"If you have software which uses OpenSSL, and to promote it you send out a tweet, then the license requires you to include the above two lines in the tweet. "

No. If you have software that uses OpenSSL, and to promote it you send out a tweet that says "Use our product instead of our competitors'. We use SSL to make things secure", then you must include the above two lines.

For the clause to apply: 1. It has to be an advertisement. 2. It has to advertise the features that use OpenSSL.

hyc_symas gave essentially the same correction in a parallel post, a few minutes before you.

I pointed out that the edge cases are fuzzier than I would like. If my product is called "SecureTalk", and uses OpenSSL for secure connections, then it sounds like almost any mention of the name which might be advertising needs to include that line.

As in, "Secure Systems, the developers of the NSA-proof SecureTalk, are hiring."

Isn't that "mentioning features" of OpenSSL? If so, it needs that line. If not, why not? What does it mean to mention a feature? Can I get away with

"Secure Systems, the developers of SecureTalk, are hiring."

After all, the only reason it's secure is because it uses OpenSSL.


In this case we can consider this requirement to be a public service. Suggesting that someone believes that an app is secure because it uses OpenSSL is a somewhat common form of mockery in crypto circles. If you just announce that you are clueless about security then no one needs to bother looking at your website on the off chance that you aren't.


I didn't say it was secure "because it uses OpenSSL". I said the much more limited "and it uses OpenSSL for secure connections."

Copyright is sticky. The hypothetical "SecureTalk" program might only use 500 lines of OpenSSL, where those 500 lines were security-audited by crypto experts, static code checkers, and formal program analysis, and run in a chroot'ed jail.

A clueful re-use of OpenSSL for secure connections still needs that advertising clause, even if the software really is more secure than anything else out there. In that case, the required advertisement is a false clue to experts, no?


I would say if you make the claim that the security is from more than just the use of OpenSSL then there would be no need to put in the OpenSSL notice when just talking generically about security. You might still need to if you specifically mention encrypted connections, say, if you are using OpenSSL to encrypt connections. The advertising clause can still be annoying, but I don't think it is quite as bad as you are making it out to be. At least when there are only one or two projects you are using that require them... I think the main reason they are less popular now is that it gets really awkward when you need pages and pages of advertisement clauses.

I also doubt that anything that uses OpenSSL as the primary crypto could possibly be "more secure than anything else out there". This isn't so much a slam of OpenSSL, which may overall be doing a better job of implementing TLS than anything else available right now (at least open source), but of TLS in general, which is complex and not designed with current best practices. Using TLS is often an easy way to make things a lot more secure than they are without much effort, and as such is often a good choice, but it is unlikely to result in the most secure thing possible. OTR is a well known alternative in chat that has a number of advantages (and some disadvantages too). Various others are under construction. Importantly, there are significant tradeoffs involved and it is often not a simple matter of X is more secure than Y.


Neither you nor I have the legal experience to really determine if there is no need. What constitutes an "advertisement"? If I am a security consultant and I develop a no-cost open source tool using OpenSSL, and I do it deliberately as a way to get my name out into the field and find clients, then is that advertising?

What constitutes "mentioning features of this software"? If I use another package for SSL and advertise that my software has SSL support, but have OpenSSL in my code for other reasons (let's say, the SHA-1 digest code), then do I need to mention OpenSSL? After all, SSL is a supposed feature of OpenSSL.

No, it's not as bad as I make it out to be, but that's in large part because we are generally lazy when it comes to the particulars of licenses. Just look at the number of GPLv2 software distributions which don't follow the letter of the license. (Section 3 assumes physical distribution, not network. GPLv3 clarified this problem.)

It's also because license holders are lazy. Enforcing the GPL takes a lot of time and effort. Many violations occur because few actively enforce the license.

If your expectations are based on what people do in a lazy world, then you are perhaps a realist (or a cynic), but it still violates the license.

The "pages and pages of advertisement clauses" affects only those who actually follow the license. These might be nitpickers like me, or organizations with lots of money who are easy pickings and worried about liability.

These also happen to be the people who are likely to give acknowledgements, especially when the license so requires it (as the GPL does).
