NSS:Mozilla::PKIX:Licensing


Historical Note: the decision was taken in May 2014 to use the "Dual Licensing: Apache and MPL 2.0" option. The work was done in bug 1007195.

This page analyses the possible options for the licensing of the mozilla::pkix certificate verification library. The aim of this page at the moment is to make sure that all of the options are properly characterised. No decision to make any change has been taken yet.

This library was written for use with NSS by Mozilla, to replace the current "classic" library and "libpkix" library in Firefox. However, there is hope in some quarters that if mozilla::pkix proves successful, it can be used in other projects such as nginx or OpenSSL. The aim here would be to have people standardise on a well-tested, clear and well-documented certificate verification library. Mozilla is always in favour of its code being used as widely as possible. Providing useful code to the world is part of our public purpose.

The standard license of NSS, Mozilla's security library, is the MPL 2.0. However, some of the projects which, it is hoped, might use mozilla::pkix use "permissive" licensing - that is, licensing which has no copyleft (e.g. Apache 2.0, MIT or BSD). The copyleft of the MPL 2.0 would not extend outside the mozilla::pkix library, so would not affect the code of those projects. Nevertheless, for political reasons, some projects would not accept the code under that license.

The current license of mozilla::pkix is Apache 2.0. This presents a problem because, according to the Free Software Foundation (although the view is not universally held), code under the Apache License 2.0 cannot be linked into an executable licensed under the GNU General Public License 2.0. (3.0 is OK.) NSS wishes to maintain its ability to be linked with code under the GPL 2.0, which some important NSS distributors currently take advantage of. So the code as currently licensed cannot be incorporated fully into NSS.

So the question has arisen: is there a way of licensing mozilla::pkix which satisfies all parties?

Interested Parties

The following people have an interest in the outcome of this discussion (in alphabetical order):

  • Bob Relyea
  • Brendan Eich
  • Brian Smith
  • Camilo Viecco
  • Dan Veditz
  • David Keeler
  • Doug Turner
  • Elio Maldonado
  • Gervase Markham
  • Kai Engert
  • Kathleen Wilson
  • Sid Stamm
  • Richard Barnes
  • Wan-Teh Chang

If this list is incomplete, please add names to it.

Apache 2.0 only

This proposal is that mozilla::pkix continue to be licensed under the Apache License 2.0 alone.

Pros

  • Licensing is simple.
  • Code can be used in permissively-licensed projects.
  • Code can be an option for certificate verification in NSS.
  • Code can be copied from mozilla::pkix into the rest of NSS.

Cons

  • NSS' licensing terms are not as simple as they were before.
  • The NSS team would need to make users of NSS aware that they could not both use the mozilla::pkix option for certificate verification and link with a GPL 2.0 project.
  • mozilla::pkix could therefore never be the only certificate verification option for NSS. (Although I don't know if anyone ever thinks it could be.)
  • Code could not be copied from the rest of NSS into mozilla::pkix without seeking permission from the author(s) of the copied code.

Apache 2.0 plus additional permission

This proposal is that mozilla::pkix be licensed under Apache 2.0, with an additional permissions statement permitting use with GPL 2 projects. It would need lawyersmithing, but would read something like this:

"For the avoidance of doubt, the authors of this software give any additional permissions required to allow this software to be linked into projects using the GPL 2.0 license, or relicensed under the GPL 2.0."

This would solve the license incompatibility problem.

Pros

  • Code can be used in both NSS and permissively-licensed projects.
  • Code can be copied from mozilla::pkix into the rest of NSS.

Cons

  • This license is not straight Apache. (Although adding additional permissions to a standard license does not normally complicate the legal analysis.)
  • NSS now has an additional license for users to know about. (Although it already includes code from several BSD-licensed projects anyway.)
  • Code could not be copied from other projects under the Apache license into mozilla::pkix without seeking permission from the author(s) of the copied code.
  • Code could not be copied from the rest of NSS into mozilla::pkix without seeking permission from the author(s) of the copied code.

MPL 2.0 only

This proposal is that mozilla::pkix be licensed under the MPL 2.0 only.

Pros

  • Licensing is simple.
  • Code can be freely copied between mozilla::pkix and the rest of NSS.

Cons

  • Code would (probably) not be accepted by permissively-licensed projects.

Dual Licensing: Apache and MPL 2.0

This proposal is that mozilla::pkix be licensed under both the MPL 2.0 and the Apache License 2.0.

Pros

  • Code can be used in both NSS and permissively-licensed projects.
  • Allows NSS team to continue to have a simple licensing story - they can say "follow MPL 2.0, and you're OK".
  • Code can be copied from mozilla::pkix into the rest of NSS.

Cons

  • Greater risk of forking by 3rd parties - they can release their changes under only one of the two licenses, so they can't be reincorporated. (But both the licenses allow semi-proprietary forks anyway.)
  • Code could not be copied from the rest of NSS into mozilla::pkix without seeking permission from the author(s) of the copied code.

BSD or MIT

This proposal is that mozilla::pkix be licensed under one of the BSD or MIT licenses (they are all effectively the same for our purposes).

Pros

  • Code can be used in both NSS and permissively-licensed projects.
  • Licensing is simple (NSS already contains BSDed code).
  • Allows NSS team to continue to have a simple licensing story - they can say "follow MPL 2.0, and you're OK".
  • Code can be copied from mozilla::pkix into the rest of NSS.

Cons

  • The BSD and MIT licenses do not have a patent clause. Use of a license with a patent clause is considered best practice. The certificate space is one in which patents are actively asserted. (On the other hand, the Apache patent clause only protects you if the patent holder contributes to the project; that seems unlikely in this case.)

Rejected Options

Forking

This proposal is that Mozilla provide a one-time "dump" of the mozilla::pkix code to NSS under MPL 2.0, and then the code continue under Apache 2.0.

This has been rejected because it's clearly worse than many of the options above, and would lead to a quite unnecessary and unproductive division between the groups of people working on the codebase.