As part of providing the ability to use an OpenSSL-based SSL engine in Apache Flink, I need to include the netty-tcnative binaries in our flink-shaded-netty-4 artifacts. netty-tcnative itself is Apache 2 licensed, but since both OpenSSL and boringssl (a fork of OpenSSL) are under BSD-style licences (https://github.com/google/boringssl/blob/master/LICENSE, https://www.openssl.org/source/license.html) and not Apache 2 (yet?), I was a bit worried about the implications and which way to go.
The following options are available:
a) using a jar file with native code dynamically linked against system OpenSSL libraries (there the jar contains only Apache 2 code)
b) using a jar file with statically linked binaries
Now both have their individual technical consequences, but which of these two (if any) qualifies from a legal perspective, and what are the implications?