If I'm reading you correctly, *any* license change faces the exact
same problem.  My interpretation of what you say is that unless we can
successfully reach all contributors, no exception, we're stuck with
the current license, probably for life.


While I think you’re reading him correctly, I don’t see a big problem.

I mean, if the people you are mailing don’t accept die license change for 
their code part you are stuck with the same problem.


If this works the same way as in other projects this code parts have to 
be rewritten.


Shade and sweet water!

Stephan

--
| Public Keys: http://fsing.rootsland.net/~stse/keys.html |


smime.p7s
Description: S/MIME cryptographic signature
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Richard Moore
On 24 March 2017 at 02:26, Quanah Gibson-Mount  wrote:

> --On Friday, March 24, 2017 1:37 AM + Peter Waltenberg <
> pwal...@au1.ibm.com> wrote:
>
>
>> OpenSSL has a LOT of commercial users and contributors. Apache2 they can
>> live with, GPL not so much.
>> There's also the point that many of the big consumers (like Apache :))
>> are also under Apache2.
>>
>> Least possible breakage and I think it's a reasonable compromise. Of
>> course I am biased because I work for the one of the commercial users.
>>
>
> Zero people that I know of are saying to switch to the GPL.  What is being
> pointed out is that the incompatibility with the current OpenSSL license
> with the GPLv2 has been a major problem.  Switching to the APLv2 does
> nothing to resolve that problem.  As has been noted, the current
> advertising is a huge problem with the existing license.  One of the
> reasons that has been a big problem is that it makes the license
> incompatible with the GPLv2.  So on the one hand, getting rid of that
> clause is great.  On the other hand, getting rid of it by switching to the
> APL is not great, because it doesn't resolve the fundamental problem of
> being incompatible with the GPLv2.
>
> As was noted back when this was brought up in 2015, there are other,
> better, licenses than the APLv2 which are also GPLv2 compatible.  The MPLv2
> being an example of such a license.  There is also BSD, MIT/X11, etc.  The
> GPLv2 incompatibility of OpenSSL is a major problem.


​Indeed, I don't think GPL2 itself would be a good choice.

Cheers

Rich.​
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Otto Moerbeek
On Fri, Mar 24, 2017 at 01:29:53PM +0100, Richard Levitte wrote:

> In message <20170324121435.gq70...@colo.drijf.net> on Fri, 24 Mar 2017 
> 13:14:35 +0100, Otto Moerbeek  said:
> 
> otto> On Fri, Mar 24, 2017 at 11:53:10AM +, Blumenthal, Uri - 0553 - 
> MITLL wrote:
> otto> 
> otto> > I personally think this issue is being blown way out of proportion 
> and beyond the boundary of reason. 
> otto> > 
> otto> > Regards,
> otto> > Uri
> otto> 
> otto> Is it reasonable to step on the rights of authors with the backing of
> otto> large corporations? Individual authors that might have chosen to
> otto> change email address or are unable to be contacted for other reasons?
> otto> 
> otto> It is sad to see the corporate giants dictate the policies of yet
> otto> another open source project, without regard for the spirit of
> otto> copyright law which is to protect the individual author.
> 
> If I'm reading you correctly, *any* license change faces the exact
> same problem.  My interpretation of what you say is that unless we can
> successfully reach all contributors, no exception, we're stuck with
> the current license, probably for life.
> 
> Am I reading you correctly?

Yes, the default is "no, you're not allowed to change the license", not
"yes, you are allowed".

If you do not have explicit permission, the contribution(s) of an
auther must remain under the existing license or be removed. If you do
no want that, you should rewrite that piece so you can attach your
preferred license as author.

-Otto
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Richard Levitte
In message <20170324121435.gq70...@colo.drijf.net> on Fri, 24 Mar 2017 13:14:35 
+0100, Otto Moerbeek  said:

otto> On Fri, Mar 24, 2017 at 11:53:10AM +, Blumenthal, Uri - 0553 - MITLL 
wrote:
otto> 
otto> > I personally think this issue is being blown way out of proportion and 
beyond the boundary of reason. 
otto> > 
otto> > Regards,
otto> > Uri
otto> 
otto> Is it reasonable to step on the rights of authors with the backing of
otto> large corporations? Individual authors that might have chosen to
otto> change email address or are unable to be contacted for other reasons?
otto> 
otto> It is sad to see the corporate giants dictate the policies of yet
otto> another open source project, without regard for the spirit of
otto> copyright law which is to protect the individual author.

