Licence of hashx and equix
Currently our Cargo.tomls declare an intention to (after consulting tevador - the algorithm's inventor) relicense the hashx and equix crates to MIT/Apache. I don't agree with this plan; but also, I have a qualm with the current licence; and we need to worry whether we can relicense.
Best licence, and governance
IMO these libraries should probably remain LGPL.
In general, IMO Arti as a whole should be LGPL. But also, IMO choice of licence is a political question which (for a project like Arti, funded by a charity) shouldn't be left to individual developers. We don't appear to have any settled policy on licensing. The Tor Project as a whole ought to have one.
Qualm - "or later"
The current licence is "LGPL-3.0-only". This is a hostage to fortune. It doesn't seem likely that the FSF will publish a new version soon, but we can hope for improved governance there in the future, and probably there will need to be an update at some point.
We should leave the door open to future adoption of an LGPLv4.
We could do this by writing "or later, at your option" aka "LGPL-3.0-or-later". In practice this would leave the decision about adopting a new version to the principal developers at that time: after all, if an LGPL-4 is published which we object to, we can change our tree to be LGPL-3.0-only, and then soon enough, as we develop, the LGPL-4 won't be useable with our codebase.
Or we could do it by appointing a licence steward - "proxy" as per LGPL 3.0 section 6, who can decide whether to adopt a future new version. Probably we'd want to appoint "The Tor Project Community Council or its successors" or "The Tor Project, Inc, or its successors".
Ability to relicense
Relicensing involves permission of every copyright holder.
Currently there are two non-TPI contributors. We would need to ask their permission. (One of them made only a 1-line typo fix which is de minimis according to most jurisdictions' copyright law, but best practice is to ask everyone.)
We may also need to ask permission of some TPI contributors, depending on their employment contracts.
So we should probably email everyone from the git log.