New license request: CRYPTOGAMS

[swinslow]

How license meets inclusion principles

Largely similar to BSD-3-Clause, with an "Alternatively" option embedded in the middle, allowing distribution under GPL (version unspecified), "provided that this notice is retained in full".

Very similar in spirit to Brian-Gladman-3-Clause, though not a match as different wording is used for each clause and the disclaimer.

License Name

CRYPTOGAMS License

Suggested short identifier

CRYPTOGAMS

License or Exception?

license

URL to license text

http://web.archive.org/web/20180829174116/https://www.openssl.org/~appro/cryptogams/

OSI Status

Not Submitted

License author or steward

Unknown, though historically the (archived) URL was hosted on OpenSSL's website

URL to project(s) that use license

http://web.archive.org/web/20180829174116/https://www.openssl.org/~appro/cryptogams/ => historically used in OpenSSL

Referenced in many projects, e.g.:

• https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/powerpc/crypto/ghashp8-ppc.pl#n12
• https://github.com/apple/swift-nio-ssl/blob/3eec6698d32394659d35e0682328c11cfed377a7/Sources/CNIOBoringSSL/crypto/fipsmodule/bsaes-armv7-ios.ios.arm.S#L17-L21
• https://cs.opensource.google/go/x/crypto/+/master:chacha20/chacha_ppc64le.s;drc=8d0d405eedb9e8f9d0d381a5e85235684df0a868;l=6

paste text of license here

Copyright (c) 2006-2017, CRYPTOGAMS by appro@openssl.org All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

• Redistributions of source code must retain copyright notices, this list of conditions and the following disclaimer.

• Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

• Neither the name of the CRYPTOGAMS nor the names of its copyright holder and contributors may be used to endorse or promote products derived from this software without specific prior written permission.

ALTERNATIVELY, provided that this notice is retained in full, this product may be distributed under the terms of the GNU General Public License (GPL), in which case the provisions of the GPL apply INSTEAD OF those given above.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

[swinslow]

A few further notes:

• see prior related discussion at https://github.com/spdx/license-list-XML/issues/1785#issuecomment-1387354256
• other slight variations on this text show up in various other spots in the Linux kernel. At some point we can look at those in more detail; but the text pasted above is taken from the apparently-official (though archived) CRYPTOGAMS site, so I'd treat it as the "official" version.
• I don't love the all-caps name or ID, but that's how the site appears to style it so I would probably keep that styling.
• Also appears to have been discussed on the spdx-legal mailing list here several years ago.

[karsten-klein]

{metæffekt} Universe matched expression: BSD 3-Clause License (copyright holder variant) + GNU General Public License (undefined) markers: Do Not Promote Marker

ScanCode matched id: bsd-new OR gpl-1.0-plus

Comments I'm inclined to not add it. It's rather a BSD 3-Clause License (copyright holder variant) with an option to license under GPL, which should be addressable by an expression (even it this particular case is challenging with SPDX, since a LicenseRef for the "ALTERNATIVELY, ..." paragraph is required).

[richardfontana]

I guess I'm inclined to agree with Karsten. This is a good case for use of AdditionRef-, I'd think.

[OliverFendt]

I also do not see a need to integrate this in the license list. In my opinion this is: GPL-1.0-or-later OR BSD-3-Clause (and the BSD-3-Clause license text is the with "CRYPTOGAMS" individualized text) So I agree to Karsten and Richard

[jlovejoy]

so, from a practical standpoint, I certainly agree that it is effectively, GPL-1.0-or-later OR BSD-3-Clause

But that is the human-readable side of things. Being true to SPDX goals of being human and machine readable - I wouldn't think a license scanner would likely be able to parse that from a matching standpoint.

where does that leave us? Especially in light of the "precedent" set by https://spdx.org/licenses/Brian-Gladman-3-Clause.html ?

@swinslow @richardfontana - I also recalled there being a bunch of example of this kind of think in the kernel, do either of you remember how/if those licenses got resolved?

