Dailydave mailing list archives

Re: Nmap/Nessus copyright


From: Fyodor <fyodor () insecure org>
Date: Thu, 20 Oct 2005 16:29:43 -0700

On Thu, Oct 20, 2005 at 03:09:52PM -0700, ADT wrote:
> least the limited benefit of getting their input. Please consult a real
> lawyer before acting on what I have to say below.]

Trust me, I have.  Plenty of them.  Including FSF lawyers.  And this
Nmap license isn't anything new -- it has been this way for many years.

> interpretation of the GPL. If I were to ship an appliance that contains the Nmap
> binary and which does a fork() of Nmap and then parses the XML output and
> does pretty reporting, graphs, etc. that would be according to you a
> derivative work and I would have to either GPL my code or contact you for
> alternative licensing.

Correct.  Buy a proprietary license or just make your "pretty graphs
and reporting" software open source.

> The problem is your interpretation of the GPL of what constitutes a
> derivative work as specified in your COPYING file does not match the
> FSF's interpretation of the GPL.

That may be so, but the interpretations don't have to match.  Their
interpretation is to a large degree guided by their own political
decisions and best interest.  They don't always agree with Linus'
interpretation of derivative works for the Linux kernel either (for
example, look at proprietary modules).  My interpretation isn't
binding, nor is it meant to be, on the FSF or any other software but
mine.  MySQL also has their own interpretations of derivative works
which may differ from those of the FSF.

> Personally, I would really love to see you drop your interpretation of the
> GPL in the COPYING file since it doesn't actually clarify anything

I think it does.  It clarifies that the proprietary appliance you
mentioned above which they (hypothetically) charge huge amounts of
money for and secretly use Nmap under the covers is not OK.  Many
years ago, companies used to do this and see no problem with it.  So
the Nmap license clarifies our expectations more precisely.

> (would a
> shell script which uses sed on the output constitute a derivative work since
> it execs nmap and then parses and modifies the raw output?)

Don't distribute your proprietary shell script with Nmap and you'll
be fine.  Or make the shell script open source.  If I see a
proprietary "Synfinatic security scanner" on the shelf at Fry's, and I
buy it to find that it is just Nmap with a little shell script
controlling it, you can bet I'll be upset :).

> and arguably
> isn't legally binding anyways (the license is the license, not your
> interpretation of it).

The license is at http://www.insecure.org/nmap/data/COPYING, and it
clearly states the restrictions and interpretations at the top.

> Of course you're free to modify the GPL as you would like to enforce
> whatever rules you'd like, just you can't call it the GPL anymore:

The Nmap license is a modified version of the GPL.  The modifications
and interpretations are stated up top.  For example, "As a special
exception to the GPL terms, Insecure.Com LLC grants permission to link
the code of this program with any version of the OpenSSL library ..."
This is all stated in the man page, on the web site, at the top of
every source file, etc.  And has been for years.  It isn't like we're
springing new restrictions on anybody.

Licensing is an important issue, but I am very busy today preparing
for two East Coast presentations next week, so I probably won't be
able to continue this thread further.  Don't take that to mean I don't
care.  If there is actually something cool you want to do with Nmap
that you feel the license may prohibit, let me know and we can try to
work something out.  Lots of open source software uses Nmap
successfully (honeyd, nessus 2.X, etc.)  I do want Nmap to be useful
for open source software and the license is intended to allow that.
If a company wants to profit by selling applications that use Nmap
under the covers, they can buy a license.  If I wanted to enable
people to repackage proprietary derivatives of my work, I would have
chosen the BSD license rather than a GPL based one.

Cheers,
Fyodor
