Re: Revisiting the Nmap Public Source License

[Henri Doreau <henri.doreau () gmail com>]

2013/3/27 Fyodor <fyodor () nmap org>:
> Hi Folks.  Long time members of this list may recall my proposal in 2006 to
> better formalize Nmap's open source license.  Right now the license is
> basically a mishmash of GPLv2 with several paragraphs of clarifications and
> exceptions.  It is confusing to people, and it is also missing some
> important provisions of newer open source licenses.  So back in 2006, I
> created an "Nmap Public Source License" which is still based on GPLv2, but
> also contains key provisions from other open source licenses.  I posted the
> request for comments to this list here:
>
> http://seclists.org/nmap-dev/2006/q4/126
>
> The annotated version of the license is here:
>
> http://nmap.org/nmap/npsl/npsl-annotated.html
>
> The new license is very similar to the current one[1] in function, but I
> think it has better structure.  Nobody really complained about the new
> license, so I decided to get some more legal review and then make the
> change.  Then I, uh, sort of dropped the ball for 7 years.  I get very
> excited about Nmap's technical direction, but legal stuff like this (while
> incredibly important) isn't my passion.  And it is too easy to just say
> "I'll do it next month" and then pretty soon "I should research the new
> Mozilla Public License 2 and GPLv3 first" before taking any action and
> then, before you know it, 7 years have passed :).
>
> So the Nmap Public Source License may not be perfect, but I think it is
> better than the current mish-mash.  My suggestion is that we switch to that
> for now.  We can touch it up later if needed, but I don't want to delay
> this for any more years.  I did make one change today, related to
> installers which download Nmap over the Internet at runtime.  I hope that
> will help prevent fiascos such as Download.com distributing trojan Nmap
> installers[2].
>
> The license change would only apply to future versions of Nmap, not 6.25
> and earlier.  And since I know licenses can be a touchy subject, I'll wait
> a couple weeks to collect feedback before making any change.
>
> Cheers,
> Fyodor
>
> [1] https://svn.nmap.org/nmap/COPYING
> [2] http://insecure.org/news/download-com-fiasco.html

Hello,

like many developers I feel very unfamiliar with these touchy licensing
issues, though I understand that they're fundamental. Therefore, I
believe I shouldn't be shy about this couple questions I have.

Could you elaborate on the advantages of having a project-specific
license? Are you sure that following our own path (i.e. not using plain
GPLv2+ terms for instance) won't constitute a weakness? Does nmap have
specificities that make NSPL more suitable for it than plain GPL?

To my understanding, having a project-specific license might have the
following drawbacks:

- Harder for free software authors to know whether they're safe
  interfacing with nmap and/or contributing code.
- Harder for lawyers to know how a court would interpret the terms (GPL
  has already been defended successfully in a number of cases). For the
  same reasons, it might be harder for nmap to get assistance and
  advises in case of trouble.

Regards

--
Henri
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/