Dailydave mailing list archives
Re: Nmap/Nessus copyright
From: ADT <synfinatic () gmail com>
Date: Fri, 21 Oct 2005 00:36:54 -0700
Hi Fyodor,

I was going to do a point by point argument but I know you're busy so hopefully you'll have time to answer this thing which I think will clarify things a lot.

In your last email you said:

> The Nmap license is a modified version of the GPL. The modifications and interpretations are stated up top.

Which isn't what the COPYING file says:

"We don't consider these to be added restrictions on top of the GPL, but just a clarification of how we interpret "derived works" as it applies to our GPL-licensed Nmap product."

Part of the reason I have been confused is that the FSF says:

"You can use the GPL terms (possibly modified) in another license provided that you call your license by another name and do not include the GPL preamble, and provided you modify the instructions-for-use at the end enough to make it clearly different in wording and not mention GNU (though the actual procedure you describe may be similar)."

http://www.fsf.org/licensing/licenses/gpl-faq.html#ModifyGPL

Basically it seems that either:

1) Nmap is licensed under the GPLv2 and the additional text in the COPYING file is just filler and not at all binding (assuming the FSF's interpretation is correct) because there can be only one correct legal interpretation of the GPL. Of course it's possible that your interpretation is correct in which case the FSF is wrong, but you both can't be correct.

or:

2) Nmap is NOT licensed under the GPLv2 but rather some kind of modified license in which case you shouldn't be saying it's GPL, including the preamble (unless you made arrangements with the FSF beforehand) or mentioning GNU at the end.

Honestly, I understand your *intent* which I fully respect. I just don't understand what the actual license is.

Thanks,
Aaron

On 10/20/05, Fyodor <fyodor () insecure org> wrote:
> On Thu, Oct 20, 2005 at 03:09:52PM -0700, ADT wrote:
> > least the limited benefit of getting their input. Please consult a real lawyer before acting on what I have to say below.]
>
> Trust me, I have. Plenty of them. Including FSF lawyers. And this Nmap license isn't anything new -- it has been this way for many years.
>
> > interpretation of the GPL. If I were to ship an appliance that contains the Nmap binary and which does a fork() of Nmap and then parses the XML output and does pretty reporting, graphs, etc that would be according to you a derivative work and I would have to either GPL my code or contact you for alternative licensing.
>
> Correct. Buy a proprietary license or just make your "pretty graphs and reporting" software open source.
>
> > The problem is your interpretation of the GPL of what constitutes a derivative work as specified in your COPYING file does not match the FSF's interpretation of the GPL.
>
> That may be so, but the interpretations don't have to match. Their interpretation is to a large degree guided by their own political decisions and best interest. They don't always agree with Linus' interpretation of derivative works for the Linux kernel either (for example, look at proprietary modules). My interpretation isn't binding, nor is it meant to be, on the FSF or any other software but mine. MySQL also has their own interpretations of derivative works which may differ from those of the FSF.
>
> > Personally, I would really love to see you drop your interpretation of the GPL in the COPYING file since it doesn't actually clarify anything
>
> I think it does. It clarifies that the proprietary appliance you mentioned above which they (hypothetically) charge huge amounts of money for and secretly use Nmap under the covers is not OK. Many years ago, companies used to do this and see no problem with it. So the Nmap license clarifies our expectations more precisely.
>
> > (would a shell script which uses sed on the output constitute a derivative work since it execs nmap and then parses and modifies the raw output?)
>
> Don't distribute your proprietary shell script with Nmap and you'll be fine. Or make the shell script open source. If I see a proprietary "Synfinatic security scanner" on the shelf at Fry's, and I buy it to find that it is just Nmap with a little shell script controlling it, you can bet I'll be upset :).
>
> > and arguably isn't legally binding anyways (the license is the license, not your interpretation of it).
>
> The license is at http://www.insecure.org/nmap/data/COPYING , and it clearly states the restrictions and interpretations at the top.
>
> > Of course you're free to modify the GPL as you would like to enforce whatever rules you'd like, just you can't call it the GPL anymore:
>
> The Nmap license is a modified version of the GPL. The modifications and interpretations are stated up top. For example, "As a special exception to the GPL terms, Insecure.Com LLC grants permission to link the code of this program with any version of the OpenSSL library ..." This is all stated in the man page, on the web site, at the top of every source file, etc. And has been for years. It isn't like we're springing new restrictions on anybody.
>
> Licensing is an important issue, but I am very busy today preparing for two East Coast presentations next week, so I probably won't be able to continue this thread further. Don't take that to mean I don't care. If there is actually something cool you want to do with Nmap that you feel the license may prohibit, let me know and we can try to work something out. Lots of open source software uses Nmap successfully (honeyd, nessus 2.X, etc.) I do want Nmap to be useful for open source software and the license is intended to allow that. If a company wants to profit by selling applications that use Nmap under the covers, they can buy a license. If I wanted to enable people to repackage proprietary derivatives of my work, I would have chosen the BSD license rather than a GPL based one.
>
> Cheers,
> Fyodor
-- http://synfin.net/