Re: Nmap-dev-only release: Nmap 3.10ALPHA1

[Fyodor <fyodor () insecure org>]

On Wed, Aug 28, 2002 at 02:18:11PM -0500, William McVey wrote:
> C) version of nmap die?  It seems odd to me that a project that had
> conniptions on bringing in external libraries (libnet, libxml/libsax)
> due to portability and bloat issues would go down the C++ route...

I admit that XML parser bloat worries me a bit, but I'm certainly not
ruling it out.  I just need to see more compelling benefits.  But
Libnet is excluded for different reasons.  The current Nmap packet
sending routines work fine for me.  And if I decide to go with an
external library, I prefer Dug Song's libdnet for technical reasons.
Plus, Schiffman continues to attack the Nmap project for unknown
reasons :(.  His latest salvo is LibSF, which is heavily based on Nmap
(in violation of the license), but you won't find any mention of Nmap
at http://www.packetfactory.net/projects/libsf/ !  After more than
three months of trying to resolve this privately, I got frustrated and
sent this a few minutes ago (I don't know if it will go through):

Date: Fri, 8 Nov 2002 02:33:49 -0800
User-Agent: Mutt/1.4i
From: Fyodor <fyodor () insecure org>
To: libnet () securityfocus com
Subject: Re: injecting packets locally

On Mon, Oct 28, 2002 at 08:54:11AM -0800, mike schiffman wrote:
>       nmap, under the hood, is an absolute mess.  A disaster even. 

You seem to state this at every possible opportunity.  For example,
you offer even harsher criticism of Nmap source at [1].  Why do you
spend so much time reading Nmap source code when you have never   
contributed a line to it?  It seems that you use this "absolute mess"
under the covers in your own programs.  For example, this summer you
released LibSF at http://www.packetfactory.net/projects/libsf/ .  The
web page doesn't mention Nmap at all.  Yet inside the tarball is 2198
lines of your source code, plus 13,094 lines from my OS fingerprint
database!  And what your code part does is implement 7 active OS
detection methods.  All of these techniques come straight from Nmap --  
down to details as trivial as using 1,061,109,567 as the timestamp
option value in the TCP header.

The GPL license is clearly stated at the top of nmap-os-fingerprints
and including it inside a BSD-licensed library is a violation.  I am 
not trying to be a jerk.  It is just that I have spent several years
of very tedious work building this database and would like my
copyright respected.  I sent you a nice private mail to this effect
more than 3 months ago, but you dismissed me with a one-line reply.
You claimed that you will respect my copyright "in future releases",
but none have been forthcoming.

Please consider this a formal request to remove my Nmap fingerprint
database from LibSF.  After all, Nmap "is an absolute mess.  A
disaster even."  And the code "is awful", "the fallout of poor
planning", and "it's pretty much obscene that [nmap] doesn't use
libnet".  So why would you even want to include this Nmap crap in your
libraries?

Thanks,
Fyodor

[1] http://lists.insecure.org/lists/bugtraq/2002/Apr/0430.html

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).