Posted to legal-discuss@apache.org by Steve Varnau <st...@esgyn.com> on 2016/06/02 18:13:12 UTC

Dependency on OpenSSL

Hello,

Per Justin's suggestion (below) I wanted to ask whether it is okay for our
project to have a dependency on OpenSSL.
OpenSSL is working on changing licensing[1], but it currently seems to be
Category X.

By dynamically linking with OpenSSL libraries, we will not bundle it with
our convenience binaries.
I see from the export page[2] that several other projects also use
OpenSSL, but some of those usages seem to be optional.
Can we dynamically link to and thereby depend on OpenSSL, or do we need to
somehow make this optional?

Thanks,
--Steve

[1] https://www.openssl.org/blog/blog/2015/08/01/cla/
[2] http://www.apache.org/licenses/exports/

-----Original Message-----
From: Justin Mclean [mailto:justin@classsoftware.com]
Sent: Wednesday, June 1, 2016 4:39 PM
To: general@incubator.apache.org
Subject: Re: [VOTE] Release Apache Trafodion 2.0.0 (incubating)

Hi,

> Looking at the openssl issue, I want to figure out why we are statically
> linking the libraries.  If there is a key reason it needs to be static
> rather than dynamically linked, then I'll want to go to legal-discuss and
> ask whether we can distribute it, given license changes in the works.

Given the 4 clause BSD license is most likely category X I think the only
way you can have it as a dependency is if it is an optional one. [1]
Dynamically linking it would be one way of doing that. (But IANAL so again
it may be good to check on legal-discuss.)

> the expedient thing is to go ahead with this release, minus the client binary.

That works for me and you have my +1 for that.

Thanks,
Justin

1. http://www.apache.org/legal/resolved.html#optional


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org


Re: Dependency on OpenSSL

Posted by Justin Mclean <ju...@classsoftware.com>.
Hi,

> As far as I can tell, the 4-clause BSD license is not listed under any
> "category" -- it's not in "A", "B", or "X", it is simply not covered by
> <http://www.apache.org/legal/resolved>.

As far as I can tell that is the case and it seems like it should be regarded as category X, but open to other opinions.

There are several places where it is stated / discussed that it’s not allowed, e.g. [1]

It’s not on the list of OSI approved licenses [2] ("The four clause license has not been approved by OSI"), and probably fails the criteria here. [3]

The issue here is that it’s being bundled / statically linked not that the project uses it.

Thanks,
Justin

1. https://issues.apache.org/jira/browse/LEGAL-185
2. https://opensource.org/licenses/BSD-3-Clause
3. http://www.apache.org/legal/resolved.html#criteria


Re: Dependency on OpenSSL

Posted by Justin Mclean <ju...@classsoftware.com>.
Hi,

> Interestingly, while we seem to be discussing BSD 4-clause, I discovered
> that, according to Wikipedia [1], OpenSSL is under Apache 1.0, not BSD
> 4-clause, and when comparing OpenSSL's license [2] against this copy of
> Apache 1.0 [3], I'd have to agree.

I believe it’s actually both: if you look at [1] you see that some of it is licensed under Apache 1.0 (or similar), but the original SSLeay code is under a 4 clause BSD.

Both Apache 1.0 and the 4 clause BSD license contain the troublesome advertising clause.

> Even more interestingly, Apache 1.0 doesn't seem to be listed in [4] under
> Category A, B, or X either.  Is there some past ruling about Apache 1.0?

This has been discussed before but no clear answer was given other than both are probably category X. See [2][3] and also [4]. I also noted this as an issue a little while back [5].

BTW There is one Apache project that looks like it contains code licensed under Apache 1.0. And yep you guessed it, it’s Apache Flex. [6] It contains code from an old version of the Apache Velocity project (2007 or so?).

Thanks,
Justin

1. https://github.com/openssl/openssl/blob/master/LICENSE
2. http://mail-archives.apache.org/mod_mbox/www-legal-discuss/200803.mbox/%3c2d12b2f00803200818s4a35d080ifac13904a1737e4@mail.gmail.com%3e
3. http://mail-archives.apache.org/mod_mbox/www-legal-discuss/200909.mbox/%3C4AAE8B8C.6090704@intertwingly.net%3E
4. http://mail-archives.apache.org/mod_mbox/www-legal-discuss/201005.mbox/%3CAANLkTinc479YpEvDqP7_nDVY8grrbksK2PGAMMF2Vkl_@mail.gmail.com%3E
5. https://mail-archives.apache.org/mod_mbox/incubator-general/201602.mbox/%3C57491FBA-FDDB-4009-8D00-8F3A9A2B324A@classsoftware.com%3E
6. https://github.com/apache/flex-sdk/blob/eec643c453a3a1bec6ea3352b0c94ec81d36b2d6/modules/thirdparty/velocity/test/texen/license.txt


Re: Dependency on OpenSSL

Posted by Greg Stein <gs...@gmail.com>.
*head-explode*

On Thu, Jun 2, 2016 at 11:17 PM, Alex Harui <ah...@adobe.com> wrote:

> Interestingly, while we seem to be discussing BSD 4-clause, I discovered
> that, according to Wikipedia [1], OpenSSL is under Apache 1.0, not BSD
> 4-clause, and when comparing OpenSSL's license [2] against this copy of
> Apache 1.0 [3], I'd have to agree.
>
> Even more interestingly, Apache 1.0 doesn't seem to be listed in [4] under
> Category A, B, or X either.  Is there some past ruling about Apache 1.0?
> I would hope Apache 1.0 is ok to use in Apache 2.0 projects.  And if it
> is, then it does raise questions about the categorization of the
> advertising clause in BSD 4-clause since Apache 1.0 has the same sort of
> clause.
>
> Thoughts?
> -Alex
>
> [1] https://en.wikipedia.org/wiki/OpenSSL
> [2] https://www.openssl.org/source/license.html
> [3] https://www.apache.org/licenses/LICENSE-1.0
> [4] http://www.apache.org/legal/resolved.html
>
>

Re: Dependency on OpenSSL

Posted by Alex Harui <ah...@adobe.com>.
Interestingly, while we seem to be discussing BSD 4-clause, I discovered
that, according to Wikipedia [1], OpenSSL is under Apache 1.0, not BSD
4-clause, and when comparing OpenSSL's license [2] against this copy of
Apache 1.0 [3], I'd have to agree.

Even more interestingly, Apache 1.0 doesn't seem to be listed in [4] under
Category A, B, or X either.  Is there some past ruling about Apache 1.0?
I would hope Apache 1.0 is ok to use in Apache 2.0 projects.  And if it
is, then it does raise questions about the categorization of the
advertising clause in BSD 4-clause since Apache 1.0 has the same sort of
clause.

Thoughts?
-Alex

[1] https://en.wikipedia.org/wiki/OpenSSL
[2] https://www.openssl.org/source/license.html
[3] https://www.apache.org/licenses/LICENSE-1.0
[4] http://www.apache.org/legal/resolved.html


Re: Dependency on OpenSSL

Posted by Roman Shaposhnik <ro...@shaposhnik.org>.
On Thu, Jun 2, 2016 at 6:03 PM, Marvin Humphrey <ma...@rectangular.com> wrote:
> On Thu, Jun 2, 2016 at 3:59 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>
>> FWIW, OpenSSL is a dependency of a number of Apache projects and
>> has long been vetted as acceptable by the board, and all of the Legal VPs
>> throughout our evolution.
>>
>> You can suddenly decide to reclassify the scope of advertising clauses,
>> but we will be disabling major components of the Apache httpd, Tomcat,
>> and a number of other very visible projects in reaction to such a decision.
>> Somehow, both our organization and our many consumers have found their
>> way through this minefield up to this point, 15 years later.
>
> I would +1 a one-off exception for OpenSSL. I still think 4-clause BSD
> belongs in category X.

Do you mean explicitly listing this exception on our web page?

Thanks,
Roman.



Re: Dependency on OpenSSL

Posted by Marvin Humphrey <ma...@rectangular.com>.
On Thu, Jun 2, 2016 at 3:59 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:

> FWIW, OpenSSL is a dependency of a number of Apache projects and
> has long been vetted as acceptable by the board, and all of the Legal VPs
> throughout our evolution.
>
> You can suddenly decide to reclassify the scope of advertising clauses,
> but we will be disabling major components of the Apache httpd, Tomcat,
> and a number of other very visible projects in reaction to such a decision.
> Somehow, both our organization and our many consumers have found their
> way through this minefield up to this point, 15 years later.

I would +1 a one-off exception for OpenSSL. I still think 4-clause BSD
belongs in category X.

Marvin Humphrey



RE: Dependency on OpenSSL

Posted by "Dennis E. Hamilton" <de...@acm.org>.
I would like very much to return to the original focused concern of this thread: The license requirements of OpenSSL as a dependency from an Apache project.  I am already investigating how Apache OpenOffice may need to adjust its handling of an apparent dependency with regard to LICENSE and NOTICE.

Here are the facts that I am concerned about.

 1. From <https://www.openssl.org/>, the following statement is made.  Note the use of "APACHE-STYLE".

    "The OpenSSL toolkit is licensed under an Apache-style license,
    which basically means that you are free to get and use it for
    commercial and non-commercial purposes subject to some simple
    license conditions."

    Not unlike what could be said of the Apache License [any version].
  2. At <https://www.openssl.org/source/license.txt> there is a "dual license" text for two licenses, an OpenSSL License and an Original SSLeay License.  The texts are each distinct in literal form from an Apache License.

