Web lists-archives.com

Re: nmap license is incompatible with GPL




Ben Hutchings writes ("Re: nmap license is incompatible with GPL"):
> On Tue, 2018-04-10 at 11:42 +0200, Ansgar Burchardt wrote:
> > The license in particular also forbids front-ends parsing nmap's output
> > that are released under a license not compatible with nmap's:
...
> > > - Is designed specifically to execute Covered Software and parse the
> > >   results (as opposed to typical shell or execution-menu apps, which
> > >   will execute anything you tell them to).
> > +---
> 
> This is an interesting legal theory, and I would be interested to hear
> whether any free software lawyer agrees with it.  (And the distinction
> they try to draw is so unclear that I really doubt a court would want
> to rule on it.)

Personally I think under English law such things, when distributed
with nmap, would be part of a work as a `whole' (within the meaning of
the antepenultimate para in GPL s2) and would have to be distributed
under the GPL2 even if nmap was under the vanilla GPL2.

Absent the explicit statement to the contrary later in the licence,
these provisions therefore add nothing and the resulting licence would
be GPL2-compatible.

I appreciate that this is not a very popular view.

> > This means packages such as `nmapsi4`, `python-nmap`, `lsat`, `nikto`,
> > `zabbix`, `oscinventory-agent`, `fusioninventory-agent-task-network` and
> > possibly others which are licensed under the GPL-2 (some with or-later)
> > do not conform to nmap's license requirements...
> > 
> > I plan to file RC bugs against these packages soon; this thread can
> > serve as a central place for discussions.
> 
> I think we should determine that either:
> 
> 1. This provision is not enforceable, and we don't need to do that.
> 2. This provision is enforceable, it is a restriction on use, and it
>    makes nmap non-free.

The provision is certainly not a restriction on use.  It's a
restriction on the licences of software which is intimately designed
to work with nmap, and accompany it, and is best seen as extensions or
embeddings of nmap.  It's only a restriction on distribution; users
can do what they want.

I haven't looked at the packages above but many of them seem
specifically to be libraries for using nmap, or ways of embedding
nmap.  The fact that the licence is not, on its face, compatible with
nmap's, is probably a mistake.  We should ask the upstreams to "for
clarity" dual-licence their code under (i) their existing licence
(ii) the nmap licence.  And we need to check the rdepends.

Ian.

-- 
Ian Jackson <ijackson@xxxxxxxxxxxxxxxxxxxxxx>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.