Hi Carina, Peter,

I'd like to point out that the Apache 2.0 License is a very standard open source license whose features are extensively documented online. (Same for the GPL 2.0 and later versions.) Just because Mbed TLS uses those licenses doesn't make our development team experts on those licenses.

Except perhaps for the bit about dual-licensing (Apache 2.0 OR GPLv2-or-later at the user's option) which Janos has clarified, I don't think there's anything unusual about the way we use these licenses.

I would suggest consulting existing sources about common open-source licenses in general and Apache 2.0 in particular if you want a general overview or its features and requirements, and how to use Apache 2.0 software in compliance with the licence. If you wanted to go further that what can be found online, I think the right people to consult would be IP lawyers, not a bunch of engineers.

Thank you for your interest in Mbed TLS and your care in making sure you comply with the license!

Regards,
Manuel.


From: Carina Tsai via mbed-tls <mbed-tls@lists.trustedfirmware.org>
Sent: 17 October 2025 13:57
To: Peter <peter@peter2000.co.uk>; Janos Follath <Janos.Follath@arm.com>
Cc: mbed-tls@lists.trustedfirmware.org <mbed-tls@lists.trustedfirmware.org>; shaun.longhorn@linaro.org <shaun.longhorn@linaro.org>; Ken Chen <Ken.Chen@netgear.com>; MH Cheng <mh.cheng@netgear.com>
Subject: [mbed-tls] Re: TrustedFirmware.org - Check for MbedTLS License/Royality fee for commercial usage
 
+ Ken / MH

Please allow me to add our SW team in the loop to ensure we adhere to the license terms and requirements correctly.

Thank you Peter, and Janos for the details and guidance.

Carina

-----Original Message-----
From: Peter <peter@peter2000.co.uk>
Sent: Friday, October 17, 2025 7:30 PM
To: Janos Follath <Janos.Follath@arm.com>
Cc: Carina Tsai <Carina.Tsai@netgear.com>; mbed-tls@lists.trustedfirmware.org; shaun.longhorn@linaro.org
Subject: Re: [mbed-tls] Re: TrustedFirmware.org - Check for MbedTLS License/Royality fee for commercial usage



External Email. Be cautious clicking attachments and links. Report suspicious to reportphishing@netgear.com<mailto:reportphishing@netgear.com>.

Hello Janos,

Thank you.

What does a *user* of the library need to do, beyond preserving the copyright notices?

The other angle is that MbedTLS is distributed with Cube IDE by STM, and they must have done their licensing deal. The whole of Cube IDE is free to use for any commercial purpose, AFAICT.

But if you create a product, how are you going to preserve copyright notices? Not in the binary code :) Perhaps you have to set up a website and post the open source code there. I recall seeing some Linksys product, years ago, which was like that. The source code posted was just a useless fragment, with a load of copyright notices.

Regards,

Peter

>Hi Peter,
>
>The section you quote is about contributing. Contributors have to agree
>that their code can be used under both the Apache-2.0 and
>GPL-2.0-or-later licenses. This is necessary for the library to be
>distributed under dual Apache-2.0 OR GPL-2.0-or-later licenses:
>https://urldefense.com/v3/__https://github.com/Mbed-TLS/mbedtls/blob/de
>velopment/LICENSE__;!!JNtdCRAd!3MXub7er1tWIbRb7ChOnIByZhgRqHIZ5tVqOSZR-
>WBw-Sj4Xv1FpS82uwP32GDXkYpZWoyAmzzm2FiFmljJ29A$
>
>As a user of the library, you can take the licence that fits your purposes better and use that and ignore the other. For example, you can pick Apache-2.0 and use it like any other Apache-2.0 software.
>
>Regards,
>Janos
>
>
>
>From: Peter <peter@peter2000.co.uk>
>Date: Friday, 17 October 2025 at 11:45
>To: Janos Follath <Janos.Follath@arm.com>
>Cc: Carina Tsai <Carina.Tsai@netgear.com>,
>mbed-tls@lists.trustedfirmware.org
><mbed-tls@lists.trustedfirmware.org>, shaun.longhorn@linaro.org
><shaun.longhorn@linaro.org>
>Subject: Re: [mbed-tls] Re: TrustedFirmware.org - Check for MbedTLS
>License/Royality fee for commercial usage
>
>I looked up the licensing terms and on the face of it it basically says
>that you must preserve copyright notices and such like
>
>>Apache-2.0 License: A permissive open-source license that requires preserving copyright and license notices. It grants an express patent license from contributors and allows for distribution under different terms, with or without source code.
>>GPL-2.0-or-later License: A strong copyleft license that requires derivative works to also be licensed under the GPL.
>>Contribution requirements
>>Contributors must agree that their code can be used under both the Apache-2.0 and GPL-2.0-or-later licenses.
>>This is done by including a "Signed-off-by" line in the commit message, as per the Developer Certificate of Origin.
>
>However, it is not clear how much of the source code of the rest of
>your product you need to make open source.
>
>I would expect the requirement to extend to code like e.g. interface to
>LWIP (which itself is also open source) but does it extend beyond that?
>
>Regards,
>
>Peter
>
>>Hi Carina,
>>
>>I can confirm that there are no costs to using Mbed TLS in your product as long as you are adhering to the licensing terms.
>>
>>Best regards,
>>Janos
>>(Mbed TLS developer)
>>
>>
>>From: Carina Tsai via mbed-tls <mbed-tls@lists.trustedfirmware.org>
>>Date: Friday, 17 October 2025 at 09:31
>>To: mbed-tls@lists.trustedfirmware.org
>><mbed-tls@lists.trustedfirmware.org>, shaun.longhorn@linaro.org
>><shaun.longhorn@linaro.org>
>>Cc: Ken Chen <Ken.Chen@netgear.com>, MH Cheng <mh.cheng@netgear.com>
>>Subject: [mbed-tls] Re: TrustedFirmware.org - Check for MbedTLS
>>License/Royality fee for commercial usage
>>
>>To whom it may concern,
>>
>>Our engineering team is using the Mbed TLS library in our wifi range extenders sold on markets and adhere to the licensing terms outlined in the sourcecode and docs. Thanks to Shaun's guideline, it would be no royalty if we adhere to the licensing terms. Is there any other cost required for us to use the Mbed TLS library in our wifi range extenders, adhering to the licensing terms outlined in the sourcecode and docs?
>>
>>Thank you
>>
>>Carina
>>From: Shaun Longhorn
>><shaun.longhorn@linaro.org<mailto:shaun.longhorn@linaro.org>>
>>Sent: Tuesday, September 30, 2025 7:08 PM
>>To: Ken Chen <Ken.Chen@netgear.com<mailto:Ken.Chen@netgear.com>>
>>Cc:
>>enquiries@trustedfirmware.org<mailto:enquiries@trustedfirmware.org>
>>Subject: Re: TrustedFirmware.org - Check for MbedTLS License/Royality
>>fee for commercial usage
>>
>>
>>
>>External Email. Be cautious clicking attachments and links. Report suspicious to reportphishing@netgear.com<mailto:reportphishing@netgear.com>.
>>Hi Ken,
>>
>>I'm the Community Manager at Trusted Firmware. I can't advise you directly on your licensing situation but I can point you towards the documentation.
>>
>>Mbed TLS is an open source community project and no royalty is required. You must adhere to the licensing terms outlined in the sourcecode and docs:
>>https://urldefense.com/v3/__https://github.com/Mbed-TLS/mbedtls?tab=re
>>adme-ov-file*license__;Iw!!JNtdCRAd!3MXub7er1tWIbRb7ChOnIByZhgRqHIZ5tV
>>qOSZR-WBw-Sj4Xv1FpS82uwP32GDXkYpZWoyAmzzm2FiHKChFs4g$
>><https://urldefense.com/v3/__https:/github.com/Mbed-TLS/mbedtls?tab=re
>>adme-ov-file*license__;Iw!!JNtdCRAd!yS-xkrvchRDdKLP5y9mF7G0dloSjUklh47
>>wmI1jSTqSAY66GLaf-u4I2Kck5lYUj9JqV8Q3DeiJfrovLYgjlUMvm$>
>>https://urldefense.com/v3/__https://mbed-tls.readthedocs.io/en/latest/
>>kb/licensing/__;!!JNtdCRAd!3MXub7er1tWIbRb7ChOnIByZhgRqHIZ5tVqOSZR-WBw
>>-Sj4Xv1FpS82uwP32GDXkYpZWoyAmzzm2FiFce8JxgQ$
>><https://urldefense.com/v3/__https:/mbed-tls.readthedocs.io/en/latest/
>>kb/licensing/__;!!JNtdCRAd!yS-xkrvchRDdKLP5y9mF7G0dloSjUklh47wmI1jSTqS
>>AY66GLaf-u4I2Kck5lYUj9JqV8Q3DeiJfrovLYp5VHhyJ$>
>>
>>You can also reach out to the Mbed-TLS community on the following
>>public mailing list.
>>https://urldefense.com/v3/__https://lists.trustedfirmware.org/mailman3
>>/lists/mbed-tls.lists.trustedfirmware.org/__;!!JNtdCRAd!3MXub7er1tWIbR
>>b7ChOnIByZhgRqHIZ5tVqOSZR-WBw-Sj4Xv1FpS82uwP32GDXkYpZWoyAmzzm2FiFL1Ji9
>>iQ$
>><https://urldefense.com/v3/__https:/lists.trustedfirmware.org/mailman3
>>/lists/mbed-tls.lists.trustedfirmware.org/__;!!JNtdCRAd!yS-xkrvchRDdKL
>>P5y9mF7G0dloSjUklh47wmI1jSTqSAY66GLaf-u4I2Kck5lYUj9JqV8Q3DeiJfrovLYj5o
>>Ps_K$>
>>
>>I should highlight our optional memberships for Trusted Firmware detailed on this page. https://urldefense.com/v3/__https://www.trustedfirmware.org/join/__;!!JNtdCRAd!3MXub7er1tWIbRb7ChOnIByZhgRqHIZ5tVqOSZR-WBw-Sj4Xv1FpS82uwP32GDXkYpZWoyAmzzm2FiERki85Vg$ <https://urldefense.com/v3/__https:/www.trustedfirmware.org/join/__;!!JNtdCRAd!yS-xkrvchRDdKLP5y9mF7G0dloSjUklh47wmI1jSTqSAY66GLaf-u4I2Kck5lYUj9JqV8Q3DeiJfrovLYlU0_mx6$> membership has a number of benefits detailed in the slides. It could be beneficial in terms of lab testing and project visibility. If you have an interest we can arrange a call with the Co-Chairs and discuss benefits in more detail.
>>
>>Thanks,
>>Shaun
>>Community Manager
>>
>>
>>On Tue, 30 Sept 2025 at 09:20, 'Ken Chen' via TFenquiries <enquiries@trustedfirmware.org<mailto:enquiries@trustedfirmware.org>> wrote:
>>Dear Sir/Madam,
>>
>>I am reaching out to inquire about the licensing terms and any potential royalty fees associated with using the Mbed TLS library in our commercial products.
>>I was unable to find a specific contact point for this type of query.
>>Could you kindly forward this message to the appropriate person or team for further discussion?
>>Thank you for your assistance.
>>
>>Best regards
>>Ken
>>
>>This e-mail, including attachments, may include confidential and/or proprietary information, and may be used only by the person or entity to which it is addressed. If the reader of this e-mail is not the intended recipient or his or her authorized agent, the reader is hereby notified that any dissemination, distribution or copying of this e-mail is prohibited. If you have received this e-mail in error, please notify the sender by replying to this message and delete this e-mail immediately.
>>This e-mail, including attachments, may include confidential and/or proprietary information, and may be used only by the person or entity to which it is addressed. If the reader of this e-mail is not the intended recipient or his or her authorized agent, the reader is hereby notified that any dissemination, distribution or copying of this e-mail is prohibited. If you have received this e-mail in error, please notify the sender by replying to this message and delete this e-mail immediately.
This e-mail, including attachments, may include confidential and/or proprietary information, and may be used only by the person or entity to which it is addressed. If the reader of this e-mail is not the intended recipient or his or her authorized agent, the reader is hereby notified that any dissemination, distribution or copying of this e-mail is prohibited. If you have received this e-mail in error, please notify the sender by replying to this message and delete this e-mail immediately.
--
mbed-tls mailing list -- mbed-tls@lists.trustedfirmware.org
To unsubscribe send an email to mbed-tls-leave@lists.trustedfirmware.org