Summary: | Add NPSL-0.95 (nmap license) to MISC_FREE | ||
---|---|---|---|
Product: | Gentoo Foundation | Reporter: | Hanno Böck <hanno> |
Component: | Licenses | Assignee: | Licenses team <licenses> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | AI0867, ajak, andrius, bruce, dilfridge, gentoo, jer, kensington, nbowler, netmon, sam, trustees, zlogene |
Priority: | Normal | Keywords: | UPSTREAM |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
See Also: | https://bugs.debian.org/972216 https://github.com/nmap/nmap/issues/2199 | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Hanno Böck
2020-10-16 08:40:33 UTC
(In reply to Hanno Böck from comment #0)
> The net-analyzer/nmap package in latest versions has LICENSE="NPSL" (it was
> GPL-2 before, but I believe this was just a mistake).

They changed nmap's license after 7.80, and released 7.90 with the NPSL license. They still bundle (bug #253269) an (incompatible) fork of libdnet ("libdnet-stripped", LGPL-2, not possible to use the separately packaged versions without some changes there and upstream), liblinear (BSD, but we build against the separate version), (lib)lua (MIT, guarded by USE=system-lua), libpcap (BSD, but we use the packaged installed version instead), libpcre (BSD, but we use the packaged installed version), libssh2 (BSD, but we use the packaged installed version instead) and libz (BSD, but we use the packaged installed version instead), it's kind of hazy.

That aside, I am curious what you think the mistake is/was.

Hm, I didn't add trustees@g.o. Is "Licenses" the correct Component, even? <https://bugs.gentoo.org/describecomponents.cgi?product=Gentoo%20Foundation> says it is.

I find this license very problematic:

By section 6 of the GPL-2: "You may not impose any further restrictions on the recipients' exercise of the rights granted herein." but that's exactly what the NPSL does.

"To avoid any misunderstandings, we consider software to constitute a 'derivative work' of Covered Software for the purposes of this license if it does any of the following:
[...]
* Reads or includes Covered Software data files, such as nmap-os-db or nmap-service-probes."

This would make coreutils a derived work of nmap because its programs can read those files, for example, "cat /usr/share/nmap/nmap-os-db". So clearly, their definition of "derived work" is nonsensical.

Section 2 of the NPSL says "Covered Software is licensed to you under the terms of the GPL (Exhibit A)". Does this mean GPL without any specific version (i.e., GPL-1+), GPL-2+, or GPL-2 only?
Also, in section 2: "In addition, you agree to the terms of this License by [...] downloading the software." That's typical EULA language which may even require mirror restriction.

This is also being discussed on guix-devel, and they have doubts if this is a free software license:
https://lists.gnu.org/archive/html/guix-devel/2020-10/msg00227.html

My suggestion would be _not_ to add this to MISC-FREE but wait for a statement from the FSF.

(In reply to Ulrich Müller from comment #3)
> I find this license very problematic:
>
> By section 6 of the GPL-2: "You may not impose any further restrictions on
> the recipients' exercise of the rights granted herein." but that's exactly
> what the NPSL does.

So they re-licensed nmap? This would of course require that they can re-license the bundled software as well as their own code.

fedora put this license in the free group

https://lists.fedoraproject.org/pipermail/legal/2014-January/002366.html
https://fedoraproject.org/wiki/Licensing/Nmap

(In reply to Alessandro Barbieri from comment #6)
> fedora put this license in the free group
>
> https://lists.fedoraproject.org/pipermail/legal/2014-January/002366.html
> https://fedoraproject.org/wiki/Licensing/Nmap

That's the license from 2013, not the one we're talking about here. It doesn't contain the problematic clauses:

"In addition, you agree to the terms of this License by [...] downloading the software." (section 2)

"Proprietary software companies wishing to use or incorporate Covered Software within their programs must contact Licensor to purchase a separate license." (section 0)

Especially the latter is a non-commercial restriction and as such directly violating the Open Source Definition <https://opensource.org/docs/osd> section 6 "No discrimination against fields of endeavor".

@Licenses team: Any other opinion? If not, I am going to report this upstream one week from now.

In the meantime can we please keep last FREE version in the tree even though newer one is stabilized.
Here's Debian's discussion about this:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972216

Reported upstream:
https://github.com/nmap/nmap/issues/2199

In case others find this relevant: I've been digging into nmap's license history, it changed several times, but the conditions pretty much always sound problematic to me and question it as an open source license. The last version that sounds like it's "just GPL 2 without any strings attached" is 3.40PVT15, which is from 2003.

https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org/thread/GZIDC4DHXZP67LFU7P2OT2AQVDJRHZ2M/

"After review, Fedora has determined that the Nmap Public Source License (NPSL) Version 0.92[1] is not acceptable for use in Fedora. [...] The license includes restrictions on 'proprietary software companies", which is a field of endeavor restriction contrary to the Open Source Definition[3]."

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ba502f42a7ab3f8282dd5b88cf8c4126971c987e

commit ba502f42a7ab3f8282dd5b88cf8c4126971c987e
Author:     Ulrich Müller <ulm@gentoo.org>
AuthorDate: 2021-03-06 20:34:12 +0000
Commit:     Ulrich Müller <ulm@gentoo.org>
CommitDate: 2021-03-06 20:34:12 +0000

    net-analyzer/nmap: Update LICENSE

    "Effective immediately, Nmap 7.91 (which is the current version) and 7.90 can also be used and redistributed under the previous (Nmap 7.80) license terms."
    https://github.com/nmap/nmap/issues/2199#issuecomment-792048244

    Bug: https://bugs.gentoo.org/749390
    Package-Manager: Portage-3.0.16, Repoman-3.0.2
    Signed-off-by: Ulrich Müller <ulm@gentoo.org>

 net-analyzer/nmap/nmap-7.91-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

As comment 14 has noted that NMAP is now "|| ( GPL NPSL )", I believe we can continue without NPSL in MISC_FREE esp as Fedora decided that NPSL isn't free.
I believe that NPSL-0.95 addresses both concerns about section 0 (Preamble) and section 3 (Derivative Works):
https://github.com/nmap/nmap/issues/2199#issuecomment-1379568678

Can we add it to MISC-FREE?

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=86f07219759245d3f01b42f2ad0273c9549ef7ea

commit 86f07219759245d3f01b42f2ad0273c9549ef7ea
Author:     Ulrich Müller <ulm@gentoo.org>
AuthorDate: 2023-01-13 08:13:15 +0000
Commit:     Ulrich Müller <ulm@gentoo.org>
CommitDate: 2023-01-13 08:14:25 +0000

    profiles: Add NPSL-0.95 to MISC-FREE license group

    Closes: https://bugs.gentoo.org/749390
    Signed-off-by: Ulrich Müller <ulm@gentoo.org>

 profiles/license_groups | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)