worr
commented
6 years ago I am fine with relicensing this project under the BSD 3-clause license, or any other similar open source license.
Closed blag closed 4 years ago
worr
commented
6 years ago I am fine with relicensing this project under the BSD 3-clause license, or any other similar open source license.
worr
commented
6 years ago Also heads up, per their Twitter profile, Isis uses they/them.
blag
commented
6 years ago @worr Thanks for catching that, I had no idea.
Fixed. Sorry Isis!
RichardPooleEDB
commented
6 years ago I am fine with relicensing this project under the BSD 3-clause license, or any other similar open source license.
amenonsen
commented
6 years ago I am fine with relicensing my contributions to this project under the BSD 3-clause license, or any other similar open source license. (Especially since the text above suggests you won't stop bothering me until I am fine with it. ;-)
anarcat
commented
6 years ago i usually license my work under (A)GPL licenses and do not see why this one would be any different. GnuPG itself is, by the way, also GPL(v3).
charles-dyfis-net
commented
6 years ago I'm fine with BSD 3-clause.
blag
commented
6 years ago @Richard2ndQuadrant @amenonsen @charles-dyfis-net Thank you!
@anarcat I understand, and I usually like to use the GPL as well. But in this case doing so prevents proprietary projects (like mine) from using encryption (well, really it just forces us to use Vinay's BSD 3-clause version, but that one is not as good as this one).
If this project is GPL, I could not use this in my project, because I would have to GPL my entire project to do so. I'm not interested in doing that.
However, if this was more liberally licensed - like BSD 3-clause or even the LGPL, I could use it in my project.
I have zero interest - and I'm sure any other proprietary users have zero interest as well - in keeping a proprietary fork of this code. I absolutely would contribute any and all changes to this code back upstream. I would simply like to use PGP/GPG in my project without having to open source the whole thing.
It sounds like you would like this project to be licensed under the LGPL "at minimum", and I'm 100% fine with that, but all contributors need to agree to that. I just picked BSD because it matches Vinay's, so this project can be used (in a legal sense, I know it breaks his API) everywhere his has been used.
Please let me know if you have any further questions, and if you would be okay with relicensing your contributions under the BSD 3-clause, the LGPL, or if you would like to keep the project fully GPLed.
GnuPG itself is, by the way, also GPL(v3)
That's true, but this code simply calls and passes data to the gnupg executable, it doesn't actually link (in a software sense) to it. AFAICT any code that only does that does not need to be GPLed as well.
anarcat
commented
6 years ago On 2018-03-12 12:46:58, blag wrote:
If this project is GPL, I could not use this in my project, because I would have to GPL my entire project to do so. I'm not interested in doing that.
However, if this was more liberally licensed - like BSD 3-clause or even the LGPL, I could use it in my project.
I understand your position but you need to understand that the whole point of the GPL is exactly to avoid those situations where people derive proprietary software from public work. Asking me to release the code under a non-GPL license is asking me to contribute, for free, to your proprietary software project.
This is why I chose to release my work under the GPL: so that derivatives stay free, to create a free software world.
zariye
commented
6 years ago I am fine with relicensing this project under the BSD 3-clause license, or any other similar open source license.
tomgalloway
commented
6 years ago Reading those emails from Isis on the decision to make the license GPL makes me want to hear from them 1st. At the moment I'm leaning towards the license staying as GPL.
blag
commented
6 years ago This is why I chose to release my work under the GPL: so that derivatives stay free, to create a free software world.
The end result is perhaps a less secure world. This is a case where contributors have to balance two different goals: a world where GnuPG is easy to use by everybody or a world where some software is inherently less secure.
So you would not even accept the LGPL then? That would force me (even though I would do it anyway) to contribute any changes I made to this project back to upstream, while keeping the rest of my project non-GPL. I would be compensating you by contributing code back (also for free).
If python-gnupg is kept under the GPL then I will simply use another package with a more liberal license and contribute changes back to that. I would rather use and contribute back to this package without having to open source my entire project.
akerl
commented
6 years ago This is a case where contributors have to balance two different goals: a world where GnuPG is easy to use by everybody or a world where some software is inherently less secure.
The only reason we're even having this chat is because this library could allow you to sidestep the fact that GnuPG is GPL'd. If it weren't for the argument that invoking the separate gpg binary's CLI interface doesn't carry over the GPL, you'd be stuck pitching this issue to gnupg upstream, and I suspect you're aware what kind of reception you'd get there.
For somebody who's asking a bunch of contributors to consent to relicensing their work (and I'm already intrigued that you've basically stated you'll keep bothering them until they respond), you seem to have focused entirely on how the license change would help your new closed source project.
blag
commented
6 years ago The only reason we're even having this chat is because this library could allow you to sidestep the fact that GnuPG is GPL'd. If it weren't for the argument that invoking the separate gpg binary's CLI interface doesn't carry over the GPL, you'd be stuck pitching this issue to gnupg upstream, and I suspect you're aware what kind of reception you'd get there.
Absolutely true. My alternative is to write a library that calls the GPG executable directly and passes flags to it. Since that's exactly what this project already does, I'd like to not reinvent the wheel if I can help it. I don't want to fall into the same traps, or rediscover all of the bugs that this project has already found and avoided or fixed (like shell=True for instance).
(and I'm already intrigued that you've basically stated you'll keep bothering them until they respond)
I may not have worded that entirely well enough. I will bother them until they respond with a yea or a nay. If it's a nay and I cannot convince them otherwise, then it's a done deal - I'll use something else. I'm not going to badger them into relicensing to something that is favorable to me, only to badger them until they respond at all and hope they will at least hear me out.
you seem to have focused entirely on how the license change would help your new closed source project
Yep. I'm trying to be perfectly above-board and completely honest here, to the point that I'm being absolutely blunt. This relicensing will help me keep my project's users secure. Otherwise they will be less secure because I'll have to use Vinay's python-gnupg package, which, according to Isis, doesn't quite fix all of the flaws that they have addressed with this fork.
Do you want me to try to lie to you about my goals? Or omit or paper over them? I don't find that behavior to have much integrity and I doubt you do either. I don't think my use case is very uncommon, and helping users of all software - open source or otherwise - remain as secure as possible in their communications is (I think) a worthwhile goal.
I'm not representing any large evil corporation here that wants to take your source code and never give back - I'm just a guy like any other who wants to use this package in a small project. You are welcome to check out my GitHub profile - I've been here awhile, and I've contributed back plenty to upstream projects and authored some of my own open source projects as well. Being able to use and give back to this project to me seems like a win-win situation.
anarcat
commented
6 years ago On 2018-03-13 00:36:10, blag wrote:
Do you want me to try to lie to you about my goals? Or omit or paper over them? I don't find that behavior to have much integrity and I doubt you do either. I don't think my use case is very uncommon, and helping users of all software - open source or otherwise - remain as secure as possible in their communications is (I think) a worthwhile goal.
We're not asking you to lie or cheat, we want you to write free software. That is why we use the GPL. But we don't have to convince you to do that, nor do you have to convince us to switch to BSD.
You need to understand that the current state of affairs is that a decision was made to switch the GPL from the person who made the improvements you so desire. If you wish to revert that, you can either make your project GPL, or use the original BSD fork. It's pretty simple... There are also other GnuPG Python wrappers you could look at as well, but good luck convincing the GnuPG developers to relicense GPGME...
Also note that python-gnupg is not even licensed under the AGPL, which would force you to share the source if you run a service based on it. Only if you distribute a binary to your users do you have to share the source, and only to those users. It seems a pretty fair deal, if you ask me: you can even sell the right to access the software, as long as you ship the source. I don't see what the big deal is, to be honest.
I, for one, do not wish to have yet another BSD vs GPL debate, for I did not contribute much to this project. I do not consider myself to be the maintainer here, so I will also defer to Isis' decision here, but I figured I would make a first stand behind the GPL here so that they wouldn't have to deal with such a debate if they didn't want to.
charles-dyfis-net
commented
6 years ago Before I bow out of this thread, the only remaining words I'm going to have on this subject are to note that:
The most recent time I selected an OpenPGP library, that selection was not python-gnupg or any other GnuPG wrapper but x/crypto/openpgp -- with one of the factors (yes, influencing implementation language) being licensing of said library.
