OpenSSL re-licensing project

On March 16, 2017, the OpenSSL project announced that it is changing its license to Apache 2.0. The purpose of the re-licensing is to make OpenSSL “more convenient to incorporate in the widest possible range of free and open source software” according to Mishi Choudhary of the Software Freedom Law Center, counsel to OpenSSL. OpenSSL is already the most widely-used FOSS encryption software.

The re-licensing project requires contacting and obtaining the consent of everyone who has contributed to the project, approximately 400 people. This no doubt has been quite a chore. It is not clear what happens if everyone’s consent cannot be obtained. Probably the contributions of any contributors who do not approve or cannot be located would have to be removed from OpenSSL. The OpenSSL project is taking the position that if a contributor who is contacted for approval simply does not respond, the project will assume that the contributor has no objection to the license change. Perhaps this issue could have been addressed in advance with the use of a contributor agreement.

There has been concern that the original OpenSSL license, now more than 20 years old, has some conflicts with the GPL. This is because the original OpenSSL license contains notice requirements that might be deemed to conflict with GPL terms that prohibit license restrictions beyond those that are already contained in the GPL terms themselves. This is significant if an organization incorporates OpenSSL into software it is distributing under the GPL.

Using a standard and well-understood open source license like Apache 2.0 is beneficial when incorporating open source software into other FOSS projects. License compatibility is enhanced. This should be kept in mind when developers are deciding which FOSS license to use. Also, a contributor agreement can be beneficial in the event a license change is deemed necessary.