[OliverFendt]

I checked some files of the Linux kernel, I am currently working on, there are many files which carry the following license information (the files listed are only examples, this list is by far not complete there are hundrets of such cases in the Linux kernel and since you find Linux Kernel files in many other packages these files are also in other packages:

linux-6.1.97/net/can/af_can.h linux-6.1.97/net/can/bcm.c // SPDX-License-Identifier: (GPL-2.0 OR BSD-3-Clause)

bcm.c - Broadcast Manager to filter/send (cyclic) CAN content

Copyright (c) 2002-2017 Volkswagen Group Electronic Research All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of Volkswagen nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

Alternatively, provided that this notice is retained in full, this software may be distributed under the terms of the GNU General Public License ("GPL") version 2, in which case the provisions of the GPL apply INSTEAD OF those given above.

The provided data structures and external interfaces from this code are not restricted to be used by modules with a GPL compatible license.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

So the kernel developers made (GPL-2.0 OR BSD-3-Clause) out of the text in the file. This you will find many times in the Linux kernel.

There are also many other cases like the following ones:

linux-6.1.97/crypto/algif_rng.c Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, and the entire permission notice in its entirety, including the disclaimer of warranties.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.

ALTERNATIVELY, this product may be distributed under the terms of the GNU General Public License, in which case the provisions of the GPL2 are required INSTEAD OF the above restrictions. (This clause is necessary due to a potential bad interaction between the GPL and the restrictions contained in a BSD-style copyright.)

THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

linux-6.1.97/include/crypto/drbg.h Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, and the entire permission notice in its entirety, including the disclaimer of warranties.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.

ALTERNATIVELY, this product may be distributed under the terms of the GNU General Public License, in which case the provisions of the GPL are required INSTEAD OF the above restrictions. (This clause is necessary due to a potential bad interaction between the GPL and the restrictions contained in a BSD-style copyright.)

THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

What you see is that the linux-6.1.97/crypto/algif_rng.c has an other text than the suggested license. What you else see in the last example is that no version number of GPL is specified which then leads to GPL-1.0-or-later OR BSD-3-Clause As already said there are hundrets of such cases in the Linux kernel. With this in mind I disagree that such a "new" license adds to

human-readable side of things

Because you would need to establish complicated matching rules or you need to add a whole bunch of "new" licenses" and both things do not enhance human-readability and will put a lot more effort on license compliance work.

Sorry I be perhaps a bit harsh but I disagree to do a new license

[swinslow]

It sounds like the general consensus here is not to add this license, or at least this particular version of it (seeing that the kernel seems to have several variations of it).

Given that, I'm fine with marking this as "not approved" if folks generally feel that a "GPL or BSD" expression is more appropriate here.

[richardfontana]

It occurs to me that a "GPL or BSD" expression is arguably not appropriate for the "Alternatively, provided that this notice is retained in full" variant of this license.

[jlovejoy]

thanks @OliverFendt for the research! That is really helpful to know how the kernel ended up dealing with this, which somehow I missed.

@richardfontana - not sure what you mean? what is not appropriate? (or what would be better?)

I think this is one of those somewhat "unfortunate" licensing situations that we have to live with. I think the disjunctive expression captures the intent, it's just a bit odd b/c of how the actual license text/notice is implemented (i.e., BSD-3-Clause with some text shoved in the middle, instead of just having the full text of both licenses, separate/distinct.

Perhaps this would be useful to capture in a FAQ in case someone finds these files (likely) and is wondering about this (and also so we don't "revisit" this again!) :)

[richardfontana]

@jlovejoy not appropriate because it's not just signifying 'you have a choice of GPL or BSD', it's saying 'you have a choice of GPL or BSD But you have to preserve this whole notice'.

[swinslow]

Discussed on 2024-08-08 legal team call; lack of consensus about the preferred way to handle it.

Given the imminent upcoming release, there's more that would be needed to be figured out regarding variants. I'm going to label this as "Later Release" in case this comes up again in the future.