Update based on BoringSSL relicense?

[joshtriplett]

As of 2 weeks ago, upstream BoringSSL did all the legwork to relicense to Apache 2.0, eliminating the OpenSSL license: google/boringssl@33d1049

This in theory would make it much easier for aws-lc to follow suit, which makes it easier for applications to choose a library to use.

(ring seems to be following suit soon, and I'd like to avoid the scenario where people need to choose between ring vs aws-lc based on licensing rather than based on other factors.)

[skmcgrail]

@joshtriplett We are exploring and evaluating what, if any, options we could take to potentially relicense the project. At this time though we don't have a specific date or timeline we can share on when such a determination will be made.

[briansmith]

Just stumbled across this.

(ring seems to be following suit soon, and I'd like to avoid the scenario where people need to choose between ring vs aws-lc based on licensing rather than based on other factors.)

FWIW, I agree with this. This is one of the reasons I put a lot of effort into resetting expectations about ring

[stewartsmith]

This licensing difference between OpenSSL 3 and AWS-LC is (yet another) concern about using it as the core cryptographic library in a Linux distribution (such as Amazon Linux)

The first barrier is #1098 of course, but this re-license is also a concern.

[joshtriplett]

@joshtriplett We are exploring and evaluating what, if any, options we could take to potentially relicense the project. At this time though we don't have a specific date or timeline we can share on when such a determination will be made.

Have there been any further discussions on this?

[andrewhop]

Hi, sorry for the slow response, we are still evaluating options (internal tracking P151534254 and CryptoAlg-2774).

[joshtriplett]

@andrewhop Any updates on those options?

[ofek]

We would very much be interested in this as well. Have there been any updates?

[joshtriplett]

Checking back in on this. Any luck working through this internally?