  2.1 Familiar bits

  * They each include copyright notices.  They each apply 
    "redistribution" to mean with or without modification.

  * They each require retention of those notices, the statements of
    conditions, and disclaimers in redistributions.

  * They each require provision of the same in an effective manner
    in conjunction with binary redistributions.

  2.2 Notification, Attribution, Acknowledgment bits

  * OpenSSL License requires a specific acknowledgment in "All
    advertising materials mentioning features or use of this software."
    Original SSLeay License has the condition and a different specific
    acknowledgment.

  * OpenSSL License requires redistributions in any form whatsoever
    to retain a specific acknowledgement statement.

  * OpenSSL License has a final statement of acknowledgment that is
    not literally embraced under the stated conditions.

  * Original SSLeay License is not so well-structured and gives notice
    of copyright by two individuals.  Notices in code are explicitly
    not removable.

  * Original SSLeay License requires attribution to named individuals
    under various conditions.

  * Original SSLeay License has a tacked-on condition that appears
    intended to ward off downstream relicensing, were there such a
    thing.


  3. Initial Take-Away.  UNDER CONDITIONS OF ACCEPTABLE DEPENDENCY, 

  * The license acceptable for redistribution as a dependency would
    surely appear in the LICENSE file because it must be 
    provided and others are not alternatives.

  * The NOTICE file would include a clear but minimal statement
    that satisfies the conditions of the license and the ASF purpose
    for NOTICE.

  * I have no idea what the conditions of acceptable dependency might 
    be.  It would be nice were there at least practicable Category B 
    conditions.

 - Dennis


> -----Original Message-----
> From: Henri Yandell [mailto:bayard@apache.org]
> Sent: Sunday, June 5, 2016 13:20
> To: ASF Legal Discuss <le...@apache.org>
> Subject: Re: Dependency on OpenSSL
> 
> Roy said:
> 
> "The advertising clause is subsumed by the AL2 NOTICE file when the
> copyright
> owners are asked if the NOTICE file is sufficient advertising and they
> agree."
> 
> 
> So don't we have to go ask the copyright owners?
> 
> 
> Hen
> 
> 
> 
> On Sun, Jun 5, 2016 at 7:03 AM, Justin Mclean <justin@classsoftware.com
> <ma...@classsoftware.com> > wrote:
> 
> 
> 	Hi,
> 
> 	> I did not mean OpenSSL, specifically. I meant the things we have
> included in our own packages that used to be under original BSD or AL
> 1.0.
> 
> 	So how do you recommend we change the current legal resolved
> questions to make this clear ow to handle these licenses? Add them to
> category A but add that they need to be called out in NOTICE?
> 
> 	Thanks,
> 	Justin
> 
> 
> 
> 





Re: Dependency on OpenSSL

Posted by Henri Yandell <ba...@apache.org>.
Roy said:

"The advertising clause is subsumed by the AL2 NOTICE file when the copyright
owners are asked if the NOTICE file is sufficient advertising and they agree."

So don't we have to go ask the copyright owners?

Hen


On Sun, Jun 5, 2016 at 7:03 AM, Justin Mclean <ju...@classsoftware.com>
wrote:

> Hi,
>
> > I did not mean OpenSSL, specifically. I meant the things we have
> included in our own packages that used to be under original BSD or AL 1.0.
>
> So how do you recommend we change the current legal resolved questions to
> make this clear how to handle these licenses? Add them to category A but add
> that they need to be called out in NOTICE?
>
> Thanks,
> Justin
>
>

RE: Dependency on OpenSSL

Posted by "Dennis E. Hamilton" <de...@acm.org>.
+1

> -----Original Message-----
> From: Marvin Humphrey [mailto:marvin@rectangular.com]
> Sent: Sunday, June 5, 2016 22:24
> To: legal-discuss@apache.org
> Subject: Re: Dependency on OpenSSL
> 
> Roy, then Justin:
> 
> >> I did not mean OpenSSL, specifically. I meant the things we have included
> >> in our own packages that used to be under original BSD or AL 1.0.
> >
> > So how do you recommend we change the current legal resolved questions to
> > make this clear how to handle these licenses? Add them to category A but add
> > that they need to be called out in NOTICE?
> 
> The approach I hope we can take is to grandfather in harmless existing usage,
> including an exception for OpenSSL in particular, but explicitly deprecate
> licenses with advertising clauses to discourage future usage.
> 
> Marvin Humphrey
> 




Re: Dependency on OpenSSL

Posted by Jim Wright <ji...@oracle.com>.
I'll discuss with Mishi and confirm back to the group.

 Regards,
  Jim


> On Oct 31, 2016, at 4:53 PM, Todd Lipcon <to...@cloudera.com> wrote:
> 
>> On Mon, Oct 31, 2016 at 1:29 PM, Jim Wright <ji...@oracle.com> wrote:
>> When Todd says "we're copy-paste importing it" do you mean cut and pasting into an existing file, and if so (or in either event really) where does the original license go when you do that?
> 
> We created a new source file to copy-paste the code into. There are a few trivial modifications that we had to make (eg using strlen() instead of OPENSSL_strlen()) but otherwise it's just copy-pasted. So, we were planning to keep the original OpenSSL license header and copyright on that file rather than applying the Apache 2.0 one. You can see what we're planning on committing here:
> 
> https://gerrit.cloudera.org/#/c/4789/7/src/kudu/util/x509_check_host.cc
> 
>> 
>> Apologies for my ignorance here, I just want to confirm a complete copy of the OpenSSL license ends up in both the complete source and in binary distributions.
> 
> https://gerrit.cloudera.org/#/c/4789/7/LICENSE.txt shows the diff for LICENSE.txt
> and https://gerrit.cloudera.org/#/c/4789/7/NOTICE.txt for NOTICE.txt
> 
> Does that seem sufficient?
> 
> -Todd 
> 
>> 
>> > On Oct 30, 2016, at 8:40 AM, Jim Jagielski <ji...@jaguNET.com> wrote:
>> >
>> > Yes, that's correct, and +1 on adding it to the Resolved page.
>> >
>> >> On Oct 28, 2016, at 6:48 PM, Todd Lipcon <to...@cloudera.com> wrote:
>> >>
>> >> Just to revive this thread from a few months ago:
>> >>
>> >> In Apache Kudu we're pulling in a little bit of code from OpenSSL (x509 certificate hostname validation) into our source repository. In general we prefer to just link against the system's OpenSSL, but this particular code is new and not available in most commonly deployed versions, so we're copy-paste importing it.
>> >>
>> >> Based on reading of this thread, we need to put the following in NOTICE.txt:
>> >>
>> >> <begin>
>> >> This product includes software developed by the OpenSSL Project
>> >> for use in the OpenSSL Toolkit. (http://www.openssl.org/)
>> >>
>> >> This product includes cryptographic software written by Eric Young
>> >> (eay@cryptsoft.com).  This product includes software written by Tim
>> >> Hudson (tjh@cryptsoft.com).
>> >> <end>
>> >>
>> >> Is my understanding of the resolution here correct? Would be great to have this listed on the legal "resolved" page.
>> >>
>> >> -Todd
>> >>
>> >> On Fri, Jun 17, 2016 at 10:29 PM, Henri Yandell <ba...@apache.org> wrote:
>> >> So I can update resolved.html; is there a link to where OpenSSL agreed that NOTICE was sufficient in the archives (or their archives)?
>> >>
>> >> On Mon, Jun 6, 2016 at 4:47 AM, Jim Jagielski <ji...@jagunet.com> wrote:
>> >> BSD-4 should be Cat-X *except* for those projects, such as OpenSSL, etc
>> >> that have agreed that NOTICE is sufficient.
>> >>
>> >>> On Jun 6, 2016, at 1:23 AM, Marvin Humphrey <ma...@rectangular.com> wrote:
>> >>>
>> >>> Roy, then Justin:
>> >>>
>> >>>>> I did not mean OpenSSL, specifically. I meant the things we have included
>> >>>>> in our own packages that used to be under original BSD or AL 1.0.
>> >>>>
>> >>>> So how do you recommend we change the current legal resolved questions to
>> >>>> make this clear how to handle these licenses? Add them to category A but add
>> >>>> that they need to be called out in NOTICE?
>> >>>
>> >>> The approach I hope we can take is to grandfather in harmless existing usage,
>> >>> including an exception for OpenSSL in particular, but explicitly deprecate
>> >>> licenses with advertising clauses to discourage future usage.
>> >>>
>> >>> Marvin Humphrey
>> >>>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> --
>> >> Todd Lipcon
>> >> Software Engineer, Cloudera
>> >
>> >
>> >
>> 
>> 
> 
> 
> 
> -- 
> Todd Lipcon
> Software Engineer, Cloudera

Re: Dependency on OpenSSL

Posted by Todd Lipcon <to...@cloudera.com>.
Yea, turns out the contributor misinterpreted that as a deprecated license
for an older version of the product. We'll include both in our LICENSE.
Thanks for the catch!