After making that selection, I ended up jumping through the relevant hoops to get approval of the employer for whom said project was work-for-hire to contribute some enhancements we made in the course of such use upstream in said employer's name.
That said, Isis certainly has done much more for this project than me, and I will of course respect their decision.
meskio
commented
6 years ago If the only reason to change from GPL to BSD is the request to use the library for proprietary software I'm not much in favor to do the change. But if Isis decides to go for it I'll not oppose it.
Fjodor42
commented
6 years ago I am fine with relicensing this project under the BSD 3-clause license, or any other similar open source license provided that @isislovecruft is fine with this as well.
Should that provision turn out not to be met, the sentence above shall, naturally, be negated.
worr
commented
6 years ago So I had assumed, in good faith, that you had discussed or even at least raised the idea with Isis ahead of time. Unless you haven't mentioned that yet, it seems like you haven't. Frankly, this doesn't change my agreement to go with a license change, since I'd happily go along with whatever Isis would like.
That said, this generally comes off as a very rude method for asking for a license change. In the future, if you are really interested in asking about a change in license for an established project that you're not an owner or contributor of, ask the primary dev of the software first. Send a mail, ask in an issue that's tagged question, but don't just send a diff with a new license asking for all of the contributors to sign off on it. I know that if someone had asked me like this on one of my projects, I would've promptly rejected the diff and ceased discussion on the issue. Please keep that in mind next time you request a license change.
amenonsen
commented
6 years ago I had also assumed that this was the result of some prior discussion (in retrospect, for no good reason other than mildly suggestive wording "e.g., requires signoff by multiple stakeholders before merge"). I am happy with whatever @isislovecruft decides about the licensing.
blag
commented
6 years ago @worr @amenonsen Sorry if I came off across as rude or pushy.
I actually have brought it up with Isis in the past, but it was via email about a year ago and while they were amenable to helping me at the time, their opinion may have shifted since then. I wanted to give Isis the opportunity to chime in to this discussion with their current opinion without bringing up our previous emails. But, I think that leaving out the email may have been a mistake on my part.
Here is a scrubbed excerpt of the email chain between Isis and me. I am intentionally omitting some parts of the conversation that I don't think are materially relevant to this relicensing conversation. 1
On Dec 28, 2016, at 3:47 AM, isis agora lovecruft <(email scrubbed)> wrote:
Hi (blag)!
I'd be happy for you to use my project, since it's still more secure that the alternatives. I'll do whatever I can to help you to do so.
I inherited the license, unfortunately, because my code started as an incremental rewrite of Vinay Sajip's module. I'm not a lawyer, and—even though it's clear that, after this many years, our forks have irrevocably diverged—I don't understand licensing enough to understand if I'm allowed to drop Sajip's original GPLv3 license. I would always very much prefer to write crypto code under public domain, since security and privacy should be available to everyone.
If you have any advice or know any lawyers who know what to do, I'd be happy to do something like sign a waiver to allow you to use it. I'm just not certain it's within my rights to do so, without you getting Sajip's permission as well. (scrubbed)
Now, when you are reading this excerpt, please keep in mind the following:
Thank you all for responding so far, I realize that I am asking a lot of you all and I appreciate all of the time and energy you have spent considering this. I'm trying to be as forthright and above-board with this as I can be, but I'm trying to weigh that against burning people out by blowing up their inboxes.
If any of you are in the San Francisco Bay area I'd be happy to get you all a round of soda/tea/coffee/beer/wine as a token of my appreciation for the contributions you have made to open source so far and for the trouble I've put you through already. Cheers! 🍵☕️🍺🍷🍹
1 If Isis would like to publicize the entire email thread I am fine with that, just please redact my real name and email address from those publications.
Edit: Clarified a point; fixed some typos.
worr
commented
6 years ago Ah, I'm very sorry for misjudging. Good to hear that you reached out to them prior. Sorry again since I turned out to be the rude one - I'm definitely the one that should get you a beverage!
andrejb
commented
6 years ago Hello!
If I were to choose I would prefer to maintain python-gnupg licensed under GPL and then leave blag the options of not using this project or relicensing his proprietary project as GPL also. The main reason is that access to the source code is a necessary condition for assessment of quality and security of software, and that is not only valid for the libraries themselves but also for the programs that use such libraries.
But I also don't consider myself someone who has the legitimacy to determine the choice here, so I would respect any decision from the main author of this project. :-)
kelseyq
commented
6 years ago I only submitted a docfix, but I’m fine with any relicensing decision.
Hasimir
commented
6 years ago Wow, I'm amazed that a request like this has even made it this far. I'm not sure whether or not I should comment at all, but shrug what the hell, eh …
Okay, so Vinay Sajip's wrapper is not actually an original work, he's just the longest maintainer of it. Buried in the depths of its documentation you'll find that one Richard Jones, a Pythonista from Sydney, is the original responsible party. I believe that project may be old enough to have been launched around the time Python itself was having or had just had its own licensing woes (do a search on "Python 1.6" and that should result in some fascinating, albeit painful, reading).
I can't comment on the licensing choices back then, but I suspect that the licensing and the wrapping of the binary were not directly linked. On the other hand, I'm too slack to pester Richard for an answer to that anyway.
Moving on to this thread, though …
@blag said:
Absolutely true. My alternative is to write a library that calls the GPG executable directly and passes flags to it. Since that's exactly what this project already does, I'd like to not reinvent the wheel if I can help it. I don't want to fall into the same traps, or rediscover all of the bugs that this project has already found and avoided or fixed (like shell=True for instance).
Please don't do that, that's how all these less than ideal shell calls began in the first place.
GPGME provides a complete C API for the entire GnuPG project (including the other engine and all the libs). The Python bindings available over the last couple of years or so replicate that functionality completely, though a more pythonic layer that's easier to work with is still in progress. Nevertheless, the most common features are already available. It's also got better documentation than GPGME itself.
Then @blag said:
I may not have worded that entirely well enough. I will bother them until they respond with a yea or a nay. If it's a nay and I cannot convince them otherwise, then it's a done deal - I'll use something else. I'm not going to badger them into relicensing to something that is favorable to me, only to badger them until they respond at all and hope they will at least hear me out.
Well, you're doing far better than I did. I tried discussing the permissive versus free thing with Isis back in 2014 on Twitter and it landed me a block. Though admittedly that was shortly after they'd had the somewhat larger argument regarding the AGPL vs. the GPL on one of the Debian lists and Twitter isn't an ideal medium for the detailed discussion it needed if one intends to be taken seriously, so that was my fault.
As it happens her last words to me were I could either accept the license as it was or use Vinay Sajip's module. I ended up doing something very different instead and so used neither this project nor its upstream.
And then this:
Yep. I'm trying to be perfectly above-board and completely honest here, to the point that I'm being absolutely blunt. This relicensing will help me keep my project's users secure. Otherwise they will be less secure because I'll have to use Vinay's python-gnupg package, which, according to Isis, doesn't quite fix all of the flaws that she has addressed with this fork.
Neither of them do, but it's important to understand the differences between the two projects and developers.
Isis has been immersed in security software for a long time and is often found exploring the edge cases of elliptic curve implementations and so on; sometimes at the cost of consistently maintaining side projects because greater goals come into sight. It's not entirely an uncommon tale amongst those with immense talent — the risk they may become bored and move onto something else. I won't say that's necessarily happened here, but if I were assessing it for my own use now I'd look at the last time it was updated, what's in the current issues and pull requests and then compare that to the amount of activity of the project manager elsewhere.
Whereas Vinay gets a bad rap with a lot of people because of his errors with python-gnupg; even though he also writes chunks of Python's standard libs. most of us actually depend on his work, just not this bit of it. He's actually a pretty good Python programmer in a more general sense, but a very poor security programmer (and understands sod all about cryptography).
