hackerfactor closed this issue 3 months ago
@hackerfactor thank you for bringing this to our attention. We are looking into this in detail and will follow up soon.
@hackerfactor Just wanted to provide an update that we are currently working on updating our code to use OpenSSL 3.x, which will result in some license changes. However, we have to make the changes to our c2pa-rs project first (via https://github.com/contentauth/c2pa-rs/issues/350) and then that will flow into this project. Will keep this issue updated as things progress.
The code claims to be dual licensed as Apache and MIT.
However, the build process includes a wide range of code libraries, including code that is BSD, GPLv2, GPLv3, and other licenses. For example, the current code base includes OpenSSL 1.1.1w, which (being from the 1.x code base) is dual licensed under the OpenSSL license and SSLeay license. Since you are not the license holder for OpenSSL, you cannot re-license the code as Apache/MIT.
These licenses would not be a concern if you accessed these modules using shared libraries. However, 'cargo build' is making a static executable, which means you must comply with the additional license terms.
Please change the license to correctly match the actual license terms used by the code.