-Todd

On Wed, Nov 2, 2016 at 10:11 AM, Todd Lipcon <to...@cloudera.com> wrote:

> On Wed, Nov 2, 2016 at 4:18 AM, Jim Wright <ji...@oracle.com> wrote:
>
>> Todd, while I wait to catch up with Mishi about it, is there a reason you
>> inserted only part of the OpenSSL license into the LICENSE.TXT file (the
>> first of two licenses)?
>>
>>
> I think that's probably an oversight. Let me check with the patch author.
>
> -Todd
>



-- 
Todd Lipcon
Software Engineer, Cloudera

Re: Dependency on OpenSSL

Posted by Todd Lipcon <to...@cloudera.com>.
On Wed, Nov 2, 2016 at 4:18 AM, Jim Wright <ji...@oracle.com> wrote:

> Todd, while I wait to catch up with Mishi about it, is there a reason you
> inserted only part of the OpenSSL license into the LICENSE.TXT file (the
> first of two licenses)?
>
>
I think that's probably an oversight. Let me check with the patch author.

-Todd



-- 
Todd Lipcon
Software Engineer, Cloudera

Re: Dependency on OpenSSL

Posted by Jim Wright <ji...@oracle.com>.
Todd, while I wait to catch up with Mishi about it, is there a reason you inserted only part of the OpenSSL license into the LICENSE.TXT file (the first of two licenses)?

 Regards,
  Jim

>> >> (eay@cryptsoft.com).  This product includes software written by Tim
>> >> Hudson (tjh@cryptsoft.com).
>> >> <end>
>> >>
>> >> Is my understanding of the resolution here correct? Would be great to have this listed on the legal "resolved" page.
>> >>
>> >> -Todd
>> >>
>> >> On Fri, Jun 17, 2016 at 10:29 PM, Henri Yandell <ba...@apache.org> wrote:
>> >> So I can update resolved.html; is there a link to where OpenSSL agreed that NOTICE was sufficient in the archives (or their archives)?
>> >>
>> >> On Mon, Jun 6, 2016 at 4:47 AM, Jim Jagielski <ji...@jagunet.com> wrote:
>> >> BSD-4 should be Cat-X *except* for those projects, such as OpenSSL, etc
>> >> that have agreed that NOTICE is sufficient.
>> >>
>> >>> On Jun 6, 2016, at 1:23 AM, Marvin Humphrey <ma...@rectangular.com> wrote:
>> >>>
>> >>> Roy, then Justin:
>> >>>
>> >>>>> I did not mean OpenSSL, specifically. I meant the things we have included
>> >>>>> in our own packages that used to be under original BSD or AL 1.0.
>> >>>>
>> >>>> So how do you recommend we change the current legal resolved questions to
>> >>>> make this clear how to handle these licenses? Add them to category A but add
>> >>>> that they need to be called out in NOTICE?
>> >>>
>> >>> The approach I hope we can take is to grandfather in harmless existing usage,
>> >>> including an exception for OpenSSL in particular, but explicitly deprecate
>> >>> licenses with advertising clauses to discourage future usage.
>> >>>
>> >>> Marvin Humphrey
>> >>>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> --
>> >> Todd Lipcon
>> >> Software Engineer, Cloudera
>> >
>> >
>> >
>> 
>> 
> 
> 
> 
> -- 
> Todd Lipcon
> Software Engineer, Cloudera

Re: Dependency on OpenSSL

Posted by Todd Lipcon <to...@cloudera.com>.
On Mon, Oct 31, 2016 at 1:29 PM, Jim Wright <ji...@oracle.com> wrote:

> When Todd says "we're copy-paste importing it" do you mean cut and pasting
> into an existing file, and if so (or in either event really) where does the
> original license go when you do that?
>

We created a new source file to copy-paste the code into. There are a few
trivial modifications that we had to make (eg using strlen() instead of
OPENSSL_strlen()) but otherwise it's just copy-pasted. So, we were planning
to keep the original OpenSSL license header and copyright on that file
rather than applying the Apache 2.0 one. You can see what we're planning on
committing here:

https://gerrit.cloudera.org/#/c/4789/7/src/kudu/util/x509_check_host.cc


> Apologies for my ignorance here, I just want to confirm a complete copy of
> the OpenSSL license ends up in both the complete source and in binary
> distributions.
>
>
https://gerrit.cloudera.org/#/c/4789/7/LICENSE.txt shows the diff for
LICENSE.txt
and https://gerrit.cloudera.org/#/c/4789/7/NOTICE.txt for NOTICE.txt

Does that seem sufficient?

-Todd


> > On Oct 30, 2016, at 8:40 AM, Jim Jagielski <ji...@jaguNET.com> wrote:
> >
> > Yes, that's correct, and +1 on adding it to the Resolved page.
> >
> >> On Oct 28, 2016, at 6:48 PM, Todd Lipcon <to...@cloudera.com> wrote:
> >>
> >> Just to revive this thread from a few months ago:
> >>
> >> In Apache Kudu we're pulling in a little bit of code from OpenSSL (x509
> certificate hostname validation) into our source repository. In general we
> prefer to just link against the system's OpenSSL, but this particular code
> is new and not available in most commonly deployed versions, so we're
> copy-paste importing it.
> >>
> >> Based on reading of this thread, we need to put the following in
> NOTICE.txt:
> >>
> >> <begin>
> >> This product includes software developed by the OpenSSL Project
> >> for use in the OpenSSL Toolkit. (http://www.openssl.org/)
> >>
> >> This product includes cryptographic software written by Eric Young
> >> (eay@cryptsoft.com).  This product includes software written by Tim
> >> Hudson (tjh@cryptsoft.com).
> >> <end>
> >>
> >> Is my understanding of the resolution here correct? Would be great to
> have this listed on the legal "resolved" page.
> >>
> >> -Todd
> >>
> >> On Fri, Jun 17, 2016 at 10:29 PM, Henri Yandell <ba...@apache.org>
> wrote:
> >> So I can update resolved.html; is there a link to where OpenSSL agreed
> that NOTICE was sufficient in the archives (or their archives)?
> >>
> >> On Mon, Jun 6, 2016 at 4:47 AM, Jim Jagielski <ji...@jagunet.com> wrote:
> >> BSD-4 should be Cat-X *except* for those projects, such as OpenSSL, etc
> >> that have agreed that NOTICE is sufficient.
> >>
> >>> On Jun 6, 2016, at 1:23 AM, Marvin Humphrey <ma...@rectangular.com>
> wrote:
> >>>
> >>> Roy, then Justin:
> >>>
> >>>>> I did not mean OpenSSL, specifically. I meant the things we have
> included
> >>>>> in our own packages that used to be under original BSD or AL 1.0.
> >>>>
> >>>> So how do you recommend we change the current legal resolved
> questions to
> >>>> make this clear how to handle these licenses? Add them to category A
> but add
> >>>> that they need to be called out in NOTICE?
> >>>
> >>> The approach I hope we can take is to grandfather in harmless existing
> usage,
> >>> including an exception for OpenSSL in particular, but explicitly
> deprecate
> >>> licenses with advertising clauses to discourage future usage.
> >>>
> >>> Marvin Humphrey
> >>>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >> --
> >> Todd Lipcon
> >> Software Engineer, Cloudera
> >
> >
> >
>
>
>
>


-- 
Todd Lipcon
Software Engineer, Cloudera

Re: Dependency on OpenSSL

Posted by Jim Wright <ji...@oracle.com>.
When Todd says "we're copy-paste importing it" do you mean cut and pasting into an existing file, and if so (or in either event really) where does the original license go when you do that?  

Apologies for my ignorance here, I just want to confirm a complete copy of the OpenSSL license ends up in both the complete source and in binary distributions.

 Regards,
  Jim


> On Oct 30, 2016, at 8:40 AM, Jim Jagielski <ji...@jaguNET.com> wrote:
> 
> Yes, that's correct, and +1 on adding it to the Resolved page.
> 
>> On Oct 28, 2016, at 6:48 PM, Todd Lipcon <to...@cloudera.com> wrote:
>> 
>> Just to revive this thread from a few months ago:
>> 
>> In Apache Kudu we're pulling in a little bit of code from OpenSSL (x509 certificate hostname validation) into our source repository. In general we prefer to just link against the system's OpenSSL, but this particular code is new and not available in most commonly deployed versions, so we're copy-paste importing it.
>> 
>> Based on reading of this thread, we need to put the following in NOTICE.txt:
>> 
>> <begin>
>> This product includes software developed by the OpenSSL Project
>> for use in the OpenSSL Toolkit. (http://www.openssl.org/)
>> 
>> This product includes cryptographic software written by Eric Young
>> (eay@cryptsoft.com).  This product includes software written by Tim
>> Hudson (tjh@cryptsoft.com).
>> <end>
>> 
>> Is my understanding of the resolution here correct? Would be great to have this listed on the legal "resolved" page.
>> 
>> -Todd
>> 
>> On Fri, Jun 17, 2016 at 10:29 PM, Henri Yandell <ba...@apache.org> wrote:
>> So I can update resolved.html; is there a link to where OpenSSL agreed that NOTICE was sufficient in the archives (or their archives)?
>> 
>> On Mon, Jun 6, 2016 at 4:47 AM, Jim Jagielski <ji...@jagunet.com> wrote:
>> BSD-4 should be Cat-X *except* for those projects, such as OpenSSL, etc
>> that have agreed that NOTICE is sufficient.
>> 
>>> On Jun 6, 2016, at 1:23 AM, Marvin Humphrey <ma...@rectangular.com> wrote:
>>> 
>>> Roy, then Justin:
>>> 
>>>>> I did not mean OpenSSL, specifically. I meant the things we have included
>>>>> in our own packages that used to be under original BSD or AL 1.0.
>>>> 
>>>> So how do you recommend we change the current legal resolved questions to
>>>> make this clear how to handle these licenses? Add them to category A but add
>>>> that they need to be called out in NOTICE?
>>> 
>>> The approach I hope we can take is to grandfather in harmless existing usage,
>>> including an exception for OpenSSL in particular, but explicitly deprecate
>>> licenses with advertising clauses to discourage future usage.
>>> 
>>> Marvin Humphrey
>>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> -- 
>> Todd Lipcon
>> Software Engineer, Cloudera
> 
> 
> 




Re: Dependency on OpenSSL

Posted by Jim Jagielski <ji...@jaguNET.com>.
Yes, that's correct, and +1 on adding it to the Resolved page.

> On Oct 28, 2016, at 6:48 PM, Todd Lipcon <to...@cloudera.com> wrote:
> 
> Just to revive this thread from a few months ago:
> 
> In Apache Kudu we're pulling in a little bit of code from OpenSSL (x509 certificate hostname validation) into our source repository. In general we prefer to just link against the system's OpenSSL, but this particular code is new and not available in most commonly deployed versions, so we're copy-paste importing it.
> 
> Based on reading of this thread, we need to put the following in NOTICE.txt:
> 
> <begin>
> This product includes software developed by the OpenSSL Project
> for use in the OpenSSL Toolkit. (http://www.openssl.org/)
> 
> This product includes cryptographic software written by Eric Young
> (eay@cryptsoft.com).  This product includes software written by Tim
> Hudson (tjh@cryptsoft.com).
> <end>
> 
> Is my understanding of the resolution here correct? Would be great to have this listed on the legal "resolved" page.
> 
> -Todd
> 
> On Fri, Jun 17, 2016 at 10:29 PM, Henri Yandell <ba...@apache.org> wrote:
> So I can update resolved.html; is there a link to where OpenSSL agreed that NOTICE was sufficient in the archives (or their archives)?
> 
> On Mon, Jun 6, 2016 at 4:47 AM, Jim Jagielski <ji...@jagunet.com> wrote:
> BSD-4 should be Cat-X *except* for those projects, such as OpenSSL, etc
> that have agreed that NOTICE is sufficient.
> 
> > On Jun 6, 2016, at 1:23 AM, Marvin Humphrey <ma...@rectangular.com> wrote:
> >
> > Roy, then Justin:
> >
> >>> I did not mean OpenSSL, specifically. I meant the things we have included
> >>> in our own packages that used to be under original BSD or AL 1.0.
> >>
> >> So how do you recommend we change the current legal resolved questions to
> >> make this clear how to handle these licenses? Add them to category A but add
> >> that they need to be called out in NOTICE?
> >
> > The approach I hope we can take is to grandfather in harmless existing usage,
> > including an exception for OpenSSL in particular, but explicitly deprecate
> > licenses with advertising clauses to discourage future usage.
> >
> > Marvin Humphrey
> >
> >
> 
> 
> 
> 
> 
> 
> 
> -- 
> Todd Lipcon
> Software Engineer, Cloudera




Re: Dependency on OpenSSL

Posted by Todd Lipcon <to...@cloudera.com>.
Just to revive this thread from a few months ago:

In Apache Kudu we're pulling in a little bit of code from OpenSSL (x509
certificate hostname validation) into our source repository. In general we
prefer to just link against the system's OpenSSL, but this particular code
is new and not available in most commonly deployed versions, so we're
copy-paste importing it.

Based on reading of this thread, we need to put the following in NOTICE.txt:

<begin>
This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit. (http://www.openssl.org/)

This product includes cryptographic software written by Eric Young
(eay@cryptsoft.com).  This product includes software written by Tim
Hudson (tjh@cryptsoft.com).
<end>

Is my understanding of the resolution here correct? Would be great to have
this listed on the legal "resolved" page.

-Todd

On Fri, Jun 17, 2016 at 10:29 PM, Henri Yandell <ba...@apache.org> wrote:

> So I can update resolved.html; is there a link to where OpenSSL agreed
> that NOTICE was sufficient in the archives (or their archives)?
>
> On Mon, Jun 6, 2016 at 4:47 AM, Jim Jagielski <ji...@jagunet.com> wrote:
>
>> BSD-4 should be Cat-X *except* for those projects, such as OpenSSL, etc
>> that have agreed that NOTICE is sufficient.
>>
>> > On Jun 6, 2016, at 1:23 AM, Marvin Humphrey <ma...@rectangular.com>
>> wrote:
>> >
>> > Roy, then Justin:
>> >
>> >>> I did not mean OpenSSL, specifically. I meant the things we have
>> included
>> >>> in our own packages that used to be under original BSD or AL 1.0.
>> >>
>> >> So how do you recommend we change the current legal resolved questions
>> to
>> >> make this clear how to handle these licenses? Add them to category A
>> but add
>> >> that they need to be called out in NOTICE?
>> >
>> > The approach I hope we can take is to grandfather in harmless existing
>> usage,
>> > including an exception for OpenSSL in particular, but explicitly
>> deprecate
>> > licenses with advertising clauses to discourage future usage.
>> >
>> > Marvin Humphrey
>> >
>> >
>>
>>
>>
>>
>


-- 
Todd Lipcon
Software Engineer, Cloudera

Re: Dependency on OpenSSL

Posted by Henri Yandell <ba...@apache.org>.
So I can update resolved.html; is there a link to where OpenSSL agreed that
NOTICE was sufficient in the archives (or their archives)?

On Mon, Jun 6, 2016 at 4:47 AM, Jim Jagielski <ji...@jagunet.com> wrote:

> BSD-4 should be Cat-X *except* for those projects, such as OpenSSL, etc
> that have agreed that NOTICE is sufficient.
>
> > On Jun 6, 2016, at 1:23 AM, Marvin Humphrey <ma...@rectangular.com>
> wrote:
> >
> > Roy, then Justin:
> >
> >>> I did not mean OpenSSL, specifically. I meant the things we have
> included
> >>> in our own packages that used to be under original BSD or AL 1.0.
> >>
> >> So how do you recommend we change the current legal resolved questions
> to
> >> make this clear how to handle these licenses? Add them to category A but
> add
> >> that they need to be called out in NOTICE?
> >
> > The approach I hope we can take is to grandfather in harmless existing
> usage,
> > including an exception for OpenSSL in particular, but explicitly
> deprecate
> > licenses with advertising clauses to discourage future usage.
> >
> > Marvin Humphrey
> >
> >
>
>
>
>

Re: Dependency on OpenSSL

Posted by Craig Russell <cr...@oracle.com>.
> On Jun 7, 2016, at 1:34 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> 
> On Mon, Jun 6, 2016 at 6:11 PM, Craig Russell <craig.russell@oracle.com> wrote:
> Hi Bill,
> 
>> On Jun 6, 2016, at 9:37 AM, William A Rowe Jr <wrowe@rowe-clan.net> wrote:
>> 
>> On Mon, Jun 6, 2016 at 6:47 AM, Jim Jagielski <jim@jagunet.com> wrote:
>> BSD-4 should be Cat-X *except* for those projects, such as OpenSSL, etc
>> that have agreed that NOTICE is sufficient.
>> 
>> So look back to CC-BY Attribution 3.0 license…
> 
> clr: I assume you mean CC-SA here
> 
> Correct, thanks. 
>  
>> http://www.apache.org/legal/resolved.html#cc-sa
>> If You Distribute, or Publicly Perform the Work or any Adaptations or Collections, You must, unless a request has been made pursuant to Section 4(a), keep intact all copyright notices for the Work and provide, reasonable to the medium or means You are utilizing: (i) the name of the Original Author (or pseudonym, if applicable) if supplied, and/or if the Original Author and/or Licensor designate another party or parties (e.g., a sponsor institute, publishing entity, journal) for attribution ("Attribution Parties") in Licensor's copyright notice, terms of service or by other reasonable means, the name of such party or parties; (ii) the title of the Work if supplied; (iii) to the extent reasonably practicable, the URI, if any, that Licensor specifies to be associated with the Work, unless such URI does not refer to the copyright notice or licensing information for the Work; and (iv) , consistent with Ssection 3(b), in the case of an Adaptation, a credit identifying the use of the Work in the Adaptation (e.g., "French translation of the Work by Original Author," or "Screenplay based on original Work by Original Author"). The credit required by this Section 4(c) may be implemented in any reasonable manner; provided, however, that in the case of a Adaptation or Collection, at a minimum such credit will appear, if a credit for all contributing authors of the Adaptation or Collection appears, then as part of these credits and in a manner at least as prominent as the credits for the other contributing authors. 
>> For the avoidance of doubt, You may only use the credit required by this Section for the purpose of attribution in the manner set out above and, by exercising Your rights under this License, You may not implicitly or explicitly assert or imply any connection with, sponsorship or endorsement by the Original Author, Licensor and/or Attribution Parties, as appropriate, of You or Your use of the Work, without the separate, express prior written permission of the Original Author, Licensor and/or Attribution Parties.
>> I don't read that NOTICE alone can satisfy this requirement,
> 
> clr: I do read it that having an Apache NOTICE satisfies the requirement (assuming that the copyright notices are also available)
> 
> I take issue with "Screenplay based on original Work by Original Author"... which
> is very similar to how many Vendors *choose* (are not required) to brand their
> ASF-derived software as "Foo Thing, based on Apache Bar”.

We are talking about an unmodified work which does not fall into the category of an Adaptation which is the subject of the “Screenplay based on…” reference.

> This would seem
> to require such an attribution, not only in advertising copy, but in the actual name
> of a forked work or description of the combined work.
> 
> I do note that we don't actually permit *forks* of CC-SA Attribution works, only 
> to bundle or depend upon them.

And that is why Adaptation doesn’t fit.

Craig

>> it is yet another
>> Advertising clause by another name.  E.g. if a project ships "Ray's Magnificent
>> Random Number Generator" (RMRNG), and it was licensed as CREATIVE 
>> COMMONS ATTRIBUTION-SHARE ALIKE WORKS- then it isn't enough to
> 
>> simply credit the author, but that the name of the original work and attribution
>> of the author must sit alongside other titles and credits, including in some
>> cases, the actual name of the ASF project, right?
> 
> clr: The first line in the NOTICE file is attribution to the Apache project. Subsequent lines in the NOTICE file that reference the CC-BY work are “at least as prominent”. 
> 
> That applies to a source tarball, what about the other materials (e.g. download 
> link on the downloads page of said combined binary, or project descriptive text?)

Craig L Russell
Secretary, Apache Software Foundation
clr@apache.org http://db.apache.org/jdo

Re: Dependency on OpenSSL

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Mon, Jun 6, 2016 at 6:11 PM, Craig Russell <cr...@oracle.com>
wrote:

> Hi Bill,
>
> On Jun 6, 2016, at 9:37 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>
> On Mon, Jun 6, 2016 at 6:47 AM, Jim Jagielski <ji...@jagunet.com> wrote:
>
>> BSD-4 should be Cat-X *except* for those projects, such as OpenSSL, etc
>> that have agreed that NOTICE is sufficient.
>>
>
> So look back to CC-BY Attribution 3.0 license…
>
>
> clr: I assume you mean CC-SA here
>

Correct, thanks.


> http://www.apache.org/legal/resolved.html#cc-sa
>
>    1. If You Distribute, or Publicly Perform the Work or any Adaptations
>    or Collections, You must, unless a request has been made pursuant to
>    Section 4(a), keep intact all copyright notices for the Work and provide,
>    reasonable to the medium or means You are utilizing: (i) the name of the
>    Original Author (or pseudonym, if applicable) if supplied, and/or if the
>    Original Author and/or Licensor designate another party or parties (e.g., a
>    sponsor institute, publishing entity, journal) for attribution
>    ("Attribution Parties") in Licensor's copyright notice, terms of service or
>    by other reasonable means, the name of such party or parties; (ii) the
>    title of the Work if supplied; (iii) to the extent reasonably practicable,
>    the URI, if any, that Licensor specifies to be associated with the Work,
>    unless such URI does not refer to the copyright notice or licensing
>    information for the Work; and (iv) , consistent with Ssection 3(b), in the
>    case of an Adaptation, a credit identifying the use of the Work in the
>    Adaptation (e.g., "French translation of the Work by Original Author," or
>    "Screenplay based on original Work by Original Author"). The credit
>    required by this Section 4(c) may be implemented in any reasonable manner;
>    provided, however, that in the case of a Adaptation or Collection, at a
>    minimum such credit will appear, if a credit for all contributing authors
>    of the Adaptation or Collection appears, then as part of these credits and
>    in a manner at least as prominent as the credits for the other contributing
>    authors. For the avoidance of doubt, You may only use the credit required
>    by this Section for the purpose of attribution in the manner set out above
>    and, by exercising Your rights under this License, You may not implicitly
>    or explicitly assert or imply any connection with, sponsorship or
>    endorsement by the Original Author, Licensor and/or Attribution Parties, as
>    appropriate, of You or Your use of the Work, without the separate, express
>    prior written permission of the Original Author, Licensor and/or
>    Attribution Parties.
>
> I don't read that NOTICE alone can satisfy this requirement,
>
>
> clr: I *do* read it that having an Apache NOTICE satisfies the
> requirement (assuming that the copyright notices are also available)
>

I take issue with "Screenplay based on original Work by Original Author"...
which
is very similar to how many Vendors *choose* (are not required) to brand
their
ASF-derived software as "Foo Thing, based on Apache Bar". This would seem
to require such an attribution, not only in advertising copy, but in the
actual name
of a forked work or description of the combined work.

I do note that we don't actually permit *forks* of CC-SA Attribution works,
only
to bundle or depend upon them.

> it is yet another
> Advertising clause by another name.  E.g. if a project ships "Ray's
> Magnificent
> Random Number Generator" (RMRNG), and it was licensed as CREATIVE
> COMMONS ATTRIBUTION-SHARE ALIKE WORKS- then it isn't enough to
>
> simply credit the author, but that the name of the original work and
> attribution
> of the author must sit alongside other titles and credits, including in
> some
> cases, the actual name of the ASF project, right?
>
>
> clr: The first line in the NOTICE file is attribution to the Apache
> project. Subsequent lines in the NOTICE file that reference the CC-BY work
> are “at least as prominent”.
>

That applies to a source tarball, what about the other materials (e.g.
download
link on the downloads page of said combined binary, or project descriptive
text?)

Re: Dependency on OpenSSL

Posted by Craig Russell <cr...@oracle.com>.
Hi Bill,

> On Jun 6, 2016, at 9:37 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> 
> On Mon, Jun 6, 2016 at 6:47 AM, Jim Jagielski <jim@jagunet.com> wrote:
> BSD-4 should be Cat-X *except* for those projects, such as OpenSSL, etc
> that have agreed that NOTICE is sufficient.
> 
> So look back to CC-BY Attribution 3.0 license…

clr: I assume you mean CC-SA here
> 
> http://www.apache.org/legal/resolved.html#cc-sa
> If You Distribute, or Publicly Perform the Work or any Adaptations or Collections, You must, unless a request has been made pursuant to Section 4(a), keep intact all copyright notices for the Work and provide, reasonable to the medium or means You are utilizing: (i) the name of the Original Author (or pseudonym, if applicable) if supplied, and/or if the Original Author and/or Licensor designate another party or parties (e.g., a sponsor institute, publishing entity, journal) for attribution ("Attribution Parties") in Licensor's copyright notice, terms of service or by other reasonable means, the name of such party or parties; (ii) the title of the Work if supplied; (iii) to the extent reasonably practicable, the URI, if any, that Licensor specifies to be associated with the Work, unless such URI does not refer to the copyright notice or licensing information for the Work; and (iv) , consistent with Ssection 3(b), in the case of an Adaptation, a credit identifying the use of the Work in the Adaptation (e.g., "French translation of the Work by Original Author," or "Screenplay based on original Work by Original Author"). The credit required by this Section 4(c) may be implemented in any reasonable manner; provided, however, that in the case of a Adaptation or Collection, at a minimum such credit will appear, if a credit for all contributing authors of the Adaptation or Collection appears, then as part of these credits and in a manner at least as prominent as the credits for the other contributing authors. 
> For the avoidance of doubt, You may only use the credit required by this Section for the purpose of attribution in the manner set out above and, by exercising Your rights under this License, You may not implicitly or explicitly assert or imply any connection with, sponsorship or endorsement by the Original Author, Licensor and/or Attribution Parties, as appropriate, of You or Your use of the Work, without the separate, express prior written permission of the Original Author, Licensor and/or Attribution Parties.
> I don't read that NOTICE alone can satisfy this requirement,

clr: I do read it that having an Apache NOTICE satisfies the requirement (assuming that the copyright notices are also available)

> it is yet another
> Advertising clause by another name.  E.g. if a project ships "Ray's Magnificent
> Random Number Generator" (RMRNG), and it was licensed as CREATIVE
> COMMONS ATTRIBUTION-SHARE ALIKE WORKS - then it isn't enough to
> simply credit the author, but that the name of the original work and attribution
> of the author must sit alongside other titles and credits, including in some
> cases, the actual name of the ASF project, right?

clr: The first line in the NOTICE file is attribution to the Apache project. Subsequent lines in the NOTICE file that reference the CC-BY work are “at least as prominent”. 

clr: There is no "advertising clause" as I understand the phrase is used. NOTICE and Advertising are two separate concepts. 
> 
> If we are going to adopt the policy cited above on all but explicitly exempted 
> BSD-4 dependencies, it would seem this license needs to follow the same 
> policy, for the very same reasons?

Craig

Craig L Russell
Secretary, Apache Software Foundation
clr@apache.org http://db.apache.org/jdo

Re: Dependency on OpenSSL

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Mon, Jun 6, 2016 at 6:47 AM, Jim Jagielski <ji...@jagunet.com> wrote:

> BSD-4 should be Cat-X *except* for those projects, such as OpenSSL, etc
> that have agreed that NOTICE is sufficient.
>

So look back to CC-BY Attribution 3.0 license...

http://www.apache.org/legal/resolved.html#cc-sa

   1. If You Distribute, or Publicly Perform the Work or any Adaptations or
   Collections, You must, unless a request has been made pursuant to Section
   4(a), keep intact all copyright notices for the Work and provide,
   reasonable to the medium or means You are utilizing: (i) the name of the
   Original Author (or pseudonym, if applicable) if supplied, and/or if the
   Original Author and/or Licensor designate another party or parties (e.g., a
   sponsor institute, publishing entity, journal) for attribution
   ("Attribution Parties") in Licensor's copyright notice, terms of service or
   by other reasonable means, the name of such party or parties; (ii) the
   title of the Work if supplied; (iii) to the extent reasonably practicable,
   the URI, if any, that Licensor specifies to be associated with the Work,
   unless such URI does not refer to the copyright notice or licensing
   information for the Work; and (iv) , consistent with Ssection 3(b), in the
   case of an Adaptation, a credit identifying the use of the Work in the
   Adaptation (e.g., "French translation of the Work by Original Author," or
   "Screenplay based on original Work by Original Author"). The credit
   required by this Section 4(c) may be implemented in any reasonable manner;
   provided, however, that in the case of a Adaptation or Collection, at a
   minimum such credit will appear, if a credit for all contributing authors
   of the Adaptation or Collection appears, then as part of these credits and
   in a manner at least as prominent as the credits for the other contributing
   authors. For the avoidance of doubt, You may only use the credit required
   by this Section for the purpose of attribution in the manner set out above
   and, by exercising Your rights under this License, You may not implicitly
   or explicitly assert or imply any connection with, sponsorship or
   endorsement by the Original Author, Licensor and/or Attribution Parties, as
   appropriate, of You or Your use of the Work, without the separate, express
   prior written permission of the Original Author, Licensor and/or
   Attribution Parties.

I don't read that NOTICE alone can satisfy this requirement, it is yet
another Advertising clause by another name.  E.g. if a project ships "Ray's
Magnificent Random Number Generator" (RMRNG), and it was licensed as CREATIVE
COMMONS ATTRIBUTION-SHARE ALIKE WORKS - then it isn't enough to
simply credit the author, but that the name of the original work and
attribution of the author must sit alongside other titles and credits,
including in some cases, the actual name of the ASF project, right?

If we are going to adopt the policy cited above on all but explicitly
exempted BSD-4 dependencies, it would seem this license needs to follow the
same policy, for the very same reasons?

Re: Dependency on OpenSSL

Posted by Jim Jagielski <ji...@jaguNET.com>.
BSD-4 should be Cat-X *except* for those projects, such as OpenSSL, etc
that have agreed that NOTICE is sufficient.

> On Jun 6, 2016, at 1:23 AM, Marvin Humphrey <ma...@rectangular.com> wrote:
> 
> Roy, then Justin:
> 
>>> I did not mean OpenSSL, specifically. I meant the things we have included
>>> in our own packages that used to be under original BSD or AL 1.0.
>> 
>> So how do you recommend we change the current legal resolved questions to
>> make this clear how to handle these licenses? Add them to category A but add
>> that they need to be called out in NOTICE?
> 
> The approach I hope we can take is to grandfather in harmless existing usage,
> including an exception for OpenSSL in particular, but explicitly deprecate
> licenses with advertising clauses to discourage future usage.
> 
> Marvin Humphrey
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> For additional commands, e-mail: legal-discuss-help@apache.org
> 




Re: Dependency on OpenSSL

Posted by Marvin Humphrey <ma...@rectangular.com>.
Roy, then Justin:

>> I did not mean OpenSSL, specifically. I meant the things we have included
>> in our own packages that used to be under original BSD or AL 1.0.
>
> So how do you recommend we change the current legal resolved questions to
> make this clear how to handle these licenses? Add them to category A but add
> that they need to be called out in NOTICE?

The approach I hope we can take is to grandfather in harmless existing usage,
including an exception for OpenSSL in particular, but explicitly deprecate
licenses with advertising clauses to discourage future usage.

Marvin Humphrey



Re: Dependency on OpenSSL

Posted by Justin Mclean <ju...@classsoftware.com>.
Hi,

> I did not mean OpenSSL, specifically. I meant the things we have included in our own packages that used to be under original BSD or AL 1.0.

So how do you recommend we change the current legal resolved questions to make this clear how to handle these licenses? Add them to category A but add that they need to be called out in NOTICE?

Thanks,
Justin


Re: Dependency on OpenSSL

Posted by "Roy T. Fielding" <fi...@gbiv.com>.
I did not mean OpenSSL, specifically. I meant the things we have included in our own packages that used to be under original BSD or AL 1.0.

....Roy


> On Jun 4, 2016, at 2:08 PM, Henri Yandell <ba...@apache.org> wrote:
> 
> Everyone meaning RSA + all the OpenSSL committers (up to the point when we stopped asking)?
> 
>> On Sat, Jun 4, 2016 at 1:50 PM, Roy T. Fielding <fi...@gbiv.com> wrote:
>> The advertising clause is subsumed by the AL2 NOTICE file when the copyright
>> owners are asked if the NOTICE file is sufficient advertising and they agree.
>> So far, everyone agreed, so we stopped asking a long time ago.
>> 
>> We don't distribute under the advertising clause. We distribute under AL2.
>> 
>> ....Roy
>> 
>> > On Jun 4, 2016, at 12:05 PM, Marvin Humphrey <ma...@rectangular.com> wrote:
>> >
>> > On Fri, Jun 3, 2016 at 3:14 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>> >> All Advertising clauses are odious... that's why the OSS development world
>> >> went from copying them word for word to building new licenses that forgo
>> >> such a stupid requirement.
>> >>
>> >> Unlike copyleft, for example, the combined work is still able to be applied
>> >> in any scenario the developer wishes, which is the ASF's definition of
>> >> freedom. We never suggested the user has the freedom from observing all
>> >> applicable license terms, our own included. So this is obviously (to most of
>> >> us here) not category X.
>> >
>> > The license categories are mainly about license subsumption[1].
>> >
>> > *   Category A licenses are those which may be subsumed by the Apache
>> >    License 2.0.
>> > *   In principle, Category B licenses are those which may be subsumed by the
>> >    Apache License 2.0 when only the object form is consumed.
>> >
>> > "Subsumed" here means:
>> >
>> > *   Anyone who complies with all requirements of the ALv2 also complies with
>> >    the requirements of license L.
>> > *   Everything permitted by the ALv2 is also permitted by license L.
>> >
>> > (For more on combining licenses see Luis Villa's 2011 article[2].)
>> >
>> > Restricting the licenses of dependencies to those which may be subsumed by the
>> > ALv2 allows the licensing of source releases and convenience binaries to be
>> > summarized as "Apache 2.0" -- even if the licensing is actually polyglot.
>> >
>> > Some of the licenses in "category B", e.g. Mozilla 2.0, have notification
>> > requirements such as pointing to source code.  These requirements are not in
>> > the ALv2, but if a pointer to source code is included in NOTICE, then
>> > satisfying the ALv2 by republishing NOTICE is enough to satisfy the
>> > category B license's notification requirements.
>> >
>> > But that is not true for the advertising clauses of BSD-4-clause or
>> > Apache 1.0.  And I am not the first person to raise this objection[3][4][5].
>> >
>> > BSD-4-clause is not in category A nor is it in category B, and it should not
>> > be added to either category A or category B.
>> >
>> > Marvin Humphrey
>> >
>> > [1] https://s.apache.org/rguQ
>> > [2] https://opensource.com/law/11/9/mpl-20-copyleft-and-license-compatibility
>> > [3] Sam Ruby: https://s.apache.org/H0vL
>> > [4] Henri Yandell: https://s.apache.org/ysGm
>> > [5] Richard Fontana:  https://s.apache.org/pYKO
>> >

Re: Dependency on OpenSSL

Posted by Henri Yandell <ba...@apache.org>.
Everyone meaning RSA + all the OpenSSL committers (up to the point when we
stopped asking)?

On Sat, Jun 4, 2016 at 1:50 PM, Roy T. Fielding <fi...@gbiv.com> wrote:

> The advertising clause is subsumed by the AL2 NOTICE file when the copyright
> owners are asked if the NOTICE file is sufficient advertising and they agree.
> So far, everyone agreed, so we stopped asking a long time ago.
>
> We don't distribute under the advertising clause. We distribute under AL2.
>
> ....Roy
>
> > On Jun 4, 2016, at 12:05 PM, Marvin Humphrey <ma...@rectangular.com> wrote:
> >
> > On Fri, Jun 3, 2016 at 3:14 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> >> All Advertising clauses are odious... that's why the OSS development world
> >> went from copying them word for word to building new licenses that forgo
> >> such a stupid requirement.
> >>
> >> Unlike copyleft, for example, the combined work is still able to be applied
> >> in any scenario the developer wishes, which is the ASF's definition of
> >> freedom. We never suggested the user has the freedom from observing all
> >> applicable license terms, our own included. So this is obviously (to most of
> >> us here) not category X.
> >
> > The license categories are mainly about license subsumption[1].
> >
> > *   Category A licenses are those which may be subsumed by the Apache
> >    License 2.0.
> > *   In principle, Category B licenses are those which may be subsumed by the
> >    Apache License 2.0 when only the object form is consumed.
> >
> > "Subsumed" here means:
> >
> > *   Anyone who complies with all requirements of the ALv2 also complies with
> >    the requirements of license L.
> > *   Everything permitted by the ALv2 is also permitted by license L.
> >
> > (For more on combining licenses see Luis Villa's 2011 article[2].)
> >
> > Restricting the licenses of dependencies to those which may be subsumed by the
> > ALv2 allows the licensing of source releases and convenience binaries to be
> > summarized as "Apache 2.0" -- even if the licensing is actually polyglot.
> >
> > Some of the licenses in "category B", e.g. Mozilla 2.0, have notification
> > requirements such as pointing to source code.  These requirements are not in
> > the ALv2, but if a pointer to source code is included in NOTICE, then
> > satisfying the ALv2 by republishing NOTICE is enough to satisfy the
> > category B license's notification requirements.
> >
> > But that is not true for the advertising clauses of BSD-4-clause or
> > Apache 1.0.  And I am not the first person to raise this objection[3][4][5].
> >
> > BSD-4-clause is not in category A nor is it in category B, and it should not
> > be added to either category A or category B.
> >
> > Marvin Humphrey
> >
> > [1] https://s.apache.org/rguQ
> > [2] https://opensource.com/law/11/9/mpl-20-copyleft-and-license-compatibility
> > [3] Sam Ruby: https://s.apache.org/H0vL
> > [4] Henri Yandell: https://s.apache.org/ysGm
> > [5] Richard Fontana:  https://s.apache.org/pYKO

Re: Dependency on OpenSSL

Posted by "Roy T. Fielding" <fi...@gbiv.com>.
The advertising clause is subsumed by the AL2 NOTICE file when the copyright
owners are asked if the NOTICE file is sufficient advertising and they agree.
So far, everyone agreed, so we stopped asking a long time ago.

We don't distribute under the advertising clause. We distribute under AL2.

....Roy

> On Jun 4, 2016, at 12:05 PM, Marvin Humphrey <ma...@rectangular.com> wrote:
> 
> On Fri, Jun 3, 2016 at 3:14 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>> All Advertising clauses are odious... that's why the OSS development world
>> went from copying them word for word to building new licenses that forgo
>> such a stupid requirement.
>> 
>> Unlike copyleft, for example, the combined work is still able to be applied
>> in any scenario the developer wishes, which is the ASF's definition of
>> freedom. We never suggested the user has the freedom from observing all
>> applicable license terms, our own included. So this is obviously (to most of
>> us here) not category X.
> 
> The license categories are mainly about license subsumption[1].
> 
> *   Category A licenses are those which may be subsumed by the Apache
>    License 2.0.
> *   In principle, Category B licenses are those which may be subsumed by the
>    Apache License 2.0 when only the object form is consumed.
> 
> "Subsumed" here means:
> 
> *   Anyone who complies with all requirements of the ALv2 also complies with
>    the requirements of license L.
> *   Everything permitted by the ALv2 is also permitted by license L.
> 
> (For more on combining licenses see Luis Villa's 2011 article[2].)
> 
> Restricting the licenses of dependencies to those which may be subsumed by the
> ALv2 allows the licensing of source releases and convenience binaries to be
> summarized as "Apache 2.0" -- even if the licensing is actually polyglot.
> 
> Some of the licenses in "category B", e.g. Mozilla 2.0, have notification
> requirements such as pointing to source code.  These requirements are not in
> the ALv2, but if a pointer to source code is included in NOTICE, then
> satisfying the ALv2 by republishing NOTICE is enough to satisfy the
> category B license's notification requirements.
> 
> But that is not true for the advertising clauses of BSD-4-clause or
> Apache 1.0.  And I am not the first person to raise this objection[3][4][5].
> 
> BSD-4-clause is not in category A nor is it in category B, and it should not
> be added to either category A or category B.
> 
> Marvin Humphrey
> 
> [1] https://s.apache.org/rguQ
> [2] https://opensource.com/law/11/9/mpl-20-copyleft-and-license-compatibility
> [3] Sam Ruby: https://s.apache.org/H0vL
> [4] Henri Yandell: https://s.apache.org/ysGm
> [5] Richard Fontana:  https://s.apache.org/pYKO
> 


Re: Dependency on OpenSSL

Posted by Marvin Humphrey <ma...@rectangular.com>.
On Fri, Jun 3, 2016 at 3:14 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> All Advertising clauses are odious... that's why the OSS development world
> went from copying them word for word to building new licenses that forgo
> such a stupid requirement.
>
> Unlike copyleft, for example, the combined work is still able to be applied
> in any scenario the developer wishes, which is the ASF's definition of
> freedom. We never suggested the user has the freedom from observing all
> applicable license terms, our own included. So this is obviously (to most of
> us here) not category X.

The license categories are mainly about license subsumption[1].

*   Category A licenses are those which may be subsumed by the Apache
    License 2.0.
*   In principle, Category B licenses are those which may be subsumed by the
    Apache License 2.0 when only the object form is consumed.

"Subsumed" here means:

*   Anyone who complies with all requirements of the ALv2 also complies with
    the requirements of license L.
*   Everything permitted by the ALv2 is also permitted by license L.

(For more on combining licenses see Luis Villa's 2011 article[2].)

Restricting the licenses of dependencies to those which may be subsumed by the
ALv2 allows the licensing of source releases and convenience binaries to be
summarized as "Apache 2.0" -- even if the licensing is actually polyglot.

Some of the licenses in "category B", e.g. Mozilla 2.0, have notification
requirements such as pointing to source code.  These requirements are not in
the ALv2, but if a pointer to source code is included in NOTICE, then
satisfying the ALv2 by republishing NOTICE is enough to satisfy the
category B license's notification requirements.

But that is not true for the advertising clauses of BSD-4-clause or
Apache 1.0.  And I am not the first person to raise this objection[3][4][5].

BSD-4-clause is not in category A nor is it in category B, and it should not
be added to either category A or category B.

Marvin Humphrey

[1] https://s.apache.org/rguQ
[2] https://opensource.com/law/11/9/mpl-20-copyleft-and-license-compatibility
[3] Sam Ruby: https://s.apache.org/H0vL
[4] Henri Yandell: https://s.apache.org/ysGm
[5] Richard Fontana:  https://s.apache.org/pYKO



Re: Dependency on OpenSSL

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
All Advertising clauses are odious... that's why the OSS development world
went from copying them word for word to building new licenses that forgo
such a stupid requirement.

Unlike copyleft, for example, the combined work is still able to be
applied in any scenario the developer wishes, which is the ASF's definition
of freedom. We never suggested the user has the freedom from observing all
applicable license terms, our own included. So this is obviously (to most
of us here) not category X.

You raise good questions but I hope you know the answer to 1) below, if
you've survived this long at this forum.

Question 3) is legitimate (there is no AL 1, but there are AL 1.0 and 1.1
which should both be clarified.)

Question 2) is more complex and well worth raising.  Where the ASF does not
ship a binary of OpenSSL, e.g. SVN project or APR project, it doesn't fall
on us to observe the license terms of something we don't distribute.

Where projects do choose to ship the binaries from ASF projects with
OpenSSL, it is clearly a more complex issue and guidance from ASF Legal
would certainly be appropriate.

On Jun 3, 2016 9:52 AM, "Alex Harui" <ah...@adobe.com> wrote:
>
>
>
> On 6/3/16, 7:08 AM, "Justin Mclean" <ju...@classsoftware.com> wrote:
>
> >Hi,
> >
> >>> FWIW, OpenSSL is a dependency of a number of Apache projects and
> >>> has long been vetted as acceptable by the board, and all of the Legal
> >>>VP's
> >>> throughout our evolution.
> >> Including today’s
> >
> >The point being missed I think is if it is bundled or not. Are we making an
> >exception for OpenSSL or for all Apache 1.0/BSD 4 clause licenses?
>
> Apologies if this makes Greg's head explode again, but also:
>
> 1) What are the License and Notice requirements for this exception?
> 2) Does the advertising clause apply to the project web pages and its
> consumers?
> 3) Can treatment of Apache 1.0 go in the FAQ at
> http://www.apache.org/legal/resolved.html?
>
> I imagine to the folks who have been around a long time that concerns over
> AL1.0 seem unnecessary, but all the newer folks have to go on is what we
> can find on the various web pages.
>
> Thanks,
> -Alex
>

Re: Dependency on OpenSSL

Posted by Alex Harui <ah...@adobe.com>.

On 6/3/16, 7:08 AM, "Justin Mclean" <ju...@classsoftware.com> wrote:

>Hi,
>
>>> FWIW, OpenSSL is a dependency of a number of Apache projects and
>>> has long been vetted as acceptable by the board, and all of the Legal
>>>VP's 
>>> throughout our evolution.
>> Including today’s
>
>The point being missed I think is if it is bundled or not. Are we making an
>exception for OpenSSL or for all Apache 1.0/BSD 4 clause licenses?

Apologies if this makes Greg's head explode again, but also:

1) What are the License and Notice requirements for this exception?
2) Does the advertising clause apply to the project web pages and its
consumers?
3) Can treatment of Apache 1.0 go in the FAQ at
http://www.apache.org/legal/resolved.html?

I imagine to the folks who have been around a long time that concerns over
AL1.0 seem unnecessary, but all the newer folks have to go on is what we
can find on the various web pages.

Thanks,
-Alex


Re: Dependency on OpenSSL

Posted by Justin Mclean <ju...@classsoftware.com>.
Hi,

>> FWIW, OpenSSL is a dependency of a number of Apache projects and 
>> has long been vetted as acceptable by the board, and all of the Legal VP's 
>> throughout our evolution.
> Including today’s

The point being missed I think is if it is bundled or not. Are we making an exception for OpenSSL or for all Apache 1.0/BSD 4 clause licenses?

Thanks,
Justin


Re: Dependency on OpenSSL

Posted by Jim Jagielski <ji...@jaguNET.com>.
> On Jun 2, 2016, at 6:59 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> 
> 
> FWIW, OpenSSL is a dependency of a number of Apache projects and 
> has long been vetted as acceptable by the board, and all of the Legal VP's 
> throughout our evolution.
> 

Including today's




Re: Dependency on OpenSSL

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Thu, Jun 2, 2016 at 4:38 PM, Marvin Humphrey <ma...@rectangular.com>
wrote:

> On Thu, Jun 2, 2016 at 1:01 PM, William A Rowe Jr <wr...@rowe-clan.net>
> wrote:
> > On Thu, Jun 2, 2016 at 1:13 PM, Steve Varnau <st...@esgyn.com>
> wrote:
> >>
> >> Hello,
> >>
> >> Per Justin's suggestion (below) I wanted to ask whether it is okay for
> >> our project to have a dependency on OpenSSL.
> >> OpenSSL is working on changing licensing[1], but it currently seems to be
> >> Category X.
> >
> > Welcome news, and there is lots of code to yet refactor to eliminate all
> > of the originally licensed code.  But as to Category "X", how do you come
> > to this conclusion?
> >
> > It is a BSD+Advertising Clause derivative license, which we've always
> > understood as permissible as a dependency... but with an important
> > caveat in the FAQ...
> >
> > "Please also ensure to comply with any attribution/notice requirements in
> > the specific license in question."
> >
> > BSD with no Advertising clause is Category "A", but the presence
> > of the clause triggers our Category "B" case.
>
> As far as I can tell, the 4-clause BSD license is not listed under any
> "category" -- it's not in "A", "B", or "X", it is simply not covered by
> <http://www.apache.org/legal/resolved>.
>
> Upon closer review, I lean towards adding it to "category X".  The advertising
> clause is uniquely onerous.
>
>     3. All advertising materials mentioning features or use of this software
>        must display the following acknowledgement:
>        This product includes software developed by the <organization>.
>
> Compare that against the third clause of Apache 1.1, which is quite
> flexible about where acknowledgments must appear, as opposed to the "All
> advertising materials" requirement in 4-clause BSD...
>
>     3. The end-user documentation included with the redistribution,
>        if any, must include the following acknowledgment:
>           "This product includes software developed by the
>            Apache Software Foundation (http://www.apache.org/)."
>        Alternately, this acknowledgment may appear in the software itself,
>        if and wherever such third-party acknowledgments normally appear.
>
> ... or against the notification requirements from section 3 of the Mozilla
> Public License 2.0, which are also flexible:
>
>     https://www.mozilla.org/en-US/MPL/2.0/
>
>     [...] You must inform recipients that the Source Code Form of the Covered
>     Software is governed by the terms of this License, and how they can obtain
>     a copy of this License. [...]
>
>     If You distribute Covered Software in Executable Form then:
>
>     a.  such Covered Software must also be made available in Source Code Form,
>         as described in Section 3.1, and You must inform recipients of the
>         Executable Form how they can obtain a copy of such Source Code Form by
>         reasonable means in a timely manner [...]
>
> Both Apache 1.1 and Mozilla 2.0 can be satisfied for binary distributions by
> the propagation of the contents of NOTICE to
> META-INF/"About"-box/end-user-documentation/etc. -- but that's *not* true for
> 4-clause BSD, which insists on propagation to advertising materials.
>

FWIW, OpenSSL is a dependency of a number of Apache projects and
has long been vetted as acceptable by the board, and all of the Legal VP's
throughout our evolution.

You can suddenly decide to reclassify the scope of advertising clauses,
but we will be disabling major components of the Apache httpd, Tomcat,
and a number of other very visible projects in reaction to such a decision.
Somehow, both our organization and our many consumers have found their
way through this minefield up to this point, 15 years later.

Cheers,

Bill

Re: Dependency on OpenSSL

Posted by Marvin Humphrey <ma...@rectangular.com>.
On Thu, Jun 2, 2016 at 1:01 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> On Thu, Jun 2, 2016 at 1:13 PM, Steve Varnau <st...@esgyn.com> wrote:
>>
>> Hello,
>>
>> Per Justin's suggestion (below) I wanted to ask whether it is okay for our
>> project to have a dependency on OpenSSL.
>> OpenSSL is working on changing licensing[1], but it currently seems to be
>> Category X.
>
> Welcome news, and there is lots of code to yet refactor to eliminate all
> of the originally licensed code.  But as to Category "X", how do you come
> to this conclusion?
>
> It is a BSD+Advertising Clause derivative license, which we've always
> understood as permissible as a dependency... but with an important
> caveat in the FAQ...
>
> "Please also ensure to comply with any attribution/notice requirements in
> the specific license in question."
>
> BSD with no Advertising clause is Category "A", but the presence
> of the clause triggers our Category "B" case.

As far as I can tell, the 4-clause BSD license is not listed under any
"category" -- it's not in "A", "B", or "X", it is simply not covered by
<http://www.apache.org/legal/resolved>.

Upon closer review, I lean towards adding it to "category X".  The advertising
clause is uniquely onerous.

    3. All advertising materials mentioning features or use of this software
       must display the following acknowledgement:
       This product includes software developed by the <organization>.

Compare that against the third clause of Apache 1.1, which is quite
flexible about where acknowledgments must appear, as opposed to the "All
advertising materials" requirement in 4-clause BSD...

    3. The end-user documentation included with the redistribution,
       if any, must include the following acknowledgment:
          "This product includes software developed by the
           Apache Software Foundation (http://www.apache.org/)."
       Alternately, this acknowledgment may appear in the software itself,
       if and wherever such third-party acknowledgments normally appear.

... or against the notification requirements from section 3 of the Mozilla
Public License 2.0, which are also flexible:

    https://www.mozilla.org/en-US/MPL/2.0/

    [...] You must inform recipients that the Source Code Form of the Covered
    Software is governed by the terms of this License, and how they can obtain
    a copy of this License. [...]

    If You distribute Covered Software in Executable Form then:

    a.  such Covered Software must also be made available in Source Code Form,
        as described in Section 3.1, and You must inform recipients of the
        Executable Form how they can obtain a copy of such Source Code Form by
        reasonable means in a timely manner [...]

Both Apache 1.1 and Mozilla 2.0 can be satisfied for binary distributions by
the propagation of the contents of NOTICE to
META-INF/"About"-box/end-user-documentation/etc. -- but that's *not* true for
4-clause BSD, which insists on propagation to advertising materials.

Marvin Humphrey



RE: Dependency on OpenSSL

Posted by Steve Varnau <st...@esgyn.com>.
Oh!  A reviewer in Incubator PMC suggested it was probably category X, and
I did not double check it.  My fault.



The current license is: https://www.openssl.org/source/license.html

It has a few more clauses, but it seems they all boil down to advertising
and redistribution. So category B seems right to me, as you suggest.



Thanks!



--Steve



*From:* William A Rowe Jr [mailto:wrowe@rowe-clan.net]
*Sent:* Thursday, June 2, 2016 1:01 PM
*To:* legal-discuss@apache.org
*Subject:* Re: Dependency on OpenSSL



On Thu, Jun 2, 2016 at 1:13 PM, Steve Varnau <st...@esgyn.com> wrote:

Hello,

Per Justin's suggestion (below) I wanted to ask whether it is okay for our
project to have a dependency on OpenSSL.
OpenSSL is working on changing licensing[1], but it currently seems to be
Category X.



Welcome news, and there is lots of code to yet refactor to eliminate all
of the originally licensed code.  But as to Category "X", how do you come
to this conclusion?

It is a BSD+Advertising Clause derivative license, which we've always
understood as permissible as a dependency... but with an important
caveat in the FAQ...

"Please also ensure to comply with any attribution/notice requirements in
the specific license in question."

BSD with no Advertising clause is Category "A", but the presence
of the clause triggers our Category "B" case.

By dynamically linking with OpenSSL libraries, we will not bundle it with
our convenience binaries.
I see from the export page[2] that several other projects also use
OpenSSL, but some of those usages seem to be optional.
Can we dynamically link to and thereby depend on OpenSSL, or do we need to
somehow make this optional?

Thanks,
--Steve

[1] https://www.openssl.org/blog/blog/2015/08/01/cla/
[2] http://www.apache.org/licenses/exports/



There is no practical distinction here.

Re: Dependency on OpenSSL

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Thu, Jun 2, 2016 at 1:13 PM, Steve Varnau <st...@esgyn.com> wrote:

> Hello,
>
> Per Justin's suggestion (below) I wanted to ask whether it is okay for our
> project to have a dependency on OpenSSL.
> OpenSSL is working on changing licensing[1], but it currently seems to be
> Category X.
>

Welcome news, and there is lots of code to yet refactor to eliminate all
of the originally licensed code.  But as to Category "X", how do you come
to this conclusion?

It is a BSD+Advertising Clause derivative license, which we've always
understood as permissible as a dependency... but with an important
caveat in the FAQ...

"Please also ensure to comply with any attribution/notice requirements in
the specific license in question."

BSD with no Advertising clause is Category "A", but the presence
of the clause triggers our Category "B" case.

> By dynamically linking with OpenSSL libraries, we will not bundle it with
> our convenience binaries.
> I see from the export page[2] that several other projects also use
> OpenSSL, but some of those usages seem to be optional.
> Can we dynamically link to and thereby depend on OpenSSL, or do we need to
> somehow make this optional?
>
> Thanks,
> --Steve
>
> [1] https://www.openssl.org/blog/blog/2015/08/01/cla/
> [2] http://www.apache.org/licenses/exports/


There is no practical distinction here.