Merge BoringSSL 33d1049: Switch the license to Apache 2.0, matching OpenSSL upstream #2402
We use the standard Apache 2.0 file header, described in "APPENDIX: How to apply the Apache License to your work." This was primarily automated by running:

    git ls-tree -r --name-only HEAD | xargs go run ./util/relicense.go

See go/boringssl-relicensing-triage for the results of triaging the output of the tool.

As part of this, switch from taking fiat-crypto under MIT license to Apache 2.0. (It is licensed under MIT OR Apache-2.0 OR BSD-1-Clause.)

The copyright_summary tool can also be used to confirm we didn't accidentally drop any copyright lines:

    # Run before the CL
    git grep -l Copyright | xargs go run ./util/copyright_summary.go -out /tmp/old.json
    # Run after the CL
    git grep -l Copyright | xargs go run ./util/copyright_summary.go -compare /tmp/old.json

Bug: 364634028
Change-Id: I17c50e761e9d077a1f92e25969e50ed35e320c59
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/75852
Reviewed-by: Bob Beck <[email protected]>
Commit-Queue: David Benjamin <[email protected]>
Reviewed-by: Adam Langley <[email protected]>
|
||
The above copyright notice and this permission notice shall be included in all | ||
copies or substantial portions of the Software. | ||
See LICENSE-BoringSSL for code that was sourced from BoringSSL. |
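Review bot: The last line of this hunk points readers to LICENSE-BoringSSL without saying which parts of the tree that file covers, so LICENSE alone does not tell a reader which terms apply to a given file. Suggest naming the affected paths on that line, or stating that the per-file headers are authoritative, and confirming that LICENSE-BoringSSL is packaged alongside LICENSE so the reference resolves in the published crate.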
I don't really know the best way to deal with the multi-license situation insofar as a LICENSE file goes. Suggestions appreciated.
One common option is to have files like LICENSE.Apache-2.0, LICENSE.ISC that you refer to in the readme or in a separate COPYING/LICENSE file. The REUSE standard formalizes this with a LICENSES directory and a TOML file or per‐file annotations to declare copyright holders and applicable licences, though you may find it to be too much ceremony. Given the note at the top of the LICENSE file about checking the per‐file headers instead, though, perhaps adopting it would simplify things overall.
Thanks. I think the scope of this PR should be limited to making sure the LICENSE file isn't wrong, making sure we include all the license files in the crate that are for the crate contents, having the machine-readable license for the crate contents, and getting rid of the use of the old licenses. I think documenting the licensing of things that don't end up in the crate should be done in another PR.
Codecov Report
All modified and coverable lines are covered by tests ✅
Additional details and impacted files
@@ Coverage Diff @@
## main #2402 +/- ##
==========================================
- Coverage 96.61% 96.61% -0.01%
==========================================
Files 176 176
Lines 21640 21640
Branches 533 533
==========================================
- Hits 20908 20907 -1
Misses 618 618
- Partials 114 115 +1
Cargo.toml
@@ -5,7 +5,7 @@ categories = ["cryptography", "no-std"] | |||
description = "Safe, fast, small crypto using Rust." | |||
edition = "2021" | |||
keywords = ["crypto", "cryptography", "rand", "ECC", "RSA"] | |||
license-file = "LICENSE" | |||
license = "APACHE AND (APACHE OR MIT) AND ISC" |
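Review bot: On the `license` line, `APACHE` is not an SPDX license identifier, so the expression does not name the Apache License 2.0 in the machine-readable form that this field is meant to carry. Suggest replacing each `APACHE` with the SPDX identifier `Apache-2.0`, giving `license = "Apache-2.0 AND (Apache-2.0 OR MIT) AND ISC"`, and checking that every license named in the expression has its text shipped in the crate.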
I assume this is meant to be Apache 2.0, right? Per the SPDX license list 3.20 used by Cargo, the correct form is Apache-2.0.
Also, although there is no harm in Apache-2.0 AND (Apache-2.0 OR MIT), it is not required: as the downstream consumer and redistributor of the code licensed under Apache-2.0 OR MIT, you can choose (“at your option”) to receive it under Apache-2.0, and distribute it under the same terms. So this can collapse to Apache-2.0 AND ISC, unless you want to explicitly let people know that the code from once_cell is also available under the MIT licence.
(FWIW, Apache 2.0 includes an explicit patent grant whereas ISC does not. I assume the ship has sailed on the ISC licensing, but Apache-2.0 alone may have been simpler for downstream consumers for this reason.)
Thanks. I updated things based on what you wrote above. PTAL. Your help is much appreciated.