Review & automate license management

[baentsch]

liboqs integrates various code bases under one "quantum-safe friendly" API. For some algorithms, integration is done manually, for some automated (copy_from_upstream, copy_from_xkcp). While care has been taken to document the resultant "zoo of licenses", more locations than one exist for this, e.g., "spdx-identifiers" in all source code files, a "summary spdx-identifier" in the algorithm documentation sheets, separate "LICENSE" files (originating with but possibly not in line with the upstream code bases) and a central LICENSE file valid only for the liboqs API, pointing to the sub-folder LICENSE files.

For research purposes, where publication (of code and results) is norm and goal, it arguably is sufficient that code has a license -- which liboqs already provides. For integration into commercial products (including OS distributions) this arguably is insufficient (see e.g., #1437).

If the goal is to be able to create binaries suitable for inclusion into commercial software distros (?), e.g., RedHat, all code in liboqs arguably needs to have unambiguous license statements. Given the large corpus of "external" code (liboqs already counts 225 "LICENSE" files -- even before the inclusion of LMS/XMSS) this needs to be fully automated, such as to allow creation of binaries that can be used in commercial distributions (e.g., MIT, Apache2) and those that can be used in truly open, e.g., research settings (e.g., CC0, GPL).

This issue is to propose work to review and automate all license handling within liboqs -- with the ultimate goal to allow liboqs (and its subprojects and users) to select at build time only those algorithms/code bases using specific licenses, e.g., "commercialization friendly" (e.g., MIT, Apache) or "fully open source" (e.g., GPL) or "research friendly" (arguably any).

Thoughts about the need (and timeline and willingness to support this work) for this particularly welcome from anyone possibly having a commercial use case in mind, e.g., @vsoftco @christianpaquin @bhess @crockeea @beldmit @thb-sb (already thumbs up or down would be helpful to gauge interest in this boring "legalese" issue :)

[thb-sb]

I'd be happy to help!

[dstebila]

Excellent suggestion, Michael! Yes I think it makes sense to have an automated process for this, and to include the check of the output in the test suite.

[baentsch]

Suggest to close as per https://github.com/open-quantum-safe/liboqs/issues/1437#issuecomment-1907717069: This would basically benefit companies worried about licensing terms. And as that concern seems to be remedied by (manually) ensuring STD algorithms being MIT or Apache2 as a FOSS project we may save the effort. This of course does not preclude implementation by someone commercially interested in the feature. Keeping it open for some time to gather feedback: It still feels valuable, but as no-one found time to implement, it cannot be that valuable... Maybe worthwhile implementing only in a non-research branch/version?

[planetf1]

Catching up .... I think the principle is really important, as came out in issue 1437 above. I think as long as it is clear that standard algorithms will be mit/apache2 licensed (and therefore generally ok from a commercial aspect) it's a good first-base. It enables the core algorithms to 'get out there' through a variety of package managers, inclusion in existing open source and commercial software, and cloud services.

Going beyond does make logical sense, but is probably a case of diminishing returns purely for those working on the non-std algorithms. If there is a specific new algo that a company needs to commercialise then they'll need to work on the licensing of it in any case, and to expect to just take an algo in dev without contributing (including to making the license acceptable or developing tooling to guard) isn't reasonable ?

One additional step we could take is to

• update the CONFIGURE.md we have in a few places to clarify that OQS_ALGS_ENABLED also only pulls in openly licensed content

  • Add a reference in the top level README.md
  • there may be additional tweaks needed in build/docs for oqsprovider to similarly clarify & only build appropriate algos by default

  I'm not aware of any review checklists, but ensure this assumption isn't broken is important, so should be part of the review of new code/algorithms (presumably see also the pq-code-package discussions)

  Happy to help out with PR if appropriate

[baentsch]

I'm not aware of any review checklists

See/amend https://github.com/open-quantum-safe/liboqs/wiki/Release-process

[baentsch]

there may be additional tweaks needed in build/docs for oqsprovider

By all means, create PRs to add those as you(r company) see(s) fit. fwiw, oqsprovider historically does have a stronger focus on the "STD" algs (surely in CCI) but it would be good to document/qualify this.