Thank you for the update. This brings to mind a few additional questions:
1. Does other code which is copyright/licensed under the Apache 2 license also require CLAs? 2. Does other code which is in the public domain also require CLAs? 3. Does OpenSSL expect that anyone using OpenSSL and bundling it with Apache 2 software must first ask the project for permission? 4. Assuming #1 is yes and #3 is no, can you explain why there is a difference?
