License Agreements and changes are coming

The OpenSSL license is rather unique and idiosyncratic. It reflects views from when its predecessor, SSLeay, started twenty years ago. As a further complication, the original authors were hired by RSA in 1998, and the code forked into two versions: OpenSSL and RSA BSAFE SSL-C. (See Wikipedia for discussion.) I don’t want get into any specific details, and I certainly don’t know them all.

Things have evolved since then, and open source is an important part of the landscape – the Internet could not exist without it. There are good reasons why Microsoft is a founding member of the Core Infrastructure Initiative (CII).

Our plan is to update the license to the Apache License version 2.0. We are in consultation with various corporate partners, the CII, and the legal experts at the Software Freedom Law Center. In other words, we have a great deal of expertise and interest at our fingertips.

But in order to do this, we need to do two things:

  1. Stop making it worse
  2. Clean up the backlog

To stop making it worse, we will soon require almost every contributor to have a signed a Contributor License Agreement (CLA) on file.

A CLA is important to ensure that we have the rights to distribute the code. It is a lightweight agreement, signed by the copyright holder, that grants us the rights to redistribute your contribution as part of OpenSSL. Note that our CLA does not transfer copyright to us, nor does it limit any of your rights.

There will probably be some exceptions, like if your change is a simple or obvious patch. We’re not lawyers, we don’t want to be lawyers, and we don’t want to be in the business of writing legal opinions or counting how many lawyers can dance on the head of a pin. If this kind of thing does interest you, you might find this article from OSS Watch in August 2012 worth reading: [http://oss-watch.ac.uk/resources/cla].

We have two versions of the CLA available: one for individuals and one for corporations. At this point, every member of the OpenSSL dev team has signed the ICLA, and most of our employers have signed the CCLA.

If your employer sponsors work on OpenSSL as part of your job, then it probably makes sense to get the CCLA signed. Both CLA’s are basically the Apache CLA, with just the obvious editorial changes.

You can find the CLA’s here:

If you or your employer has made code contributions to OpenSSL, or you are planning on doing so in the future, please download, sign, scan, and email the CCLA to us. The contact information is on the CLA. If your employer has any experience with open source, the CCLA should be very straightforward. For individuals, stay tuned as we set up a minimal-hassle submission process.

We’re not yet able to announce more details on the license change. There is a lot of grunt work needed to clean up the backlog and untangle all the years of work from the time when nobody paid much attention to this sort of detail. But times are different, we all care, and we’re going to do the right thing. It will just take some time, and we appreciate your patience.