Nmap Development mailing list archives

Re: License of Nmap LUA scripts


From: Fyodor <fyodor () insecure org>
Date: Mon, 31 Jul 2006 14:09:28 -0700

On Mon, Jul 31, 2006 at 09:53:18PM +0200, Dirk Loss wrote:

> I really like the idea of an Nmap scripting engine and hope that
> hundreds of great Nmap LUA scripts will appear shortly.

Me too!

> small separate LUA files potentially written by lots of different
> authors, I fear we could face a very similar situation as Nessus users
> did with Nessus plugins in late 2004:

Great point.  That was a rather unfortunate situation.  We will be
sure to make the plugin licenses clear.  Not everything is decided yet
as NSE isn't even finished or incorporated into mainstream Nmap, and I
haven't had a chance to talk to the actual script contributors to see
what they want.  But my current plan is to treat plugins just like the
rest of Nmap and release them under the same license (
http://insecure.org/nmap/data/COPYING ).  Contribution rules would
also be the same.

> 1) Are there any restrictions concerning the license of a script to be
> legally run from within Nmap?

You can run whatever you want.  The only question is whether such a
script is a derivative work and thus must comply with the Nmap (GPL)
license.  Last I heard, the Nessus team argues that NASL scripts must
be GPL (except for the proprietary ones they write).  My gut feeling
is that selling a copy of Nmap (installer/tarball) which includes
proprietary NSE scripts would be a GPL violation, but selling just a
package of proprietary NSE scripts along with instructions for using
them with the user's existing Nmap installation might be fine.  I'd
rather wait until the system is actually finished and I have a chance
to beg some free software/copyright lawyers for advice before
announcing an official policy.  If someone actually wants to start
selling proprietary NSE scripts, write me and I'll expedite the
process of finding an answer.

> 2) What licenses does Fyodor allow for a script in order to be included
> in the default Nmap distribution? (GNU GPL, clarified/modified GNU GPL
> as in Nmap's COPYING file and [2], BSD license, others?)

Probably the same as for other Nmap contributions, as specified in the
COPYING file:

 * Source code also allows you to port Nmap to new platforms, fix bugs,    *
 * and add new features.  You are highly encouraged to send your changes   *
 * to fyodor () insecure org for possible incorporation into the main         *
 * distribution.  By sending these changes to Fyodor or one the            *
 * Insecure.Org development mailing lists, it is assumed that you are      *
 * offering Fyodor and Insecure.Com LLC the unlimited, non-exclusive right *
 * to reuse, modify, and relicense the code.  Nmap will always be          *
 * available Open Source, but this is important because the inability to   *
 * relicense code has caused devastating problems for other Free Software  *
 * projects (such as KDE and NASM).  We also occasionally relicense the    *
 * code to third parties as discussed above.  If you wish to specify       *
 * special license conditions of your contributions, just say so when you  *
 * send them.                                                              *

Simply licensing the script under a BSD-style license works too.  But
it should have no advertising clause, as we don't want to have to
advertise hundreds of names if and when we have thousands of scripts.

> 3) How should script authors insert a license statement into their work?
> (Script files tend to be short and the GNU GPL is quite long...)

The best (from a legal sense) way may be to simply insert the Nmap
copyright header (as found on the top of all source code files) to the
top of the script.  You can also find that header up top of
http://insecure.org/nmap/data/COPYING .  Admittedly it may still be
longer than the script itself, so I'll try to think of a shorter way.
The header includes the GPL by reference, so it is at least shorter
than including the whole GPL.

Or if you just want to BSD license the script, including a BSD-style
(no advertising clause) copyright statement up top is sufficient.

> 4) Is there any "implicit" license automatically applied to (LUA-)code
> sent as patches to nmap-dev? (Are script authors supposed to have given
> consent to license their work under Nmap's license when sending a patch?)

When people send Nmap patches to nmap-dev I generally assume they are
being offered for Nmap inclusion under the COPYING terms above.  But I
certainly don't want to include a patch that the author doesn't wish
to be in Nmap.  So if you want to send a script to nmap-dev but don't
want it included in Nmap, just say so.  "Please don't include this in
Nmap" will do the trick.

Note that we don't insist on copyright assignment like the FSF and
other organizations do.  So you still retain all rights to use and
relicense your script/patch/code as you wish.  You just give us the
rights to use it too.

I hope this helps!
Fyodor


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev

