They're changing their license[1] to Apache 2 which unlike the current fuzzy compatibility with the current license[2] is explicitly incompatible with GPLv2[3]. We use OpenSSL for SHA1 by default unless NO_OPENSSL=YesPlease. This still hasn't happened, but given the lifetime of git versions packaged up by distros knowing sooner than later if this is going to be a practical problem would be good. If so perhaps we could copy the relevant subset of the code int our tree, or libressl's, or improve block-sha1. We also use OpenSSL for git-imap-send, AFAICT with no fallback other than "don't use ssl" or "use stunnel". 1. https://www.openssl.org/blog/blog/2017/03/20/license/ 2. https://www.openssl.org/docs/faq.html#LEGAL2 3. https://www.apache.org/licenses/GPL-compatibility.html