Inside OpenSSL's battle to change its license: Coders' rights, tech giants, patents and more

Devs who fail to respond to call for change will count as 'yes' votes for AL 2.0

Analysis The OpenSSL project, possibly the most widely used open-source cryptographic software, has a license to kill – specifically its own. But its effort to obtain permission to rewrite contributors' rights runs the risk of alienating the community that sustains it.

The software is licensed under the OpenSSL License, which includes its own terms and those dating back to the preceding SSLeay license.

Those driving the project announced plans to shift to a new license in 2015 and now the thousand or so people who have contributed code over the years have started receiving email messages asking them to grant permission to relicense their contributions under the Apache Software License, version 2.

Theo de Raadt, founder of OpenBSD, a contributor to OpenSSL, and creator of LibreSSL, which was forked from OpenSSL in 2014, expressed dissatisfaction with the relicensing campaign in a mailing list post, criticizing OpenSSL for failing to consult its community of authors.

"My worry is that the rights of the authors are being trampled upon, and they are only being given one choice of license which appears to be driven by a secret agreement between big corporations, Linux Foundation, lawyers, and such," he explained in an interview with The Register via phone and email.

For years, OpenSSL went largely unappreciated, until the Heartbleed vulnerability surfaced in 2014 and shamed the large companies that depend on the software for online security to contribute funds and code.

The planned licensing change comes with the endorsement of Intel and Oracle, among the companies that pledged $3.9 million to the Linux Foundation as atonement. A portion of that funding transformed OpenSSL into something more than the shoe-string operation it had been for years.

Rich Salz, a member of the OpenSSL development team and senior architect at Akamai Technologies, in a phone interview with The Register, said that in the year before Heartbleed, two people were responsible for almost all of the changes being incorporated into OpenSSL. Now there are at least 150 contributing and making pull requests, he said.

Salz cited several reasons for seeking a new license for OpenSSL.

"If you read the SSLeay license carefully, it says among other things you cannot distribute this code under any other license," he said. "What that means is for people who make derivations and want to license their changes, as long as their changes are derived from SSLeay license, they can't."

The license also includes advertising credit clauses, which Salz characterized as "obnoxious." He said, "We want to move to a license that's completely standard and well-known and widely accepted by the community, by the industry."

A source familiar with software licensing, who asked not to be named because of lack of employer authorization, echoed Salz's concerns, describing the SSLeay license as a contractual freak and a compliance nightmare. The license states that the code cannot be placed under another license, which makes it incompatible with some popular copyleft licenses because they stipulate additional terms can only ease restrictions, the source said.

The advertising clause mentioned by Salz, according to the source, requires that any mention of software including OpenSSL comes with attribution. "This does not say when you distribute, it says when you talk about it," the source said. "That's a restriction on use, which runs very contrary to the spirit of what the community has worked towards."

Biting the hand that feeds IT © 1998–2021