> Since libtomcrypt is public domain, you could incorporate the source
> into the tree without making it a binary dependency.

And then we have to maintain our copy ourselves. I'm not sure why you
think this is better than depending on a system-wide install, because
it's certainly worse.

(we do have private copies of a couple of libraries: zlib, expat,
libffi. The first two are probably for historical reasons (the
system-wide versions are used by default), while the third is because
it's patched)

> I certainly wouldn't mind having 1 dependency on NSS, but having 2
> modules depend on OpenSSL is a step in the wrong direction.

Perhaps you wouldn't mind, but others would (especially packagers;
including ourselves since we build binary packages for Windows and Mac
OS X).

> It took several years until someone like Marc-Andre Lemburg to find
> that the Python website might be violating that license. Perhaps the
> reason is because no one bothers to read licenses carefully. People
> are probably violating the license without knowing it.

The solution to stop violating it is trivial, though: just add the
required mention(s).
Compare that to rewriting a lot of code and making sure it doesn't
change behaviour compared to previous Python versions.

> One is that if you mention something like "base64" in whatever could
> be deemed "advertising", you will be subject to this clause because
> base64 is a feature of OpenSSL, even if you don't use their
> implementation.

Unless "base64" is an OpenSSL trademark, this is FUD.