Nmap Development mailing list archives

Re: Using Samba code?


From: Ron <ron () skullsecurity net>
Date: Sat, 27 Sep 2008 23:28:44 -0500

Fyodor wrote:
> On Tue, Sep 23, 2008 at 07:28:06PM -0500, Ron wrote:
>
> Hi Ron.  Good question.  That can be a tricky situation, and of course
> I'm not a copyright lawyer.  Any code derived from Samba or any other
> GPL source generally CAN NOT be included within Nmap (even as an NSE
> script).  Sometimes you can persuade authors to grant an exception
> allowing us to use sections of code under a less restrictive license
> (such as BSD, MIT, or LUA licenses), which we generally can include
> into Nmap.  For example, the Metasploit Project has a different
> license than Nmap, so we granted them a license exception so they
> could ship Nmap within their Windows installer.  Also, someday (when I
> find a good open source lawyer and find time), I might want to change
> the Nmap license to a different one such as this draft I made years
> ago: http://nmap.org/npsl/npsl-annotated.html .  That Nmap Public
> Source License, like our current license, is GPL + some extra terms.
> We could not do that if we included other people's GPLv2 code.

Heh, incompatible licenses are annoying. It's almost like closed source! :)


> This rule only applies to scripts included with Nmap.  If you write a
> script and distribute it yourself as GPL, it doesn't really matter to
> the Nmap Project since you are then responsible for copyright
> compliance.

Well, worst case, I can do that fairly easily.

Maybe this is a separate topic altogether, but have the NSE developers
looked at a way to distribute scripts yet, besides including them in an
install? Like, having one or more repositories for scripts that can
easily be downloaded/updated without updating Nmap itself.

The downside to that would be malicious repositories. How do you
guarantee that your automatically downloaded updates from non-Nmap
repositories are actually safe?

> That might actually be OK, since it seems to be purely extracted data
> rather than an expressive/creative work such as most code.  The header
> says "They were extracted using a loop in smbclient then printing a
> netmon sniff to a file".  So if these status codes have the same names
> and numbers as given by Microsoft, and are needed for
> interoperability, we can probably use them if we have to.  See the
> "minimum originality" discussion below.  Still, maybe you can look
> around and see if they are available from another source with a more
> liberal license?  Are these values in the header files distributed
> with MS Visual Studio?

This is indeed publicly distributed by Microsoft now:
http://msdn.microsoft.com/en-us/library/cc704588.aspx

So it seems reasonable that this is public domain knowledge, and using
the codes isn't specifically tied to Samba.

So to verify: I shouldn't worry about this one?

> If you are just using this file to determine the API for communicating
> with a few functions, that doesn't sound unreasonable.  Though again,
> it would be best if you can find the same data from some other source
> you can reference which has a more liberal license.

Microsoft also has details on their API. Here is one of the functions I
use (Connect4()):
http://msdn.microsoft.com/en-us/library/cc245746.aspx

I used Samba's code to find the interface originally, which is
apparently in my comments, but the Microsoft documentation provides the
exact same information.

So, any clue if I need to change anything? If I did go back and use
Microsoft's, the only thing I'd have to change is my comments since the
code itself isn't going to change.



> So in conclusion, if you want to use 3rd party GPL code in Nmap
> (including NSE scripts), you need to either:
>
> * Persuade the author to license those portions of the code under a
>   license we can use, such as BSD no-attribution.  Or for data like
>   this, they might agree that they don't assert copyright control over
>   the raw data.
>
> * Rewrite the code yourself in a way which doesn't violate copyright rules
>
> * Find similarly useful code which is already under a more liberal license and use that.
>
> * Or have a valid fair use justification, such as you often see for images
>   in Wikipedia.  For example, certain pure data files may not be
>   eligible for copyright protection since they are considered a
>   compilation of facts and don't satisfy the "minimum originality"
>   requirement.  For an example (alphabetical phone books and food
>   recipes not qualifying for copyright protection), see:
>   http://en.wikipedia.org/wiki/Feist_v._Rural

Cool, good to know. :)


> I hope this helps clarify things.

If by "clarify", you mean "make more uncertain", then definitely! :P

Just kidding, thanks for the summary!


> Cheers,
> -F

Ron

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

