Dailydave mailing list archives

Re: Nmap/Nessus copyright


From: ADT <synfinatic () gmail com>
Date: Fri, 21 Oct 2005 00:36:54 -0700

Hi Fyodor,

I was going to do a point by point argument but I know you're busy so
hopefully you'll have time to answer this thing which I think will
clarify things a lot.

In your last email you said:

The Nmap license is a modified version of the GPL.  The modifications
and interpretations are stated up top.

Which isn't what the COPYING file says:

"We don't consider these to be added restrictions on top of the GPL, but
 just a clarification of how we interpret "derived works" as it applies
  to our GPL-licensed Nmap product."

Part of the reason I have been confused is that the FSF says:

"You can use the GPL terms (possibly modified) in another license
provided that you call your license by another name and do not include
the GPL preamble, and provided you modify the instructions-for-use at
the end enough to make it clearly different in wording and not mention
GNU (though the actual procedure you describe may be similar)."

http://www.fsf.org/licensing/licenses/gpl-faq.html#ModifyGPL

Basically it seems that either:

1)  Nmap is licensed under the GPLv2 and the additional text in the
COPYING file is just filler and not at all binding (assuming the FSF's
interpretation is correct) because there can be only one correct legal
interpretation of the GPL.  Of course it's possible that your
interpretation is correct in which case the FSF is wrong, but you both
can't be correct.

or:

2) Nmap is NOT licensed under the GPLv2 but rather some kind of
modified license in which case you shouldn't be saying it's GPL,
including the preamble (unless you made arrangements with the FSF
beforehand) or mentioning GNU at the end.

Honestly, I understand your *intent* which I fully respect.  I just
don't understand what the actual license is.

Thanks,
Aaron

On 10/20/05, Fyodor <fyodor () insecure org> wrote:
On Thu, Oct 20, 2005 at 03:09:52PM -0700, ADT wrote:
least the limited benefit of getting their input. Please consult a real
lawyer before acting on what I have to say below.]

Trust me, I have.  Plenty of them.  Including FSF lawyers.  And this
Nmap license isn't anything new -- it has been this way for many years.

interpretation of the GPL. If I were to ship an appliance that contains the Nmap
binary and which does a fork() of Nmap and then parses the XML output and
does pretty reporting, graphs, etc that would be according to you a
derivative work and I would have to either GPL my code or contact you for
alternative licensing.

Correct.  Buy a proprietary license or just make your "pretty graphs
and reporting" software open source.

The problem is your interpretation of the GPL of what constitutes a
derivative work as specified in your COPYING file does not match the
FSF's interpretation of the GPL.

That may be so, but the interpretations don't have to match.  Their
interpretation is to a large degree guided by their own political
decisions and best interest.  They don't always agree with Linus'
interpretation of derivative works for the Linux kernel either (for
example, look at proprietary modules).  My interpretation isn't
binding, nor is it meant to be, on the FSF or any other software but
mine.  MySQL also has their own interpretations of derivative works
which may differ from those of the FSF.

Personally, I would really love to see you drop your interpretation of the
GPL in the COPYING file since it doesn't actually clarify anything

I think it does.  It clarifies that the proprietary appliance you
mentioned above which they (hypothetically) charge huge amounts of
money for and secretly use Nmap under the covers is not OK.  Many
years ago, companies used to do this and see no problem with it.  So
the Nmap license clarifies our expectations more precisely.

(would a
shell script which uses sed on the output constitute a derivative work since
it execs nmap and then parses and modifies the raw output?)

Don't distribute your proprietary shell script with Nmap and you'll
be fine.  Or make the shell script open source.  If I see a
proprietary "Synfinatic security scanner" on the shelf at Fry's, and I
buy it to find that it is just Nmap with a little shell script
controlling it, you can bet I'll be upset :).

and arguably
isn't legally binding anyways (the license is the license, not your
interpretation of it).

The license is at http://www.insecure.org/nmap/data/COPYING , and it
clearly states the restrictions and interpretations at the top.

Of course you're free to modify the GPL as you would like to enforce
whatever rules you'd like, just you can't call it the GPL anymore:

The Nmap license is a modified version of the GPL.  The modifications
and interpretations are stated up top.  For example, "As a special
exception to the GPL terms, Insecure.Com LLC grants permission to link
the code of this program with any version of the OpenSSL library ..."
This is all stated in the man page, on the web site, at the top of
every source file, etc.  And has been for years.  It isn't like we're
springing new restrictions on anybody.

Licensing is an important issue, but I am very busy today preparing
for two East Coast presentations next week, so I probably won't be
able to continue this thread further.  Don't take that to mean I don't
care.  If there is actually something cool you want to do with Nmap
that you feel the license may prohibit, let me know and we can try to
work something out.  Lots of open source software uses Nmap
successfully (honeyd, nessus 2.X, etc.)  I do want Nmap to be useful
for open source software and the license is intended to allow that.
If a company wants to profit by selling applications that use Nmap
under the covers, they can buy a license.  If I wanted to enable
people to repackage proprietary derivatives of my work, I would have
chosen the BSD license rather than a GPL based one.

Cheers,
Fyodor



--
http://synfin.net/

