Inside OpenSSL's battle to change its license: Coders' rights, tech giants, patents and more

Devs who fail to respond to call for change will count as 'yes' votes for AL 2.0


'Public key encryption is a patent minefield'

Salz said that one of the appeals of the Apache License is its patent clause, which grants patent rights associated with the software and removes your right to use the software if you make a patent infringement claim on the software.

"The patent protection is important because public key encryption is a patent minefield," Salz said. "We have seen patent trolls, Non-Practicing Entities, start to nibble around the edges of these things."

De Raadt is less enthusiastic about the ASLv2, calling it more restrictive than SSLeay. LibreSSL, BoringSSL, and Ring will never agree to go along, he insisted.

"That means the trees will fork and it becomes harder to observe the license terms and more software needs to be rewritten," he said. "That's a load of work on the developers who are just trying to make software better."

As of Thursday afternoon, Salz said 265 contributors have agreed to the change and 7 (described as mostly minor contributors) have refused. That means their contributions will have to be rewritten.

As for the other 870 email solicitations sent out, about half have bounced, showing that the open source community has its own version of the orphan works problem.

Eric A. Young, one of the original creators of the software (along with Tim J. Hudson) and the "eay" in the license name SSLeay, is unable to change his license as a result of contractual terms arising from his decision to join RSA.

One of the issues De Raadt has with the way the licensing change campaign is being handled is that OpenSSL's message to contributors states, "If we do not hear from you, we will assume that you have no objection." De Raadt expressed doubt such terms are legally valid.

Salz, however, believes otherwise. "We've gotten expert legal counsel and we're confident in the plan we have," he said.

Whether the license change passes legal muster or not, there will be blood, or at least discontent. "Since the new license isn't aimed at being resolutely permissive, this will fragment the usage community even further," De Raadt said.

"Fundamentally, OpenSSL has never had a contributor agreement," said De Raadt. "OpenSSL does not own the rights to make this change. That is why they are asking all the authors. If any author says no, they cannot do it, or they must rewrite that contribution. That is how license changes are done. Any other option is legally unsound, and morally wrong." ®