So, getting back to the thread, all of this led to @anarkat saying:
You need to understand that the current state of affairs is that a decision was made to switch the GPL from the person who made the improvements you so desire. If you wish to revert that, you can either make your project GPL, or use the original BSD fork. It's pretty simple... There are also other GnuPG Python wrappers you could look at as well, but good luck convincing the GnuPG developers to relicense GPGME...
GPGME is released under the same dual licensing model as the rest of the GNU Privacy Guard: the GPL version 2 with the "or any later" clause (GPLv2+) and the LGPL version 2.1 with the "or any later" clause (LGPLv2.1+).
The dual licensing of the GnuPG Project is deliberate and won't be changed. Part of the motivation of @blag as stated in this issue reflects one of the reasons behind the licensing choice.
As worthwhile a cause as free software is, there are many situations in which OpenPGP has only been able to reach because it could be incorporated in projects requiring more permissive licensing. The access to strong cryptography by as many people as possible is deemed by the GnuPG Project developers to be far more important than adherence to any free software ideology.
There are those within or supporting of the FSF who disagree with that position; but it comes down to a matter of personal ethics and values which are well beyond the scope of this thread.
The flip side to that is that closed source cryptography simply can't be trusted. Which is why the GnuPG Project isn't only released under the LGPL, whereas some other GNU libraries are. Any other project using it as a dependency can use it or any component of it under either of the two licenses, but contributions back to the parent project(s) must be under both licenses. Usually with a Developer's Certificate of Origin (DCO) from the contributor and signed with their OpenPGP/GPG key.
You can see an example of this with mine. Since I both posted it using PGP/MIME and included a clearsigned attached copy, Mailman only scrubbed the PGP/MIME signature for the web list archive and the clearsigned one is there in its entirety.
Likewise the Python bindings (supporting 2.7 and 3.4+) use the same licensing and will continue to do so in perpetuity. These bindings began as PyME for Python 2, but were ported to Python 3 three years ago and then that code was folded back into GPGME, since even after 13 years the licenses were still identical, and turned into the current bindings.
As for the GPL vs. BSD debate; there is no debate to speak of. The LGPLv2.1+ permits inclusion with BSD projects … which is why GPG usually ships with NetBSD, FreeBSD, OpenBSD, OS X and so on.
Finally, though, unless you get an actual sign-off from everyone who contributed code under either or both of the GPL or AGPL releases of this project, you can't do squat with it. All these licenses, in spite of rms' PR regarding “copyleft,” derive their legal status from copyright and you must have the permission of every copyright holder to do what is intended here. If just one is not contactable, you can't proceed. If one of them is dead, you need to follow up with the estate/heirs. If one is incapacitated and unable to consent (e.g. coma, institutionalised, etc.), then you need to deal with their executor or guardian (which may be the state/government). If any of them are in witness security then, to put it quite bluntly, you're simply screwed.
Just looking at the number of names on that list would give many law firms pause, let alone developers. I, of course, am not one amongst those needing to sign off something here. Which is good because even if I had I would have been unable to do so at all following a change made in May last year (for reasons which are way off topic and even more complicated than a mere licensing issue like this) and even posting this comment is pushing it as far as I'm concerned. Since I'm not a contributor and there are no censorious clauses here like those of the Django Project, perhaps that's enough. I guess w'll see (and I'll make an archive in case I'm wrong … again).
I did contribute to the upstream wrapper Vinay manages, but I can't remember if it was before or after this fork. Either way it wouldn't matter because the license of that project would permit everything requested here. All my other crypto work is firmly covered elsewhere.
No, the larger problem is tracking down every single contributor and getting something in writing with either an electronic or digital signature on it authorising the license change. Not to mention whether or not it can be done in a timeframe which meets the needs of @blag's other project (or anyone else's for that matter).
Personally I doubt this will ever be achieved, but it may make for a good case study for GSoC candidates regarding the importance of copyright and licensing in FOSS projects. So for that reason the request has some value regardless of the outcome and for which you all have my thanks (though I can think of a couple of GSoC candidates who may wish I hadn't seen this until autumn).
isislovecruft
commented
6 years ago Hi @blag!
