Nmap Development mailing list archives
Re: License of Nmap LUA scripts
From: Fyodor <fyodor () insecure org>
Date: Mon, 31 Jul 2006 14:09:28 -0700
On Mon, Jul 31, 2006 at 09:53:18PM +0200, Dirk Loss wrote:
I really like the idea of an Nmap scripting engine and hope that hundreds of great Nmap LUA scripts will appear shortly.
Me too!
small separate LUA files potentially written by lots of different authors, I fear we could face a very similar situation as Nessus users did with Nessus plugins in late 2004:
Great point. That was a rather unfortunate situation. We will be sure to make the plugin licenses clear. Not everything is decided yet as NSE isn't even finished or incorporated into mainstream Nmap, and I haven't had a chance to talk to the actual script contributors to see what they want. But my current plan is to treat plugins just like the rest of Nmap and release them under the same license ( http://insecure.org/nmap/data/COPYING ). Contribution rules would also be the same.
1) Are there any restrictions concerning the license of a script to be legally run from within Nmap?
You can run whatever you want. The only question is whether such a script is a derivative work and thus must comply with the Nmap (GPL) license. Last I heard, the Nessus team argues that NASL scripts must be GPL (except for the proprietary ones they write). My gut feeling is that selling a copy of Nmap (installer/tarball) which includes proprietary NSE scripts would be a GPL violation, but selling just a package of proprietary NSE scripts along with instructions for using them with the user's existing Nmap installation might be fine. I'd rather wait until the system is actually finished and I have a chance to beg some free software/copyright lawyers for advice before announcing an official policy. If someone actually wants to start selling proprietary NSE scripts, write me and I'll expedite the process of finding an answer.
2) What licenses does Fyodor allow for a script in order to be included in the default Nmap distribution? (GNU GPL, clarified/modified GNU GPL as in Nmap's COPYING file and [2], BSD license, others?)
Probably the same as for other Nmap contributions, as specified in the COPYING file: * Source code also allows you to port Nmap to new platforms, fix bugs, * * and add new features. You are highly encouraged to send your changes * * to fyodor () insecure org for possible incorporation into the main * * distribution. By sending these changes to Fyodor or one the * * Insecure.Org development mailing lists, it is assumed that you are * * offering Fyodor and Insecure.Com LLC the unlimited, non-exclusive right * * to reuse, modify, and relicense the code. Nmap will always be * * available Open Source, but this is important because the inability to * * relicense code has caused devastating problems for other Free Software * * projects (such as KDE and NASM). We also occasionally relicense the * * code to third parties as discussed above. If you wish to specify * * special license conditions of your contributions, just say so when you * * send them. * Simply licensing the script under a BSD-style license works too. But it should have no advertising clause, as we don't want to have to advertise hundreds of names if and when we have thousands of scripts.
3) How should script authors insert a license statement into their work? (Script files tend to be short and the GNU GPL is quite long...)
The best (From a legal sense) way may be to simply insert the Nmap copyright header (as fond on the top of all source code files) to the top of the script. You can also find that header up top of http://insecure.org/nmap/data/COPYING . Admittedly it may still be longer than the script itself, so I'll try to think of a shorter way. The header includes the GPL by reference, so it is at least shorter than including the whole GPL. Or if you just want to BSD license the script, including a BSD-style (no advertising clause) copyright statement up top is sufficient.
4) Is there any "implicit" license automatically applied to (LUA-)code sent as patches to nmap-dev? (Are script authors supposed to have given consent to license their work under Nmap's license when sending a patch?)
When people send Nmap patches to nmap-dev I generally assume they are being offered for Nmap inclusion under the COPYING terms above. But I certainly don't want to include a patch that the author doesn't wish to be in Nmap. So if you want to send a script to nmap-dev but don't want it included in Nmap, just say so. "Please don't include this in Nmap" will do the trick. Note that we don't insist on copyright assignment like the FSF and other organizations do. So you still retain all rights to use and relicense your script/patch/code as you wish. You just give us the rights to use it too. I hope this helps! Fyodor _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev
Current thread:
- License of Nmap LUA scripts Dirk Loss (Jul 31)
- Re: License of Nmap LUA scripts Fyodor (Jul 31)
- Re: License of Nmap LUA scripts Dirk Loss (Jul 31)
- Re: License of Nmap LUA scripts Fyodor (Jul 31)