Licensing: AGPL and OpenSSL

[lenerd]

Hi,

this project is licensed under GNU AGPL-3.0 and uses MIRACL (APGL) and OpenSSL (OpenSSL License) as dependencies. However, the OpenSSL License is listed as GPL-incompatible. So this is probably an issue.

(I am no expert regarding software licenses.)

[dd23]

Hi, you are right, this might be an issue. After some very quick research I found this: https://people.gnome.org/~markmc/openssl-and-the-gpl.html But we will look into this in more detail soon.

[dd23]

This should be almost resolved since eeab3577827a6c9588854fff87c5f482ac413b5e, which changed our License to LGPL and replaced MIRACL with Relic.

One question remains: is OpenSSL compatible (enough) with the LGPL, or do we need to add an exemption for that case?

(I am also no expert regarding software licenses.)

[MartKro]

OpenSSL was relicensed under the Apache License 2.0 version some time ago. That license is compatible to be used in (L)GPLv3 projects according to the Apache Software Foundation so this is not an issue if a version is used which used the Apache license and not the old OpenSSL license.

[lenerd]

The relicensing applies to the currently unreleased version 3.0.0 of OpenSSL (OpenSSL Blog).

According to debian-legal:

I believe that there is no license conflict between the LGPL and the OpenSSL license except as regards relicensing LGPL works under the GPL, per paragraph 3 of the LGPL. If you are concerned with allowing people to incorporate your code into GPLed works, you may wish to add an exemption to the license you're using (after first securing permission from any other copyright holders, of course).

So if we want that other people who want to use our code in GPL software together with OpenSSL, we would need that exemption (if I understood that correctly).