OpenSSL license change: A cautionary tale

on Apr 26, 17 • by Valerie Douglas • with 2 Comments

OpenSSL recently announced it's changing its licensing. Let's look at what's driving this decision and how it impacts users and contributors.

OpenSSL recently announced it’s changing its licensing to Apache License v2.0 for their popular open source package. While it’s generally a welcome change for many users of OpenSSL, some groups are not happy about the new licensing, or the process being used to change it.

Currently, the OpenSSL project is conjunctively dual licensed, meaning both the OpenSSL License and the SSLeay License apply whenever OpenSSL is used in distributed software.

What’s driving this decision?

“This re-licensing activity will make OpenSSL, already the world’s most widely-used FOSS encryption software, more convenient to incorporate in the widest possible range of free and open source software,” said Mishi Choudhary, Legal Director of Software Freedom Law Center (SFLC) and counsel to OpenSSL, as explained in this recent announcement.

More specifically, the OpenSSL License contains clauses which are incompatible with the GPLv2, so a conflict arises whenever an organization distributes an application under GPLv2 that also contains OpenSSL. This type of licensing conflict is not uncommon for users of open source software.

Mark McLoughlin detailed the specific incompatible license clauses in his blog:

“…the OpenSSL license contains the following two clauses:

3. All advertising materials mentioning features or use of this software must display the following acknowledgment:
“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (www.openssl.org)”

6. Redistributions of any form whatsoever must retain the following acknowledgment:
“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (www.openssl.org)”

These clauses impose restrictions on people wishing to distribute your program. If your program is licensed under the GPLv2, these restrictions conflict with the following clause in the GPLv2:

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients’ exercise of the rights granted herein.”

He goes on to conclude that if users “want to use OpenSSL with a GPL program you should consider whether an OpenSSL exemption to the license is viable – i.e. do all the copyright holders for the affected code agree? Failing that, you could distribute the GPL program using OpenSSL but you are effectively trusting that the copyright holders for that program don’t care. A much safer option is to use either the GNU TLS or Mozilla NSS library.”

Effectively, he is saying the easiest solution was simply NOT to use OpenSSL at all, and instead to use alternative software with more permissive licensing.

So, this explains why OpenSSL has finally decided to make the change to Apache License v2.0. The project has also created a site to facilitate gathering the agreements from past contributors that are necessary to complete the change.

How does this impact users?

From a user’s perspective, it’s summed up nicely here by Josh Triplett: “This is a huge win. The incompatibility between OpenSSL and the GPL has been one of the most notable license incompatibilities regularly encountered in practice. With this change, OpenSSL will become compatible with GPLv3, which also makes it compatible with software licensed ‘version 2 or later’. People will no longer need to choose and port to another crypto library for license reasons.”

You may be familiar with OpenSSL only because of the infamous Heartbleed vulnerability that made so much news. As Thomas Claburn from The Register points out in his recent article: “For years, OpenSSL went largely unappreciated, until the Heartbleed vulnerability surfaced in 2014 and shamed the large companies that depend on the software for online security to contribute funds and code. The planned licensing change comes with the endorsement of Intel and Oracle, among the companies that pledged $3.9 million to the Linux Foundation as atonement. A portion of that funding transformed OpenSSL into something more than the shoe-string operation it had been for years.”

He goes on to report, “… in the year before Heartbleed, two people were responsible for almost all of the changes being incorporated into OpenSSL. Now there are at least 150 contributing and making pull requests…”

What about OpenSSL contributors?

As part of the relicensing process, OpenSSL must obtain approval from all past contributors, which is precisely why making such a change is a long and difficult process. If any contributors do not agree to and accept the change, their contributed code must be replaced.

According to Thomas Claburn, Theo de Raadt, founder of OpenBSD and a contributor to OpenSSL, says OpenSSL is “failing to consult its community of authors.” Some are raising questions about OpenBSD’s ability to take patches from OpenSSL after the re-licensing, an illustration of why some contributors may oppose the change. Others believe the Apache License is not permissive enough; de Raadt stated he believes other contributors will not go along for this reason, and that it will only serve to further divide the community.

Claburn also reports that de Raadt has concerns with the way OpenSSL is handling the licensing change. Since OpenSSL has never had a contributor’s license agreement, de Raadt believes the project does not have the right to make this licensing change. Additionally, he claims OpenSSL’s process is wrong in declaring, when asking contributors for approval, “If we do not hear from you, we will assume that you have no objection.” De Raadt suggests this may not meet legal requirements.

This illustrates why a Contributor License Agreement (CLA) is so important. As OSSWatch has explained, a CLA establishes that each “contributor needs to – at a minimum – grant … the right to sub-license. When granting rights, it is common to grant a very broad range of rights. This is in order to avoid the need to return to the contributor for authorization to take the desired action with their contribution, such as releasing under a different license.”

Summary

In summary, the story is a reminder of the value of the foresight that was missing here: selecting the right license for your open source projects, and creating a flexible CLA up front, or at least early in the project’s life, are crucial actions that may pay off later.

2 Responses to OpenSSL license change: A cautionary tale

  1. You are being less than transparent by using the Thomas Claburn quote from The Register.

    It would be correct to say that at the time of the Heartbleed vulnerability, OpenSSL was indeed overlooked in large development build processes that shipped embedded Linux distributions with commercial products. We complied with license terms and were working in other parts of the open infrastructure.

    It is inaccurate to say that large companies were “shamed” into contributing funds and code. As one of the founding members, on behalf of Dell, I was contacted by the Linux Foundation and we became aware of the problem. Dell, along with many other “large” companies at the time and since, saw the Converged Infrastructure Initiative (CII) as an opportunity to support the community and contribute in a direct and transparent manner. There was no shaming.

    Large corporations pumping money into open source projects always raises questions, and is often frowned upon, hence has never been generally acceptable. As far as I am aware, Oracle, as quoted, and Rogue Wave Software are NOT now and have never been members of the Linux Foundation Core Infrastructure Initiative (CII) that has just passed its 3rd anniversary.

    For a full list of grants and projects supported by the CII: https://www.coreinfrastructure.org/grants

    Thanks for the opportunity to clear that up.

    Mark Cathcart, Louisville, CO

    • Valerie Douglas says:

      Thanks very much for your clarification, as there was no intention to be anything but transparent. I appreciate your perspective, and what it brings to the discussion.
      –Valerie Douglas
