The net-analyzer/nmap package in latest versions has LICENSE="NPSL" (it was GPL-2 before, but I believe this was just a mistake).
NPSL is currently not in any of the free license groups. From doing some quick research it seems it is a license similar to GPL-2 (Upstream: "This license is based on the GNU GPLv2, but with important additional terms, conditions, clarifications and exceptions"). I have not done a review of the differences, but I never heard of nmap being nonfree or controversial (and the rule of thumb: "Debian ships it so they seem to be fine with it and think it's a good license").
Wikipedia mentions that it once had a clause forbidding the use by SCO, but that seems ancient history and is not part of the current license.
Shall we add it to MISC_FREE?
(In reply to Hanno Böck from comment #0)
> The net-analyzer/nmap package in latest versions has LICENSE="NPSL" (it was
> GPL-2 before, but I believe this was just a mistake).
They changed nmap's license after 7.80, and released 7.90 with the NPSL license.
They still bundle (bug #253269) an (incompatible) fork of libdnet ("libdnet-stripped", LGPL-2, not possible to use the separately packaged versions without some changes there and upstream), liblinear (BSD, but we build against the separate version), (lib)lua (MIT, guarded by USE=system-lua), libpcap (BSD, but we use the packaged installed version instead), libpcre (BSD, but we use the packaged installed version), libssh2 (BSD, but we use the packaged installed version instead) and libz (BSD, but we use the packaged installed version instead), it's kind of hazy.
That aside, I am curious what you think the mistake is/was.
Hm, I didn't add firstname.lastname@example.org. Is "Licenses" the correct Component, even? <https://bugs.gentoo.org/describecomponents.cgi?product=Gentoo%20Foundation> says it is.
I find this license very problematic:
By section 6 of the GPL-2: "You may not impose any further restrictions on the recipients' exercise of the rights granted herein." but that's exactly what the NPSL does.
"To avoid any misunderstandings, we consider software to constitute a 'derivative work' of Covered Software for the purposes of this license if it does any of the following:
* Reads or includes Covered Software data files, such as nmap-os-db or nmap-service-probes."
This would make coreutils a derived work of nmap because its programs can read those files, for example, "cat /usr/share/nmap/nmap-os-db". So clearly, their definition of "derived work" is nonsensical.
Section 2 of the NPSL says "Covered Software is licensed to you under the terms of the GPL (Exhibit A)". Does this mean GPL without any specific version (i.e., GPL-1+), GPL-2+, or GPL-2 only?
Also, in section 2: "In addition, you agree to the terms of this License by [...] downloading the software." That's typical EULA language which may even require mirror restriction.
This is also being discussed on guix-devel, and they have doubts if this is a free software license:
My suggestion would be _not_ to add this to MISC-FREE but wait for a statement from the FSF.
(In reply to Ulrich Müller from comment #3)
> I find this license very problematic:
> By section 6 of the GPL-2: "You may not impose any further restrictions on
> the recipients' exercise of the rights granted herein." but that's exactly
> what the NPSL does.
So they re-licensed nmap? This would of course require that they can re-license the bundled software as well as their own code.
Fedora put this license in the free group
(In reply to Alessandro Barbieri from comment #6)
> Fedora put this license in the free group
That's the license from 2013, not the one we're talking about here. It doesn't contain the problematic clauses:
"In addition, you agree to the terms of this License by [...] downloading the software." (section 2)
"Proprietary software companies wishing to use or incorporate Covered Software within their programs must contact Licensor to purchase a separate license." (section 0)
Especially the latter is a non-commercial restriction and as such directly violates the Open Source Definition <https://opensource.org/docs/osd> section 6 "No discrimination against fields of endeavor".
@Licenses team: Any other opinion? If not, I am going to report this upstream one week from now.
In the meantime, can we please keep the last FREE version in the tree even though a newer one is stabilized?
Here's Debian's discussion about this:
In case others find this relevant:
I've been digging into nmap's license history, it changed several times, but the conditions pretty much always sound problematic to me and question it as an open source license. The last version that sounds like it's "just GPL 2 without any strings attached" is 3.40PVT15, which is from 2003.
"After review, Fedora has determined that the Nmap Public Source License (NPSL) Version 0.92 is not acceptable for use in Fedora. [...]
The license includes restrictions on 'proprietary software companies', which is a field of endeavor restriction contrary to the Open Source Definition."
The bug has been referenced in the following commit(s):
Author: Ulrich Müller <email@example.com>
AuthorDate: 2021-03-06 20:34:12 +0000
Commit: Ulrich Müller <firstname.lastname@example.org>
CommitDate: 2021-03-06 20:34:12 +0000
net-analyzer/nmap: Update LICENSE
"Effective immediately, Nmap 7.91 (which is the current version) and
7.90 can also be used and redistributed under the previous (Nmap 7.80)
Package-Manager: Portage-3.0.16, Repoman-3.0.2
Signed-off-by: Ulrich Müller <email@example.com>
net-analyzer/nmap/nmap-7.91-r1.ebuild | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
As comment 14 has noted that nmap is now "|| ( GPL NPSL )", I believe we can continue without NPSL in MISC_FREE, especially as Fedora decided that NPSL isn't free.