Nmap Development mailing list archives
Re: Using Samba code?
From: Ron <ron () skullsecurity net>
Date: Sat, 27 Sep 2008 23:28:44 -0500
Fyodor wrote:
On Tue, Sep 23, 2008 at 07:28:06PM -0500, Ron wrote: Hi Ron. Good question. That can be a tricky situation, and of course I'm not a copyright lawyer. Any code derived from Samba or any other GPL source generally CAN NOT be included within Nmap (even as an NSE script). Sometimes you can persuade authors to grant an exception allowing us to use sections of code under a less restrictive license (such as BSD, MIT, or LUA licenses), which we generally can include into Nmap. For example, the Metasploit Project has a different license than Nmap, so we granted them a license exception so they could ship Nmap within their Windows installer. Also, someday (when I find a good open source lawyer and find time), I might want to change the Nmap license to a different one such as this draft I made years ago: http://nmap.org/npsl/npsl-annotated.html . That Nmap Public Source License, like our current license, is GPL + some extra terms. We could not do that if we included other people's GPLv2 code.
Heh, incompatible licenses are annoying. It's almost like closed source! :)
This rule only applies to scripts included with Nmap. If you write a script and distribute it yourself as GPL, it doesn't really matter to the Nmap Project since you are then responsible for copyright compliance.
Well, worst case, I can do that fairly easily. Maybe this is a separate topic altogether, but have the NSE developers looked at a way to distribute scripts yet, besides including them in an install? Like, having one or more repositories for scripts that can easily be downloaded/updated without updating Nmap itself. The downside to that would be malicious repositories. How do you guarantee that your automatically downloaded updates from non-Nmap repositories are actually safe?
That might actually be OK, since it seems to be purely extracted data rather than an expressive/creative work such as most code. The header says "They were extracted using a loop in smbclient then printing a netmon sniff to a file". So if these status codes have the same names and numbers as given by Microsoft, and are needed for interoperability, we can probably use them if we have to. See the "minimum originality" discussion below. Still, maybe you can look around and see if they are available from another source with a more liberal license? Are these values in the header files distributed with MS Visual Studo?
This is indeed publicly distributed by Microsoft now: http://msdn.microsoft.com/en-us/library/cc704588.aspx So it seems reasonable that this is public domain knowledge, and using the codes isn't specifically tied to Samba. So to verify: I shouldn't worry about this one?
If you are just using this file to determine the API for communicating with a few functions, that doesn't sound unreasonable. Though again, it would be best if you can find the same data from some other source you can reference which has a more liberal license.
Microsoft also has details on their API. Here is one of the functions I use (Connect4()): http://msdn.microsoft.com/en-us/library/cc245746.aspx I used Samba's code to find the interface originally, which is apparently in my comments, but the Microsoft documentation provides the exact same information. So, any clue if I need to change anything? If I did go back and use Microsoft's, the only thing I'd have to change is my comments since the code itself isn't going to change.
So in conclusion, if you want to use 3rd party GPL code in Nmap (including NSE scripts), you need to either: * Persuade the author to license those portions of the code under a license we can use, such as BSD no-attribution. Or for a data like this, they might agree that they don't assert copyright control over the raw data. * Rewrite the code yourself in a way which doesn't violate copyright rules * Find similarly useful code which is already under a more liberal license and use that. * Or have a valid fair use justification, such as you often see for images in Wikipedia. For example, certain pure data files may not be eligible for copyright protection since they are considered a compilation of facts and don't satisfy the "minimum originality" requirement. For an example (alphabetical phone books and food recipes not qualifying for copyright protection), see: http://en.wikipedia.org/wiki/Feist_v._Rural
Coo., good to know. :)
I hope this helps clarify things.
If by "clarify", you mean "make more uncertain", then definitely! :P Just kidding, thanks for the summary!
Cheers, -F
Ron _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
Current thread:
- Using Samba code? Ron (Sep 23)
- Re: Using Samba code? Fyodor (Sep 27)
- Re: Using Samba code? Ron (Sep 27)
- RE: Using Samba code? Aaron Leininger (Sep 27)
- Re: Using Samba code? Fyodor (Sep 27)
- RE: Using Samba code? Aaron Leininger (Sep 28)
- Re: Using Samba code? Ron (Sep 28)
- Re: Using Samba code? Ron (Sep 27)
- Re: Using Samba code? Fyodor (Sep 27)
- Re: Using Samba code? Fyodor (Sep 27)
- Re: Using Samba code? Ron (Sep 27)
- Re: Using Samba code? Arturo 'Buanzo' Busleiman (Sep 28)