On Mon, Dec 4, 2023 at 1:00 PM Daniel P. Berrangé <berrange@xxxxxxxxxx> wrote: > > I'm looking at the package (golang-x-crypto) which has a file containing > this header: > > // Copyright 2019 The Go Authors. All rights reserved. > // Use of this source code is governed by a BSD-style > // license that can be found in the LICENSE file. > > // Based on CRYPTOGAMS code with the following comment: > // # ==================================================================== > // # Written by Andy Polyakov <appro@xxxxxxxxxxx> for the OpenSSL > // # project. The module is, however, dual licensed under OpenSSL and > // # CRYPTOGAMS licenses depending on where you obtain it. For further > // # details see http://www.openssl.org/~appro/cryptogams/. > // # ==================================================================== > > > The top level LICENSE referenced is BSD-3-Clause. The CRYPTOGAMS licenses > appear to be a combination of BSD-2-Clause and GPL (no version) which I > intepret as GPL-2.0 unless someone knows of a compelling reason for it to > be considered GPL-1.0 in this case. > > The golang-x-crypto spec license currently declares BSD-3-Clause as its > only license. I expect that the rational is that the first paragraph has > claimed to re-license the original code it was derived from, so it could > be ignored (or maybe it was simply missed during review). > > > I wouldn't tend to view this as re-licensing though. To me I think that > the derivation is keeping the original license (OpenSSL + CRYPTOGAMS) for > existing code, and augmenting the work with new code under a compatible > license (BSD 3-Clause). > > IOW, I'm inclined to think we need to include the origin license too, > which I would interpret to be > > "( OpenSSL OR BSD-2-Clause OR GPL-2.0 )" > > and thus the overall license as > > "BSD-3-Clause AND ( OpenSSL OR BSD-2-Clause OR GPL-2.0 )" > > Thoughts ? I think the BSD portion of the Cryptograms license is almost a match to SPDX BSD-3-Clause (ignoring the reference to the GPL) except it has "nor the names of its copyright holder and contributors" in clause 3 (rather than "nor the names of its contributors"), so an issue should be submitted to SPDX to revise BSD-3-Clause accordingly. Assuming that is done, I would treat the license as: BSD-3-Clause AND (OpenSSL OR BSD-3-Clause OR GPL-2.0-or-later) Richard -- _______________________________________________ legal mailing list -- legal@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to legal-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/legal@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
