Consider relicensing under MIT/Apache-2.0

[michaelmera]

TL;DR dual-licensing under MIT or Apache-2.0 is standard in the Rust ecosystem and frees downstream projects from worrying about licensing and copyright issues when including tlspuffin.

Currently, tlspuffin is licensed solely under the MIT license. I suggest setting a dual licensing scheme under MIT or Apache-2.0 and exposing the licensing scheme more clearly in the README file.

Here are some points to consider:

• the MIT license puts some burden on whoever might want to include parts of this project:

1. The MIT license requires for the copyright notice to be included in all "copies and substantial portions" of the software. While I think it's proper to acknowledge upstream projects, I personally consider it detrimental to enforce it. For example, I've seen companies outside of the software world refusing their developers the right to use libraries for this exact reason, as these would run on embedded chips and the company doesn't want to (or can't) disclose internals of the system they are producing.
2. The MIT license was created when the patentability of software was less commonly recognized under US law and there has been some concern that including MIT-licensed software might put you at risk of patent infringement claims in the future. Also these concerns have been mostly cleared up (1) (2) (3) they remain a barrier in the mind of many open source contributors and companies.

• the Apache-2.0 license is another permissive license like the MIT license, just much more explicit. It is generally considered a better choice for this reason. The downside of the Apache-2.0 is that it is not compatible with the GPL licenses. Retaining this compatibility is the reason for keeping the MIT license in the suggested dual scheme.
• dual licensing is part of Rust API Guidelines recommendations and as such is widely adopted in the rust community. Many Rust projects have transitioned to this exact licensing scheme, e.g. (1) (2) (3) (4) ...

As summarized here by the Rust developer Josh Triplett, the dual licensing scheme brings the best of both licenses:

Requiring both MIT and Apache 2.0 as inbound licenses for contributions means that anyone making a contribution is providing the Apache 2.0 patent grant. And then having MIT and Apache 2.0 as outbound licenses people can use Rust under means that Rust provides widespread compatibility with all sorts of other FOSS licenses, including GPLv2.

I'm open to discussion but I think it's not a big constraint to do the change at this stage of the project and it's more friendly toward future contributors. Particularly as we would like external people contributing protocols and PUTs at some point.

I think at this point only @maxammann contributions qualify for creative work, but I would be more comfortable if everyone listed below would take the time to consider this issue and do the checkoff. I will take care of opening a PR with the changes if everyone agree.

Contributor checkoff

To agree to relicensing, comment with:

I license past and future contributions under the dual MIT/Apache-2.0 license, allowing licensees to chose either at their option.

• @maxammann
• @LCBH
• @aeyno
• @michaelmera

[LCBH]

I think we should transition to the dual license too.

I license past and future contributions under the dual MIT/Apache-2.0 license, allowing licensees to chose either at their option.

[LCBH]

Ping @aeyno

[michaelmera]

I license past and future contributions under the dual MIT/Apache-2.0 license, allowing licensees to chose either at their option.

[maxammann]

I license past and future contributions under the dual MIT/Apache-2.0 license, allowing licensees to chose either at their option.

[aeyno]

I license past and future contributions under the dual MIT/Apache-2.0 license, allowing licensees to chose either at their option.

[michaelmera]

Change landed in #299. Thanks everyone!