Dailydave mailing list archives
Re: Nmap/Nessus copyright
From: ADT <synfinatic () gmail com>
Date: Thu, 20 Oct 2005 15:09:52 -0700
Hey Fyodor,

[Note to everyone, I'm no lawyer, but like everyone else it seems I like to pretend I'm one on the internet. I have however talked to various lawyers regarding licensing issues with the GPL and BSD licenses so I do have at least the limited benefit of getting their input. Please consult a real lawyer before acting on what I have to say below.]

The problem is your interpretation of the GPL of what constitutes a derivative work as specified in your COPYING file does not match the FSF's interpretation of the GPL. If I were to ship an appliance that contains the Nmap binary and which does a fork() of Nmap and then parses the XML output and does pretty reporting, graphs, etc that would be according to you a derivative work and I would have to either GPL my code or contact you for alternative licensing.

However, if you read the FSF's FAQ:
http://www.fsf.org/licensing/licenses/gpl-faq.html#MereAggregation

"By contrast, pipes, sockets and command-line arguments are communication mechanisms normally used between two separate programs. So when they are used for communication, the modules normally are separate programs. But if the semantics of the communication are intimate enough, exchanging complex internal data structures, that too could be a basis to consider the two parts as combined into a larger program."

I would argue that the results output of Nmap in text or XML form is not a "complex internal data structure" since it is clearly intended to be parsed by external processes and is thereby a mere aggregation of Nmap and my (theoretical) code and not a derivative work.

Personally, I would really love to see you drop your interpretation of the GPL in the COPYING file since it doesn't actually clarify anything (would a shell script which uses sed on the output constitute a derivative work since it execs nmap and then parses and modifies the raw output?) and arguably isn't legally binding anyways (the license is the license, not your interpretation of it).

Of course you're free to modify the GPL as you would like to enforce whatever rules you'd like, just you can't call it the GPL anymore:
http://www.fsf.org/licensing/licenses/gpl-faq.html#ModifyGPL

My .02
-Aaron

On 10/20/05, Fyodor <fyodor () insecure org> wrote:
> On Thu, Oct 20, 2005 at 08:01:57PM +0100, Dave Korn wrote:
>> Renaud Deraison wrote:
>>> licensing the output is. For instance, in the case of Nmap Fyodor decided that you're not allowed to process the results from a scan launched by your proprietary web GUI (cf nmap-3.XX/COPYING) -- in that way he cleared the ambiguity. We find that kind of restriction to be very extreme (especially if you're talking about "free" software) and decided to not go with it, but at the same time there should be some middle ground between considering the output as public domain or restricting its use drastically.
>>
>> This is nonsensical too. There is no reasonable meaning of the words under which a text file with lines like "Port 21: Open" and "Port 80: Closed" could be considered a "derivative work" based on Nmap. It won't compile, it won't run, and it won't scan a remote host. I can't even begin to imagine how Fyodor could hope to succeed in any such claim.
>
> I succeed by not making any such claims. I don't consider Nmap output files in themselves to constitute a derivative work of Nmap. Also, if someone puts up a proprietary web GUI at, say, scanmyports.com, which uses Nmap and charges people who go to the site to launch scans, that is OK too. It would be nice if they contributed any Nmap fixes/improvements back, but the license doesn't require that.
>
> Now things are different if they distribute Nmap as part of this system on an appliance or whatever, because then they actually are copying Nmap and must abide by the copyright restrictions for doing so [ http://www.insecure.org/nmap/data/COPYING ]. If they don't agree to those terms, nothing else gives them the right to redistribute Nmap.
>
> I hope this helps clear things up.
>
> Cheers,
> -F