Dailydave mailing list archives
Re: Nmap/Nessus copyright
From: Fyodor <fyodor () insecure org>
Date: Thu, 20 Oct 2005 16:29:43 -0700
On Thu, Oct 20, 2005 at 03:09:52PM -0700, ADT wrote:
> least the limited benefit of getting their input. Please consult a real lawyer before acting on what I have to say below.]
Trust me, I have. Plenty of them. Including FSF lawyers. And this Nmap license isn't anything new -- it has been this way for many years.
> interpretation of the GPL. If I were to ship an appliance that contains the Nmap binary and which does a fork() of Nmap and then parses the XML output and does pretty reporting, graphs, etc., that would be according to you a derivative work and I would have to either GPL my code or contact you for alternative licensing.
Correct. Buy a proprietary license or just make your "pretty graphs and reporting" software open source.
> The problem is your interpretation of the GPL of what constitutes a derivative work as specified in your COPYING file does not match the FSF's interpretation of the GPL.
That may be so, but the interpretations don't have to match. Their interpretation is to a large degree guided by their own political decisions and best interest. They don't always agree with Linus' interpretation of derivative works for the Linux kernel either (for example, look at proprietary modules). My interpretation isn't binding, nor is it meant to be, on the FSF or any other software but mine. MySQL also has their own interpretations of derivative works which may differ from those of the FSF.
> Personally, I would really love to see you drop your interpretation of the GPL in the COPYING file since it doesn't actually clarify anything
I think it does. It clarifies that the proprietary appliance you mentioned above which they (hypothetically) charge huge amounts of money for and secretly use Nmap under the covers is not OK. Many years ago, companies used to do this and see no problem with it. So the Nmap license clarifies our expectations more precisely.
> (would a shell script which uses sed on the output constitute a derivative work since it execs nmap and then parses and modifies the raw output?)
Don't distribute your proprietary shell script with Nmap and you'll be fine. Or make the shell script open source. If I see a proprietary "Synfinatic security scanner" on the shelf at Fry's, and I buy it to find that it is just Nmap with a little shell script controlling it, you can bet I'll be upset :).
> and arguably isn't legally binding anyways (the license is the license, not your interpretation of it).
The license is at http://www.insecure.org/nmap/data/COPYING , and it clearly states the restrictions and interpretations at the top.
> Of course you're free to modify the GPL as you would like to enforce whatever rules you'd like, just you can't call it the GPL anymore:
The Nmap license is a modified version of the GPL. The modifications and interpretations are stated up top. For example, "As a special exception to the GPL terms, Insecure.Com LLC grants permission to link the code of this program with any version of the OpenSSL library ..." This is all stated in the man page, on the web site, at the top of every source file, etc. And has been for years. It isn't like we're springing new restrictions on anybody.
Licensing is an important issue, but I am very busy today preparing for two East Coast presentations next week, so I probably won't be able to continue this thread further. Don't take that to mean I don't care. If there is actually something cool you want to do with Nmap that you feel the license may prohibit, let me know and we can try to work something out.
Lots of open source software uses Nmap successfully (honeyd, nessus 2.X, etc.). I do want Nmap to be useful for open source software and the license is intended to allow that. If a company wants to profit by selling applications that use Nmap under the covers, they can buy a license. If I wanted to enable people to repackage proprietary derivatives of my work, I would have chosen the BSD license rather than a GPL based one.
Cheers,
Fyodor