I know I've already mentioned it, but I'm not a lawyer and I don't really understand licensing stuff (and don't really want to!). That said, I'm happy to relicense this project as 3-BSD if everyone is okay with it and/or provide you (or anyone else) with a written exemption. (I have provided exemptions in the past for python-gnupg, including for someone who wanted to use it on a satellite.)
Could you please ping me when you think this is ready for merge?
tobiasb
commented
4 years ago Is there update on this?
blag
commented
4 years ago @tobiasb Since this PR was opened, there have been additional contributors to this project. I have added them to the checklist in the summary, ~and I will be explicitly at-mentioning them all here in an additional comment,~ and possibly following up privately with them via email.
Aside from that, the checklist has been updated to reflect the tentative acceptance for everybody who has responded so far, as well as akerl's potential disapproval.
Edit: Apparently GitHub notifies people when they have been at-mentioned in a comment or PR summary update, so I don't have to create additional noise.
thusoy
commented
4 years ago I'm fine with relicensing to either license.
instantname
commented
4 years ago Sorry, but I do not approve to a change of the licence to BSD-3 clause.
However, I would agree to reverting my (tiny) contributions and, after that, let the decision of future licence changes to the other contributors, so that the project can still move forward.
adamchainz
commented
4 years ago I’m fine with relicensing
a9rkzz
commented
4 years ago I support the relicensing
Sent from my iPhone
On Dec 4, 2019, at 22:57, Drew H notifications@github.com wrote:
NOTE: Requires signoff by multiple stakeholders before merge!
I would like to use this project under the semi-original BSD 3-clause license. I think cryptographic libraries should be available to everybody, not just GPLed projects, and I think most contributors would agree.
The licensing history of this project is kind of interesting.
There was a question in the Google Code issue tracker regarding licensing. The outcome of that was that the original author was trying to put it under public domain:
The intention was to put the module into the public domain ...
If it makes anything easier, I'm fine with the module being relicensed under some other license.
Vinay's fork was then licensed under the BSD 3-clause.
When @isislovecruft forked it, they did so by creating the repository on GitHub, then adding the files in a separate commit. Somehow, at that point, the AGPL was committed as the license, even though at no point was Vinay's version AGPLed. I don't know what happened here, but from this point onward all contributions would legally be considered AGPLed.
Isis was the only contributor to this fork until @tomgalloway added two commits (one, two). With Isis and Tom being the only two contributors to the AGPL-licensed project, it was easy/possible to later relicense it to the good ol' GPL.
That brings us to today. Since then, multiple contributors have contributed code to the project under the GPL. Any attempt to relicense it to a different license will require that ALL of those contributors agree to relicense their changes under both the GPL and the BSD 3-clause license (or whatever license we can all agree to 1).
So, for all of you folks that I'm about to at-mention, please leave a comment here to the effect of:
I am fine with relicensing this project under the BSD 3-clause license, or any other similar open source license.
Once everybody has accepted relicensing this project, this PR can be merged.
1 We don't have to use the BSD 3-clause, I just picked that one. Unless you have a reasonable, compelling interest against the BSD 3-clause license, please do not squabble or argue over the minor differences between BSD, MIT, public domain, WTFPL, or any other very similar licenses. Whatever license we do choose, we ALL have to agree to it. The other license that would suit my needs is the LGPL, but I figure switching to a more liberal license once is better than switching again in another few years.