If I'm reading you correctly, *any* license change faces the exact
same problem.  My interpretation of what you say is that unless we can
successfully reach all contributors, no exception, we're stuck with
the current license, probably for life.

Am I reading you correctly?

-- 
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Otto Moerbeek
On Fri, Mar 24, 2017 at 11:53:10AM +, Blumenthal, Uri - 0553 - MITLL wrote:

> I personally think this issue is being blown way out of proportion and beyond 
> the boundary of reason. 
> 
> Regards,
> Uri

Is it reasonable to step on the rights of authors with the backing of
large corporations? Individual authors that might have chosen to
change email address or are unable to be contacted for other reasons?

It is sad to see the corporate giants dictate the policies of yet
another open source project, without regard for the spirit of
copyright law which is to protect the individual author.

-Otto
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Blumenthal, Uri - 0553 - MITLL
I personally think this issue is being blown way out of proportion and beyond 
the boundary of reason. 

Regards,
Uri

Sent from my iPhone

> On Mar 24, 2017, at 05:07, Otto Moerbeek  wrote:
> 
>> On Fri, Mar 24, 2017 at 09:40:16AM +0100, Kurt Roeckx wrote:
>> 
>>> On Fri, Mar 24, 2017 at 08:36:02AM +0100, Otto Moerbeek wrote:
 On Fri, Mar 24, 2017 at 08:21:49AM +0100, Marcus Meissner wrote:
 
> On Fri, Mar 24, 2017 at 07:48:58AM +0100, Otto Moerbeek wrote:
>> On Fri, Mar 24, 2017 at 04:11:48AM +, Blumenthal, Uri - 0553 - MITLL 
>> wrote:
>> 
>> Apache license is fine for me, while GPL could be problematic. 
>> Incompatibility with GPLv2 is not a problem for us. 
>> 
>> If it is a problem for somebody - feel free to explain the details. 
>> Though I think the decision has been made, and the majority is OK with 
>> it. 
> 
> I like to mention that any license change cannot be made based on a
> majority vote or any other method other than getting each author (or
> its legal representative) to *explicitly* allow the change. The method
> of "nothing heard equals consent" is not valid in any jurisdiction I
> know of.
> 
> While I'm not a contributor (I think I only sent in a small diff years
> ago), I would like to stress that the planned relicensing procedure is
> not legal and can be challenged in court.
 
 Well, emails were sent yesterday out to _all_ contributors for ack/deny 
 the change.
>>> 
>>> Read the last line of the mail, it says the no reactions equals
>>> consent. That is the illegal part.
>> 
>> The legal advice we got said that we should do our best to contact
>> people. If we contacted them, they had the possibility to say no.
>> We will give them time and go over all people that didn't reply to
>> try to reach them.
>> 
>> But if they don't reply, as said, we will assume they have no
>> problem with the license change. If at some later point in time
>> they do come forward and say no, we will deal with that at that
>> time.
>> 
>> 
>> Kurt
> 
> Probably illegal and definitely immoral, in my opinion. Copyright law
> exists to protect authors from these kind of practises.
> 
>-Otto
> -- 
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


smime.p7s
Description: S/MIME cryptographic signature
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Otto Moerbeek
On Fri, Mar 24, 2017 at 09:40:16AM +0100, Kurt Roeckx wrote:

> On Fri, Mar 24, 2017 at 08:36:02AM +0100, Otto Moerbeek wrote:
> > On Fri, Mar 24, 2017 at 08:21:49AM +0100, Marcus Meissner wrote:
> > 
> > > On Fri, Mar 24, 2017 at 07:48:58AM +0100, Otto Moerbeek wrote:
> > > > On Fri, Mar 24, 2017 at 04:11:48AM +, Blumenthal, Uri - 0553 - 
> > > > MITLL wrote:
> > > > 
> > > > > Apache license is fine for me, while GPL could be problematic. 
> > > > > Incompatibility with GPLv2 is not a problem for us. 
> > > > > 
> > > > > If it is a problem for somebody - feel free to explain the details. 
> > > > > Though I think the decision has been made, and the majority is OK 
> > > > > with it. 
> > > > 
> > > > I like to mention that any license change cannot be made based on a
> > > > majority vote or any other method other than getting each author (or
> > > > its legal representative) to *explicitly* allow the change. The method
> > > > of "nothing heard equals consent" is not valid in any jurisdiction I
> > > > know of.
> > > > 
> > > > While I'm not a contributor (I think I only sent in a small diff years
> > > > ago), I would like to stress that the planned relicensing procedure is
> > > > not legal and can be challenged in court.
> > > 
> > > Well, emails were sent yesterday out to _all_ contributors for ack/deny 
> > > the change.
> > 
> > Read the last line of the mail, it says the no reactions equals
> > consent. That is the illegal part.
> 
> The legal advice we got said that we should do our best to contact
> people. If we contacted them, they had the possibility to say no.
> We will give them time and go over all people that didn't reply to
> try to reach them.
> 
> But if they don't reply, as said, we will assume they have no
> problem with the license change. If at some later point in time
> they do come forward and say no, we will deal with that at that
> time.
> 
> 
> Kurt

