Paulo Ricardo Paz Vital writes ("OpenSSL license for new packages."):
> I'm intending to package the openssl-ibmca library for s390 arch into
> Debian and I have a question about the license.

Thanks for getting in touch.

> Since this is an engine for OpenSSL, we have chosen the license as
> OpenSSL License, which is based on BSD license.

Is "we" the upstream developers for openssl-ibmca, here?  If so then I have some observations you may find helpful.

Firstly, OpenSSL itself is undergoing a relicensing effort:
  https://www.openssl.org/blog/blog/2017/03/22/license/
If you want to follow OpenSSL, I therefore strongly suggest you adopt Apache 2.0, or at least dual licence with Apache 2.0 as an option.

Secondly, the OpenSSL licence is not generally very well-regarded, for a number of reasons.  I won't go into that here, but the OpenSSL project's decision seems very good to me.

> The point is, two of the OpenSSL License [2] statements say the following:
>
> " * 3. All advertising materials mentioning features or use of this
> *    software must display the following acknowledgment:
> *    "This product includes software developed by the OpenSSL Project
> *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
>
> " * 6. Redistributions of any form whatsoever must retain the following
> *    acknowledgment:
> *    "This product includes software developed by the OpenSSL Project
> *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
>
> I'd like to know if this is an impediment to package and redistribute it
> as a Debian Package.  I checked the openssl package, and the content and
> license is the same.

These statements are, of course, false, at least as far as openssl-ibmca itself is concerned.  It is very bad practice to require licensees to make false statements in copyright notices!  It causes considerable trouble.  In a similar situation involving PHP addons, we (the Debian Project) ended up consulting lawyers to find out whether this was a serious problem.

So please do go back to upstream and see if you can get them to drop this (or follow OpenSSL's lead and use Apache 2.0).

However, in fact our lawyers advised us in the PHP case that there was no significant actual legal risk in us distributing the PHP addons, provided that we made the situation very clear (including to the relevant PHP upstreams).  See
  https://lists.debian.org/debian-legal/2016/02/msg00014.html

I think this advice is probably equally applicable here.  So if openssl-ibmca upstream do not want to change their licence, I think you should do as our lawyers recommended in the PHP case.

Ian.