
Re: OpenSSL license for new packages.



Paulo Ricardo Paz Vital writes ("OpenSSL license for new packages."):
> I'm intending to package the openssl-ibmca library for s390 arch into
> Debian and I have a question about the license.

Thanks for getting in touch.

> Since this is an engine for OpenSSL, we have chosen the license as
> OpenSSL License, which is based on the BSD license.

Is "we" the upstream developers for openssl-ibmca, here?
If so then I have some observations you may find helpful.

Firstly, OpenSSL itself is undergoing a relicensing effort:
  https://www.openssl.org/blog/blog/2017/03/22/license/
If you want to follow OpenSSL, I therefore strongly suggest you adopt
Apache 2.0, or at least dual licence with Apache 2.0 as an option.

Secondly, the OpenSSL licence is not generally very well-regarded for
a number of reasons.  I won't go into that here, but the OpenSSL
project's decision seems very good to me.

> The point is, two of the
> OpenSSL License [2] statements say the following:
>
> " * 3. All advertising materials mentioning features or use of this
>  *    software must display the following acknowledgment:
>  *    "This product includes software developed by the OpenSSL Project
>  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
> 
> " * 6. Redistributions of any form whatsoever must retain the following
>  *    acknowledgment:
>  *    "This product includes software developed by the OpenSSL Project
>  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
> 
> I'd like to know if this is an impediment to package and redistribute it
> as a Debian Package. I checked the openssl package, and the content and
> license is the same.

These statements are, of course, false, at least as far as
openssl-ibmca itself is concerned.  It is very bad practice to require
licensees to make false statements in copyright notices!

It causes considerable trouble.  In a similar situation involving PHP
addons, we (the Debian Project) ended up consulting lawyers to find
out whether this was a serious problem.

So please do go back to upstream and see if you can get them to drop
this (or follow OpenSSL's lead and use Apache 2.0).

However, in fact our lawyers advised us in the PHP case that there was
no significant actual legal risk in us distributing the PHP addons,
provided that we made the situation very clear (including to the
relevant PHP upstreams).

See
  https://lists.debian.org/debian-legal/2016/02/msg00014.html

I think this advice is probably equally applicable here.  So if
openssl-ibmca upstream do not want to change their licence, I think
you should do as our lawyers recommended in the PHP case.

Ian.