On Mon, Dec 4, 2023 at 1:00 PM Daniel P. Berrangé <berrange(a)redhat.com> wrote:
I'm looking at the package (golang-x-crypto) which has a file containing
this header:
// Copyright 2019 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// Based on CRYPTOGAMS code with the following comment:
// # ====================================================================
// # Written by Andy Polyakov <appro(a)openssl.org> for the OpenSSL
// # project. The module is, however, dual licensed under OpenSSL and
// # CRYPTOGAMS licenses depending on where you obtain it. For further
// # details see http://www.openssl.org/~appro/cryptogams/.
// # ====================================================================
The top level LICENSE referenced is BSD-3-Clause. The CRYPTOGAMS licenses
appear to be a combination of BSD-2-Clause and GPL (no version) which I
interpret as GPL-2.0 unless someone knows of a compelling reason for it to
be considered GPL-1.0 in this case.
The golang-x-crypto spec license currently declares BSD-3-Clause as its
only license. I expect that the rationale is that the first paragraph has
claimed to re-license the original code it was derived from, so it could
be ignored (or maybe it was simply missed during review).
I wouldn't tend to view this as re-licensing though. To me I think that
the derivation is keeping the original license (OpenSSL + CRYPTOGAMS) for
existing code, and augmenting the work with new code under a compatible
license (BSD 3-Clause).
IOW, I'm inclined to think we need to include the origin license too,
which I would interpret to be
"( OpenSSL OR BSD-2-Clause OR GPL-2.0 )"
and thus the overall license as
"BSD-3-Clause AND ( OpenSSL OR BSD-2-Clause OR GPL-2.0 )"
Thoughts ?
I think the BSD portion of the CRYPTOGAMS license is almost a match
to SPDX BSD-3-Clause (ignoring the reference to the GPL) except it has
"nor the names of its copyright holder and contributors" in clause 3
(rather than "nor the names of its contributors"), so an issue should
be submitted to SPDX to revise BSD-3-Clause accordingly. Assuming that
is done, I would treat the license as:
BSD-3-Clause AND (OpenSSL OR BSD-3-Clause OR GPL-2.0-or-later)
Richard