Probably illegal and definitely immoral, in my opinion. Copyright law
exists to protect authors from these kind of practises.

-Otto
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Kurt Roeckx
On Fri, Mar 24, 2017 at 08:36:02AM +0100, Otto Moerbeek wrote:
> On Fri, Mar 24, 2017 at 08:21:49AM +0100, Marcus Meissner wrote:
> 
> > On Fri, Mar 24, 2017 at 07:48:58AM +0100, Otto Moerbeek wrote:
> > > On Fri, Mar 24, 2017 at 04:11:48AM +, Blumenthal, Uri - 0553 - MITLL 
> > > wrote:
> > > 
> > > > Apache license is fine for me, while GPL could be problematic. 
> > > > Incompatibility with GPLv2 is not a problem for us. 
> > > > 
> > > > If it is a problem for somebody - feel free to explain the details. 
> > > > Though I think the decision has been made, and the majority is OK with 
> > > > it. 
> > > 
> > > I like to mention that any license change cannot be made based on a
> > > majority vote or any other method other than getting each author (or
> > > its legal representative) to *explicitly* allow the change. The method
> > > of "nothing heard equals consent" is not valid in any jurisdiction I
> > > know of.
> > > 
> > > While I'm not a contributor (I think I only sent in a small diff years
> > > ago), I would like to stress that the planned relicensing procedure is
> > > not legal and can be challenged in court.
> > 
> > Well, emails were sent yesterday out to _all_ contributors for ack/deny the 
> > change.
> 
> Read the last line of the mail, it says the no reactions equals
> consent. That is the illegal part.

The legal advice we got said that we should do our best to contact
people. If we contacted them, they had the possibility to say no.
We will give them time and go over all people that didn't reply to
try to reach them.

But if they don't reply, as said, we will assume they have no
problem with the license change. If at some later point in time
they do come forward and say no, we will deal with that at that
time.


Kurt

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Otto Moerbeek
On Fri, Mar 24, 2017 at 08:21:49AM +0100, Marcus Meissner wrote:

> On Fri, Mar 24, 2017 at 07:48:58AM +0100, Otto Moerbeek wrote:
> > On Fri, Mar 24, 2017 at 04:11:48AM +, Blumenthal, Uri - 0553 - MITLL 
> > wrote:
> > 
> > > Apache license is fine for me, while GPL could be problematic. 
> > > Incompatibility with GPLv2 is not a problem for us. 
> > > 
> > > If it is a problem for somebody - feel free to explain the details. 
> > > Though I think the decision has been made, and the majority is OK with 
> > > it. 
> > 
> > I like to mention that any license change cannot be made based on a
> > majority vote or any other method other than getting each author (or
> > its legal representative) to *explicitly* allow the change. The method
> > of "nothing heard equals consent" is not valid in any jurisdiction I
> > know of.
> > 
> > While I'm not a contributor (I think I only sent in a small diff years
> > ago), I would like to stress that the planned relicensing procedure is
> > not legal and can be challenged in court.
> 
> Well, emails were sent yesterday out to _all_ contributors for ack/deny the 
> change.
> 
> Ciao, Marcus
> -- 
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Read the last line of the mail, it says the no reactions equals
consent. That is the illegal part.

