OpenSSL change to Apache Licence v2.0 sparks concerns over author rights

News by Rene Millman

Critics upset over lack of consultation over licensing move as the OpenSSL project moves to Apache License v 2.0, a move which may affect hundreds of contributors.

The OpenSSL project, which looks after the popular SSL/TLS and cryptographic toolkit, is to change its license to the Apache License v 2.0 (ASLv2). However some voices in the community have voiced concerns that contributors to the project are being ignored in the move.

As part of efforts to change licence terms, a new website has been launched. According to Mishi Choudhary, legal director of Software Freedom Law Center (SFLC) and counsel to OpenSSL, the relicensing would make OpenSSL “more convenient to incorporate in the widest possible range of free and open source software”.

“OpenSSL's team has carefully prepared for this relicensing, and their process will be an outstanding example of 'how to do it right.' SFLC is pleased to have been able to help the team bring this process to this point, and looks forward to its successful and timely completion,” she said.

The project said that the new website should help in efforts to contact everyone who has contributed to the project so far, which includes nearly 400 individuals with a total of more than 31,000 commits. It added that the current license dates to the 1990s and is more than 20 years old.

OpenSSL said the decision to relicense the code under the widely-used ASLv2 was taken “after careful review”.

Nicko van Someren, chief technology officer at the Linux Foundation, said that using a standard and well-understood licence is a “huge benefit when incorporating a FOSS project into other projects and products”.

“OpenSSL has made huge progress in recent years, in part through support from the Linux Foundation's Core Infrastructure Initiative, and this licence move will further help to ensure it remains one of the most important and relied-upon open source projects in the world,” he added.

The project said that its new website contains a list of every email address mentioned in every single commit, a searchable database of authors, and the ability to send email and approve the licence change. “Because email addresses change, the website will also be updated over time to record email bounces and the names of people the project is still trying to reach,” it added in a statement.

However, Theo De Raadt, founder of OpenBSD and a contributor to OpenSSL, said in a mailing list message that an email sent out by OpenSSL showed that the people in the project “have never asked the community of authors what they want”.

“They want to privately collect sufficient consensus to pass their agenda,” he said.

In an email sent from OpenSSL to contributors, the last sentence of the message said that if OpenSSL does not hear from a contributor, it will be assumed that they have “no objections”.

De Raddt said that this suggested that “they don't care at all about the rights of the authors”.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews