Dailydave mailing list archives

Re: Nmap/Nessus copyright


From: ADT <synfinatic () gmail com>
Date: Thu, 20 Oct 2005 15:09:52 -0700

Hey Fyodor,

[Note to everyone, I'm no lawyer, but like everyone else it seems I like to
pretend I'm one on the internet. I have however talked to various lawyers
regarding licensing issues with the GPL and BSD licenses so I do have at
least the limited benefit of getting their input. Please consult a real
lawyer before acting on what I have to say below.]

The problem is your interpretation of the GPL of what constitutes a
derivative work as specified in your COPYING file does not match the FSF's
interpretation of the GPL. If I were to ship an appliance that contains the Nmap
binary and which does a fork() of Nmap and then parses the XML output and
does pretty reporting, graphs, etc that would be according to you a
derivative work and I would have to either GPL my code or contact you for
alternative licensing.

However, if you read the FSF's FAQ:
http://www.fsf.org/licensing/licenses/gpl-faq.html#MereAggregation

"By contrast, pipes, sockets and command-line arguments are communication
mechanisms normally used between two separate programs. So when they are
used for communication, the modules normally are separate programs. But if
the semantics of the communication are intimate enough, exchanging complex
internal data structures, that too could be a basis to consider the two
parts as combined into a larger program."

I would argue that the results output of Nmap in text or XML form is not a
"complex internal data structure" since it is clearly intended to be parsed
by external processes and is thereby a mere aggregation of Nmap and my
(theoretical) code and not a derivative work.

Personally, I would really love to see you drop your interpretation of the
GPL in the COPYING file since it doesn't actually clarify anything (would a
shell script which uses sed on the output constitute a derivative work since
it execs nmap and then parses and modifies the raw output?) and arguably
isn't legally binding anyways (the license is the license, not your
interpretation of it).

Of course you're free to modify the GPL as you would like to enforce
whatever rules you'd like, just you can't call it the GPL anymore:

http://www.fsf.org/licensing/licenses/gpl-faq.html#ModifyGPL

My .02

-Aaron

On 10/20/05, Fyodor <fyodor () insecure org> wrote:

On Thu, Oct 20, 2005 at 08:01:57PM +0100, Dave Korn wrote:
Renaud Deraison wrote:
licensing the output is. For instance, in the case of Nmap Fyodor
decided that you're not allowed to process the results from a scan
launched by your proprietary web GUI (cf nmap-3.XX/COPYING) -- in
that way he cleared the ambiguity. We find that kind of restriction
to be very extreme (especially if you're talking about "free"
software) and decided to not go with it, but at the same time there
should be some middle ground between considering the output as public
domain or restricting its use drastically.

This is nonsensical too. There is no reasonable meaning of the words
under which a text file with lines like "Port 21: Open" and "Port 80:
Closed" could be considered a "derivative work" based on Nmap. It won't
compile, it won't run, and it won't scan a remote host. I can't even
begin to imagine how Fyodor could hope to succeed in any such claim.

I succeed by not making any such claims. I don't consider Nmap output
files in themselves to constitute a derivative work of Nmap. Also, if
someone puts up a proprietary web GUI at, say, scanmyports.com, which
uses Nmap and charges people who go to the site to launch scans, that
is OK too. It would be nice if they contributed any Nmap
fixes/improvements back, but the license doesn't require that. Now
things are different if they distribute Nmap as part of this system on
an appliance or whatever, because then they actually are copying Nmap
and must abide by the copyright restrictions for doing so [
http://www.insecure.org/nmap/data/COPYING ]. If they don't agree to
those terms, nothing else gives them the right to redistribute Nmap.

I hope this helps clear things up.

Cheers,
-F

