>Did you miss the detail about the contribution agreement not granting any rights to third parties until the OpenSSL Foundation has "published" the contribution. No I didn't. They are free to post code as apache 2 and frequently rebase against master. Or whatever they want. We don't have the resources, or interests, to be a general code repository for "related to openssl" things (any more). > In other words, if the only license provided in the Pull request is "this is a contribution", then there is no license for making that downstream repo. Then they will have to be careful and precise about how the licensed it. Same as if openssl were doing it. > Also, isn't GitHub located in the country crypto folk always try to avoid for legal reasons? Which one, there are so many of them these days :( It's a good point; perhaps you can host a repo? Denmark is relatively right-thinking on this issue. /r$