-Otto



-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-24 Thread Marcus Meissner
On Fri, Mar 24, 2017 at 07:48:58AM +0100, Otto Moerbeek wrote:
> On Fri, Mar 24, 2017 at 04:11:48AM +, Blumenthal, Uri - 0553 - MITLL 
> wrote:
> 
> > Apache license is fine for me, while GPL could be problematic. 
> > Incompatibility with GPLv2 is not a problem for us. 
> > 
> > If it is a problem for somebody - feel free to explain the details. Though 
> > I think the decision has been made, and the majority is OK with it. 
> 
> I like to mention that any license change cannot be made based on a
> majority vote or any other method other than getting each author (or
> its legal representative) to *explicitly* allow the change. The method
> of "nothing heard equals consent" is not valid in any jurisdiction I
> know of.
> 
> While I'm not a contributor (I think I only sent in a small diff years
> ago), I would like to stress that the planned relicensing procedure is
> not legal and can be challenged in court.

Well, emails were sent yesterday out to _all_ contributors for ack/deny the 
change.

Ciao, Marcus
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-23 Thread Otto Moerbeek
On Fri, Mar 24, 2017 at 04:11:48AM +, Blumenthal, Uri - 0553 - MITLL wrote:

> Apache license is fine for me, while GPL could be problematic. 
> Incompatibility with GPLv2 is not a problem for us. 
> 
> If it is a problem for somebody - feel free to explain the details. Though I 
> think the decision has been made, and the majority is OK with it. 

I like to mention that any license change cannot be made based on a
majority vote or any other method other than getting each author (or
its legal representative) to *explicitly* allow the change. The method
of "nothing heard equals consent" is not valid in any jurisdiction I
know of.

While I'm not a contributor (I think I only sent in a small diff years
ago), I would like to stress that the planned relicensing procedure is
not legal and can be challenged in court.

-Otto
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-23 Thread Blumenthal, Uri - 0553 - MITLL
Apache license is fine for me, while GPL could be problematic. Incompatibility 
with GPLv2 is not a problem for us. 

If it is a problem for somebody - feel free to explain the details. Though I 
think the decision has been made, and the majority is OK with it. 

Regards,
Uri

Sent from my iPhone

> On Mar 23, 2017, at 22:27, Quanah Gibson-Mount  wrote:
> 
> --On Friday, March 24, 2017 1:37 AM + Peter Waltenberg 
>  wrote:
> 
>> 
>> OpenSSL has a LOT of commercial users and contributors. Apache2 they can
>> live with, GPL not so much.
>> There's also the point that many of the big consumers (like Apache :))
>> are also under Apache2.
>> 
>> Least possible breakage and I think it's a reasonable compromise. Of
>> course I am biased because I work for the one of the commercial users.
> 
> Zero people that I know of are saying to switch to the GPL.  What is being 
> pointed out is that the incompatibility with the current OpenSSL license with 
> the GPLv2 has been a major problem.  Switching to the APLv2 does nothing to 
> resolve that problem.  As has been noted, the current advertising is a huge 
> problem with the existing license.  One of the reasons that has been a big 
> problem is that it makes the license incompatible with the GPLv2.  So on the 
> one hand, getting rid of that clause is great.  On the other hand, getting 
> rid of it by switching to the APL is not great, because it doesn't resolve 
> the fundamental problem of being incompatible with the GPLv2.
> 
> As was noted back when this was brought up in 2015, there are other, better, 
> licenses than the APLv2 which are also GPLv2 compatible.  The MPLv2 being an 
> example of such a license.  There is also BSD, MIT/X11, etc.  The GPLv2 
> incompatibility of OpenSSL is a major problem.
> 
> --Quanah
> 
> --
> 
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> 
> 
> -- 
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


smime.p7s
Description: S/MIME cryptographic signature
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-23 Thread Quanah Gibson-Mount
--On Friday, March 24, 2017 1:37 AM + Peter Waltenberg 
 wrote:




OpenSSL has a LOT of commercial users and contributors. Apache2 they can
live with, GPL not so much.
There's also the point that many of the big consumers (like Apache :))
are also under Apache2.

Least possible breakage and I think it's a reasonable compromise. Of
course I am biased because I work for the one of the commercial users.


Zero people that I know of are saying to switch to the GPL.  What is being 
pointed out is that the incompatibility with the current OpenSSL license 
with the GPLv2 has been a major problem.  Switching to the APLv2 does 
nothing to resolve that problem.  As has been noted, the current 
advertising is a huge problem with the existing license.  One of the 
reasons that has been a big problem is that it makes the license 
incompatible with the GPLv2.  So on the one hand, getting rid of that 
clause is great.  On the other hand, getting rid of it by switching to the 
APL is not great, because it doesn't resolve the fundamental problem of 
being incompatible with the GPLv2.


As was noted back when this was brought up in 2015, there are other, 
better, licenses than the APLv2 which are also GPLv2 compatible.  The MPLv2 
being an example of such a license.  There is also BSD, MIT/X11, etc.  The 
GPLv2 incompatibility of OpenSSL is a major problem.


--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:


--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-23 Thread Peter Waltenberg
 OpenSSL has a LOT of commercial users and contributors. Apache2 they can live with, GPL not so much. There's also the point that many of the big consumers (like Apache :)) are also under Apache2. Least possible breakage and I think it's a reasonable compromise. Of course I am biased because I work for the one of the commercial users.Peter-"openssl-dev"  wrote: -To: openssl-dev@openssl.orgFrom: Richard Moore Sent by: "openssl-dev" Date: 03/24/2017 07:34AMSubject: Re: [openssl-dev] License change agreementOn 23 March 2017 at 18:04, Salz, Rich via openssl-dev  wrote:> The new license also conflicts with the GPLv2.  This was immediately brought> up as a serious problem when this discussion began in July of 2015.  It> appears that the feedback that the APL does not solve these serious> problems with how OpenSSL was licensed was ignored.  Sad to see that.No it was not ignored.  (Just because we disagree doesn't mean we ignore the feedback.) The team felt that the Apache license better met our needs.​It's a fairly large elephant in the room that the press release does not address at all though. ​I think it's reasonable to expect some kind of reasoning.CheersRich.-- openssl-dev mailing listTo unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-23 Thread Richard Moore
On 23 March 2017 at 18:04, Salz, Rich via openssl-dev <
openssl-dev@openssl.org> wrote:

> > The new license also conflicts with the GPLv2.  This was immediately
> brought
> > up as a serious problem when this discussion began in July of 2015.  It
> > appears that the feedback that the APL does not solve these serious
> > problems with how OpenSSL was licensed was ignored.  Sad to see that.
>
> No it was not ignored.  (Just because we disagree doesn't mean we ignore
> the feedback.) The team felt that the Apache license better met our needs.
>


​It's a fairly large elephant in the room that the press release does not
address at all though. ​I think it's reasonable to expect some kind of
reasoning.

Cheers

Rich.
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-23 Thread Salz, Rich via openssl-dev
> The major problem with the existing license is that it conflicts with the 
> GPLv2.

Well, it's one of the problems.  The others includes that it is non-standard, 
and has an advertising clause.

> The new license also conflicts with the GPLv2.  This was immediately brought
> up as a serious problem when this discussion began in July of 2015.  It
> appears that the feedback that the APL does not solve these serious
> problems with how OpenSSL was licensed was ignored.  Sad to see that.

No it was not ignored.  (Just because we disagree doesn't mean we ignore the 
feedback.) The team felt that the Apache license better met our needs.

We can't please all parties, unfortunately.
 
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-23 Thread Quanah Gibson-Mount
--On Thursday, March 23, 2017 11:41 AM -0400 Rich Salz  
wrote:



If you have contributed code to OpenSSL, we'd like you to take a look
at our licensing website, https://license.openssl.org and give approval
to our converting to the Apache Software License.

You can find more details at our most recent blog entry,
https://www.openssl.org/blog


The major problem with the existing license is that it conflicts with the 
GPLv2.  The new license also conflicts with the GPLv2.  This was 
immediately brought up as a serious problem when this discussion began in 
July of 2015.  It appears that the feedback that the APL does not solve 
these serious problems with how OpenSSL was licensed was ignored.  Sad to 
see that.


--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:


--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


Re: [openssl-dev] License change agreement

2017-03-23 Thread Nathaniel McCallum
I'm only a minor contributor. But as I regularly use OpenSSL in other
projects, I wholeheartedly embrace this change. Thank you for the
effort you are putting in to make this happen.

On Thu, Mar 23, 2017 at 10:41 AM, Rich Salz  wrote:
> If you have contributed code to OpenSSL, we'd like you to take a look
> at our licensing website, https://license.openssl.org and give approval
> to our converting to the Apache Software License.
>
> You can find more details at our most recent blog entry,
> https://www.openssl.org/blog
>
> Over the next couple of days we will be sending out emails to as many
> people as we can.
>
> Thank you!
> --
> openssl-dev mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev