
OpenSSL Relicensing: An Objection

#SoftwareFreedom #Licensing

April 10th, 2017

Version 1.0

© Michael Dexter

Remember to understand the problem before you fix the problem

I admit that free software/open source software licensing, especially non-copyleft licensing, is not a topic that gets many people excited, but the recent announcement by the OpenSSL project in conjunction with the Linux Foundation warrants more open discussion than it has been receiving. In case you missed it, and I can't blame you for it, the OpenSSL project has announced a move to the Apache 2.0 license. For those not familiar with the spectrum of free software licensing, the Apache 2.0 license is broadly considered a "permissive license with a patent clause", which more or less means: "you can do as you please with this software as long as you don't hold the copyright holder liable if it fails to work, and retain the attached copyright notice", plus "you forfeit your rights under the license if you sue the copyright holder over perceived software patent infringement by the software".

I am not a lawyer and I welcome you to explore the exact license terms, guarantees and obligations of the Apache 2.0 license on your own but I do believe I have faithfully communicated the broader community understanding of them.

So why change the OpenSSL license? The current OpenSSL license includes an "advertising clause" similar to the "4-clause" BSD copyright that introduced the concept. By all accounts, such a clause is undesirable to a point that the University of California, Berkeley granted blanket permission for it to be omitted from the "BSD" software they published.

The UC Berkeley precedent may lead you to think, "Problem solved! Let's move on.", and I would agree with you completely. Bug filed, addressed, and marked "resolved".

But this is not what the OpenSSL project is doing. Instead, they have announced their adoption of the Apache 2.0 license which not only marks the introduction of a "patent clause" but arguably a move from copyright law as represented by the BSD copyright to contract law as represented by the Apache 2.0 license.

How is this a problem? First off, I am one of those people who agree that "If You Want to Fix Software Patents, Eliminate Software Patents". Software patents are consistently subject to abuse through trolling and the other Golden Rule: those with the gold make the rules. This is true of many aspects of the legal system, and I can safely say that the legal and free software communities each perform better when kept furthest from one another. The majority of free software licensing issues were resolved long ago, and the complex, fragile, borderline-paradoxical mix of volunteer and commercial motivations in the community rarely benefits from legal "innovations". This context has resulted in rather distinct "camps" of participants, but with those camps has come genuine choice between diverse communities, technologies and licenses. The introduction of a patent clause not only legitimizes software patents for those who object to them, but also promotes a false sense of "unification" between the distinct communities, where choice is being mistaken for disunity.

How false is that sense of unification? The announcement includes the statement, "This re-licensing activity will make OpenSSL ... more convenient to incorporate in the widest possible range of free and open source software." With all due respect, that is untrue. Known flaws aside, the current OpenSSL license is already fundamentally a "permissive" license, which makes it a universal donor in terms of free software licensing obligations just short of public domain status. You are entitled to your opinion on the "best" license model but as a member of the "O" blood type, I know exactly what it means to be a universal donor for the benefit of others and potential detriment to myself. This position on licensing is a very conscious choice for some software developers and you are kindly expected to respect it just as much as you want your choices to be respected.

And speaking of respect... the email message to OpenSSL contributors that accompanied the OpenSSL Licensing Update stated, "If we do not hear from you, we will assume that you have no objection." I am not convinced this is legal, though it has made for some interesting additional relicensing announcements following the same legal logic.

Alternative Strategies? As I stated, if the OpenSSL project and its partners are concerned about a legacy advertising clause in their license, simply remove it as the University of California, Berkeley did and move on. If that does not satisfy your desires, consider:

Either way, these are solved problems and a new licensing strategy is neither needed nor desired to address the issues faced by the OpenSSL license.


Copyright © 2011 – 2017 Michael Dexter unless specified otherwise. Feedback and corrections welcome.

Happy hacking!