Re: New License/Exception Request: CRYPTOGAMS

Philippe Ombredanne


On Mon, Dec 4, 2017 at 8:25 PM, Jason A. Donenfeld <Jason@...> wrote:

A lot of older OpenSSL code is under the OpenSSL license, but the
author also provides it under GPLv2. Great. The SPDX identifier for
this is obvious.

Faced with the multitude of requests for adding this GPLv2 exception
in the various interesting reusable files of OpenSSL, it appears that
the OpenSSL assembly pinball wizard, Andy Polyakov, wound up coming up
with CRYPTOGAMS. That looks like this:

In the header of a particular OpenSSL file there is this text:

# ====================================================================
# Written by Andy Polyakov <appro@...> for the OpenSSL
# project. The module is, however, dual licensed under OpenSSL and
# CRYPTOGAMS licenses depending on where you obtain it. For further
# details see
# ====================================================================

Following the link to read the CRYPTOGAMS license leads to a 3-clause
BSD license with this text added on:

ALTERNATIVELY, provided that this notice is retained in full, this
product may be distributed under the terms of the GNU General Public
License (GPL), in which case the provisions of the GPL apply INSTEAD OF
those given above.
So, for using one of these files, how would I specify this in SPDX?

Perhaps this: "OpenSSL OR GPL-2.0 OR BSD-3-Clause"?

Or do we need to import the CRYPTOGAMS license and then specify:

And then in the case of kernel code, take advantage of the GPLv2
compatibility to write:


Please do let me know what's best.
The way I have treated the CRYPTOGRAMS licensing proper in the
ScanCode toolkit is a set of rules for a choice of (BSD-3-Clause or
GPL-1.0+) or (BSD-3-Clause or GPL-2.0) depending how this formulated
in CRYPTOGRAMS. I am not sure this warrant a new license id. And with
OpenSSL when used in combo with OpenSSL.

Perhaps this: "OpenSSL OR GPL-2.0 OR BSD-3-Clause"?
The way this is typically worded in OpenSSL and CRYPTOGRAMSwould calls
for this expression IMHO:
OpenSSL OR (BSD-3-Clause OR GPL-2.0)

Philippe Ombredanne

+1 650 799 0949 | pombredanne@...
DejaCode - What's in your code?! -
AboutCode - Open source for open source -
nexB Inc. -

Join to automatically receive all group messages.