I need all of the following people to accept/reject a relicense to BSD 3-clause (and/or public domain), I will check you off (and stop bothering you) once you respond in this thread:
@isislovecruft @kalikaneko @andrejb - emailed privately respects Isis' decision @charles-dyfis-net @ttanner @lynncyrin - emailed privately @tomgalloway - waiting on Isis @garrettr - responded privately, deferring to Isis @zariye @zigg - emailed privately @Fjodor42 - approval pending on Isis' approval @revfiyawo - no longer appears in list of contributors (account renamed??) @sfindeisen @Richard2ndQuadrant @amenonsen - deferring to Isis @worr @shonny-ua @kelseyq @bwagnerr - emailed privately @meskio - will not oppose if Isis approves @anarcat - deferring to Isis @akerl - possibly opposed @kejbaly2 - emailed privately @a9rkzz @adamchainz @comzeradd @georgexsh @instantname @mugwort-rc @swagatata @thusoy @wimglenn @JamesMaroney @OdyX @web-flow - GitHub's account for their web interface (both commits were authored by isislovecruft) You can view, comment on, or merge this pull request online at:
https://github.com/isislovecruft/python-gnupg/pull/228
Commit Summary
Relicense (back) to BSD 3-clause - requires signoff by multiple stakeholders before merge File Changes
M LICENSE (631) M docs/index.rst (4) M gnupg/copyleft.py (715) M setup.py (4) Patch Links:
https://github.com/isislovecruft/python-gnupg/pull/228.patch https://github.com/isislovecruft/python-gnupg/pull/228.diff — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or unsubscribe.
OdyX
commented
4 years ago Not overly happy with a relicensing to BSD as I much prefer (A)GPL* Copyleft licenses; but I don't want to stand in the way; especially as @isislovecruft already gave their agreement. So, not in joy, I am fine with relicensing this project under the BSD 3-clause license, or any free software license that is acceptable for Debian main.
coilysiren
commented
4 years ago 👋 Hi, I only just realized that I'm supposed to do something here!
I have the same opinion as @OdyX above 🙂
Not overly happy with a relicensing to BSD as I much prefer (A)GPL* Copyleft licenses; but I don't want to stand in the way; especially as [Isis] already gave their agreement.
So, not in joy, I am fine with relicensing this project under the BSD 3-clause license
So 👍
tomgalloway
commented
4 years ago @blag I've seen Isis has responded on this request. Having re-read the thread I'm not convinced of the merits to change the license.
blag
commented
4 years ago Given @Hasimir's comment, @tomgalloway's dissent, and the many non-responses, I've given up all hope for this relicensing effort and I'll be focusing my energy elsewhere. Thank you all for putting up with this, especially those of you who responded. I did not ask this question lightly. And please accept my apologies for any confusion or distraction I may have caused.
NOTE: Requires signoff by multiple stakeholders before merge!
I would like to use this project under the semi-original BSD 3-clause license. I think cryptographic libraries should be available to everybody, not just GPLed projects, and I think most contributors would agree.
The licensing history of this project is kind of interesting.
There was a question in the Google Code issue tracker regarding licensing. The outcome of that was that the original author was trying to put it under public domain:
Vinay's fork was then licensed under the BSD 3-clause.
When @isislovecruft forked it, they did so by creating the repository on GitHub, then adding the files in a separate commit. Somehow, at that point, the AGPL was committed as the license, even though at no point was Vinay's version AGPLed. I don't know what happened here, but from this point onward all contributions would legally be considered AGPLed.
Isis was the only contributor to this fork until @tomgalloway added two commits (one, two). With Isis and Tom being the only two contributors to the AGPL-licensed project, it was easy/possible to later relicense it to the good ol' GPL.
That brings us to today. Since then, multiple contributors have contributed code to the project under the GPL. Any attempt to relicense it to a different license will require that ALL of those contributors agree to relicense their changes under both the GPL and the BSD 3-clause license (or whatever license we can all agree to 1).
So, for all of you folks that I'm about to at-mention, please leave a comment here to the effect of:
Once everybody has accepted relicensing this project, this PR can be merged.
1 We don't have to use the BSD 3-clause, I just picked that one. Unless you have a reasonable, compelling interest against the BSD 3-clause license, please do not squabble or argue over the minor differences between BSD, MIT, public domain, WTFPL, or any other very similar licenses. Whatever license we do choose, we ALL have to agree to it. The other license that would suit my needs is the LGPL, but I figure switching to a more liberal license once is better than switching again in another few years.
I need all of the following people to accept/reject a relicense to BSD 3-clause (and/or public domain), I will check you off (and stop bothering you) once you respond in this thread:
emailed privatelyrespects Isis' decision