Re: What Wireshark base version to use for customization

[Graham Bloice <graham.bloice () trihedral com>]

On 10 December 2014 at 20:13, John Dill <John.Dill () greenfieldeng com> wrote:

> > Message: 3
> > Date: Wed, 10 Dec 2014 19:02:05 +0000
> > From: Graham Bloice <graham.bloice () trihedral com>
> > To: Developer support list for Wireshark <wireshark-dev () wireshark org>
> > Subject: Re: [Wireshark-dev] What Wireshark base version to use for
> >       customization
> > Message-ID:
> >       <
> CALcKHKq5p0Mq_o+hbR3SdcX55522roiwUBb5ea5RFi+ysLN2Dg () mail gmail com>
> > Content-Type: text/plain; charset="utf-8"
> >
> > On 10 December 2014 at 18:53, John Dill <John.Dill () greenfieldeng com>
> wrote:
> > > > Message: 3
> > > > Date: Wed, 10 Dec 2014 11:08:25 -0700
> > > > From: Stephen Fisher <sfisher () SDF ORG>
> > > > To: Developer support list for Wireshark <wireshark-dev () wireshark org>
> > > > Subject: Re: [Wireshark-dev] What Wireshark base version to use for
> > > >       customization
> > > > Message-ID: <20141210180825.GA29277 () SDF ORG>
> > > > Content-Type: text/plain; charset=us-ascii
> > > >
> > > > On Wed, Dec 10, 2014 at 12:51:23PM -0500, John Dill wrote:
> > > >
> > > > > So what restrictions are there when you have a Wireshark plugin that
> > > > > contains proprietary information (which can be of the do not export
> > > > > variety) from the govt or customer and they do *not* want that
> > > > > information released to the public, since Wireshark can be used as a
> > > > > tool to visualize and analyze these private kinds of protocols?  If
> > > > > some of that implementation leaks into the Wireshark application
> (like
> > > > > hiding all of the unnecessary protocol cruft to make it simpler for
> > > > > user to use), what are the implications?
> > > >
> > > > Is the proprietary information short, such as encryption keys?  A
> > > > preference can be used for things like that and then only if the
> > > > user's preferences file is shared will it get out.  If that's a
> > > > high-risk, you could even have the dissector/plug-in do something
> > > > non-stndard like reading a file for the information (but we probably
> > > > wouldn't want that kind of dissector in the base source).
> > >
> > > The entire packet stream generated is a proprietary system on top of
> > > TCP and UDP that consists of avionics data, all of which is considered
> > > proprietary.  There are several hundred different packet messages that
> > > contain one to several hundred data elements.
> > >
> > > I was curious how the license Wireshark uses applies to this scenario,
> > > since I've created a DLL to process data that is also distributed to a
> > > govt entity, but I'm using an open source project with a GPL license
> > > to translate this data, but the source code that translates the content
> > > they want to keep private.
> > >
> > > Regardless, there's no way I would be allowed to submit this plugin to
> > > the public Wireshark repository (not without serious legal/employment
> > > consequences), so maybe its a moot point to discuss.
> > >
> > > Best regards,
> > > John D.
> > IMHO you're contravening the licence.  When distributing you must abide by
> > the licence that permits you to distribute and which requires you to make
> > the source code available.
>
> Does the license only apply to those to whom the binary has been
> distributed
> to?  If the plugin is never publicly released, does the license imply that
> only the receivers of the plugin are required to be sent the source code?
> If the plugin is never seen by the public eye, does that imply that the
> source code may stay private as well?
>
> I've never been in a situation like this, so I don't quite understand the
> intent of Wireshark's license for this kind of scenario.
>
> Best regards,
> John D.
What covers "distribution" requiring release of source code is discussed in
the GPL FAQ (link here:
http://www.gnu.org/licenses/gpl-faq.html#GPLRequireSourcePostedPublic):

======
Q: Does the GPL require that source code of modified versions be posted to
the public?

A: The GPL does not require you to release your modified version, or any
part of it. You are free to make modifications and use them privately,
without ever releasing them. This applies to organizations (including
companies), too; an organization can make a modified version and use it
internally without ever releasing it outside the organization.

But if you release the modified version to the public in some way, the GPL
requires you to make the modified source code available to the program's
users, under the GPL.

Thus, the GPL gives permission to release the modified program in certain
ways, and not in other ways; but the decision of whether to release it is
up to you.
======

I believe it's generally accepted that distribution to another company is a
public release.

My opinion, FWIW, is that you don't need to "send" the source code only
make it available on request.  However, depending on how you make the
source code available to those you distribute the binaries to affects who
may request the source code.  The GPL FAQ states (link here:
http://www.gnu.org/licenses/gpl-faq.html#WhatDoesWrittenOfferValid):

======
Q: What does “written offer valid for any third party” mean in GPLv2? Does
that mean everyone in the world can get the source to any GPL'ed program no
matter what?

A: If you choose to provide source through a written offer, then anybody
who requests the source from you is entitled to receive it.

If you commercially distribute binaries not accompanied with source code,
the GPL says you must provide a written offer to distribute the source code
later. When users non-commercially redistribute the binaries they received
from you, they must pass along a copy of this written offer. This means
that people who did not get the binaries directly from you can still
receive copies of the source code, along with the written offer.

The reason we require the offer to be valid for any third party is so that
people who receive the binaries indirectly in that way can order the source
code from you.
======

Note that the GPL places other requirements on the distributor, e.g. no
downstream restrictions.  If you are not familiar with the GPL (or even if
you are) you should consult the appropriate legal advisors for your
jurisdiction *before* distributing a work covered by the GPL.

The intent of the Wireshark licence is that of the GPL, that is it is Free
Software, see the definition from the FSF:
https://www.gnu.org/philosophy/free-sw.html


-- 
Graham Bloice

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe