I'm looking at the package (golang-x-crypto) which has a file containing this header:
// Copyright 2019 The Go Authors. All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file.
// Based on CRYPTOGAMS code with the following comment: // # ==================================================================== // # Written by Andy Polyakov appro@openssl.org for the OpenSSL // # project. The module is, however, dual licensed under OpenSSL and // # CRYPTOGAMS licenses depending on where you obtain it. For further // # details see http://www.openssl.org/~appro/cryptogams/. // # ====================================================================
The top level LICENSE referenced is BSD-3-Clause. The CRYPTOGAMS licenses appear to be a combination of BSD-2-Clause and GPL (no version) which I intepret as GPL-2.0 unless someone knows of a compelling reason for it to be considered GPL-1.0 in this case.
The golang-x-crypto spec license currently declares BSD-3-Clause as its only license. I expect that the rational is that the first paragraph has claimed to re-license the original code it was derived from, so it could be ignored (or maybe it was simply missed during review).
I wouldn't tend to view this as re-licensing though. To me I think that the derivation is keeping the original license (OpenSSL + CRYPTOGAMS) for existing code, and augmenting the work with new code under a compatible license (BSD 3-Clause).
IOW, I'm inclined to think we need to include the origin license too, which I would interpret to be
"( OpenSSL OR BSD-2-Clause OR GPL-2.0 )"
and thus the overall license as
"BSD-3-Clause AND ( OpenSSL OR BSD-2-Clause OR GPL-2.0 )"
Thoughts ?
With regards, Daniel
On Mon, Dec 4, 2023 at 1:00 PM Daniel P. Berrangé berrange@redhat.com wrote:
I'm looking at the package (golang-x-crypto) which has a file containing this header:
// Copyright 2019 The Go Authors. All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file.
// Based on CRYPTOGAMS code with the following comment: // # ==================================================================== // # Written by Andy Polyakov appro@openssl.org for the OpenSSL // # project. The module is, however, dual licensed under OpenSSL and // # CRYPTOGAMS licenses depending on where you obtain it. For further // # details see http://www.openssl.org/~appro/cryptogams/. // # ====================================================================
The top level LICENSE referenced is BSD-3-Clause. The CRYPTOGAMS licenses appear to be a combination of BSD-2-Clause and GPL (no version) which I intepret as GPL-2.0 unless someone knows of a compelling reason for it to be considered GPL-1.0 in this case.
The golang-x-crypto spec license currently declares BSD-3-Clause as its only license. I expect that the rational is that the first paragraph has claimed to re-license the original code it was derived from, so it could be ignored (or maybe it was simply missed during review).
I wouldn't tend to view this as re-licensing though. To me I think that the derivation is keeping the original license (OpenSSL + CRYPTOGAMS) for existing code, and augmenting the work with new code under a compatible license (BSD 3-Clause).
IOW, I'm inclined to think we need to include the origin license too, which I would interpret to be
"( OpenSSL OR BSD-2-Clause OR GPL-2.0 )"
and thus the overall license as
"BSD-3-Clause AND ( OpenSSL OR BSD-2-Clause OR GPL-2.0 )"
Thoughts ?
I think the BSD portion of the Cryptograms license is almost a match to SPDX BSD-3-Clause (ignoring the reference to the GPL) except it has "nor the names of its copyright holder and contributors" in clause 3 (rather than "nor the names of its contributors"), so an issue should be submitted to SPDX to revise BSD-3-Clause accordingly. Assuming that is done, I would treat the license as:
BSD-3-Clause AND (OpenSSL OR BSD-3-Clause OR GPL-2.0-or-later)
Richard
-
Daniel P. Berrangé -
Richard Fontana