Bug 749390 - Add NPSL (nmap license) to MISC_FREE
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Foundation
Classification: Unclassified
Component: Licenses
Hardware: All Linux
Importance: Normal normal
Assignee: Licenses team
Keywords: UPSTREAM
Reported: 2020-10-16 08:40 UTC by Hanno Böck
Modified: 2021-07-07 04:50 UTC
Description Hanno Böck gentoo-dev 2020-10-16 08:40:33 UTC
The net-analyzer/nmap package in latest versions has LICENSE="NPSL" (it was GPL-2 before, but I believe this was just a mistake).

NPSL is currently not in any of the free license groups. From doing some quick research it seems it is a license similar to GPL-2 (Upstream: "This license is based on the GNU GPLv2, but with important additional terms, conditions, clarifications and exceptions"). I have not done a review of the differences, but I never heard of nmap being nonfree or controversial (and the rule of thumb: "Debian ships it so they seem to be fine with it and think it's a good license").

Wikipedia mentions that it once had a clause forbidding the use by SCO, but that seems ancient history and is not part of the current license.

Shall we add it to MISC_FREE?
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2020-10-16 09:20:13 UTC
(In reply to Hanno Böck from comment #0)
> The net-analyzer/nmap package in latest versions has LICENSE="NPSL" (it was
> GPL-2 before, but I believe this was just a mistake).

They changed nmap's license after 7.80, and released 7.90 with the NPSL license.

They still bundle (bug #253269) an (incompatible) fork of libdnet ("libdnet-stripped", LGPL-2, not possible to use the separately packaged versions without some changes there and upstream), liblinear (BSD, but we build against the separate version), (lib)lua (MIT, guarded by USE=system-lua), libpcap (BSD, but we use the packaged installed version instead), libpcre (BSD, but we use the packaged installed version), libssh2 (BSD, but we use the packaged installed version instead) and libz (BSD, but we use the packaged installed version instead), it's kind of hazy.

That aside, I am curious what you think the mistake is/was.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2020-10-16 09:44:17 UTC
Hm, I didn't add trustees@g.o. Is "Licenses" the correct Component, even? <https://bugs.gentoo.org/describecomponents.cgi?product=Gentoo%20Foundation> says it is.
Comment 3 Ulrich Müller gentoo-dev 2020-10-16 09:45:53 UTC
I find this license very problematic:

By section 6 of the GPL-2: "You may not impose any further restrictions on the recipients' exercise of the rights granted herein." but that's exactly what the NPSL does.

"To avoid any misunderstandings, we consider software to constitute a 'derivative work' of Covered Software for the purposes of this license if it does any of the following:
[...]
* Reads or includes Covered Software data files, such as nmap-os-db or nmap-service-probes."

This would make coreutils a derived work of nmap because its programs can read those files, for example, "cat /usr/share/nmap/nmap-os-db". So clearly, their definition of "derived work" is nonsensical.

Section 2 of the NPSL says "Covered Software is licensed to you under the terms of the GPL (Exhibit A)". Does this mean GPL without any specific version (i.e., GPL-1+), GPL-2+, or GPL-2 only?

Also, in section 2: "In addition, you agree to the terms of this License by [...] downloading the software." That's typical EULA language which may even require mirror restriction.
Comment 4 Ulrich Müller gentoo-dev 2020-10-16 10:02:04 UTC
This is also being discussed on guix-devel, and they have doubts if this is a free software license:
https://lists.gnu.org/archive/html/guix-devel/2020-10/msg00227.html

My suggestion would be _not_ to add this to MISC-FREE but wait for a statement from the FSF.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2020-10-16 10:11:54 UTC
(In reply to Ulrich Müller from comment #3)
> I find this license very problematic:
> 
> By section 6 of the GPL-2: "You may not impose any further restrictions on
> the recipients' exercise of the rights granted herein." but that's exactly
> what the NPSL does.

So they re-licensed nmap? This would of course require that they can re-license the bundled software as well as their own code.
Comment 6 Alessandro Barbieri 2020-11-25 22:30:00 UTC
Fedora put this license in the free group:

https://lists.fedoraproject.org/pipermail/legal/2014-January/002366.html
https://fedoraproject.org/wiki/Licensing/Nmap
Comment 7 Ulrich Müller gentoo-dev 2020-11-26 08:16:05 UTC
(In reply to Alessandro Barbieri from comment #6)
> Fedora put this license in the free group:
> 
> https://lists.fedoraproject.org/pipermail/legal/2014-January/002366.html
> https://fedoraproject.org/wiki/Licensing/Nmap

That's the license from 2013, not the one we're talking about here. It doesn't contain the problematic clauses:

"In addition, you agree to the terms of this License by [...] downloading the software." (section 2)

"Proprietary software companies wishing to use or incorporate Covered Software within their programs must contact Licensor to purchase a separate license." (section 0)

Especially the latter is a non-commercial restriction and as such directly violating the Open Source Definition <https://opensource.org/docs/osd> section 6 "No discrimination against fields of endeavor".
Comment 8 Ulrich Müller gentoo-dev 2020-11-26 11:52:07 UTC
@Licenses team: Any other opinion? If not, I am going to report this upstream one week from now.
Comment 9 Andrius Štikonas 2020-11-26 13:48:38 UTC
In the meantime, can we please keep the last FREE version in the tree even though a newer one is stabilized?
Comment 10 Hanno Böck gentoo-dev 2020-11-27 07:57:55 UTC
Here's Debian's discussion about this:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972216
Comment 11 Ulrich Müller gentoo-dev 2020-12-06 10:38:14 UTC
Reported upstream:
https://github.com/nmap/nmap/issues/2199
Comment 12 Hanno Böck gentoo-dev 2020-12-09 19:57:23 UTC
In case others find this relevant:
I've been digging into nmap's license history. It changed several times, but the conditions pretty much always sound problematic to me and question it as an open source license. The last version that sounds like it's "just GPL 2 without any strings attached" is 3.40PVT15, which is from 2003.
Comment 13 Ulrich Müller gentoo-dev 2021-01-08 22:37:36 UTC
https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org/thread/GZIDC4DHXZP67LFU7P2OT2AQVDJRHZ2M/
"After review, Fedora has determined that the Nmap Public Source License (NPSL) Version 0.92[1] is not acceptable for use in Fedora. [...]
The license includes restrictions on 'proprietary software companies', which is a field of endeavor restriction contrary to the Open Source Definition[3]."
Comment 14 Larry the Git Cow gentoo-dev 2021-03-06 20:35:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ba502f42a7ab3f8282dd5b88cf8c4126971c987e

commit ba502f42a7ab3f8282dd5b88cf8c4126971c987e
Author:     Ulrich Müller <ulm@gentoo.org>
AuthorDate: 2021-03-06 20:34:12 +0000
Commit:     Ulrich Müller <ulm@gentoo.org>
CommitDate: 2021-03-06 20:34:12 +0000

    net-analyzer/nmap: Update LICENSE
    
    "Effective immediately, Nmap 7.91 (which is the current version) and
    7.90 can also be used and redistributed under the previous (Nmap 7.80)
    license terms."
    https://github.com/nmap/nmap/issues/2199#issuecomment-792048244
    
    Bug: https://bugs.gentoo.org/749390
    Package-Manager: Portage-3.0.16, Repoman-3.0.2
    Signed-off-by: Ulrich Müller <ulm@gentoo.org>

 net-analyzer/nmap/nmap-7.91-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 15 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2021-07-07 04:50:30 UTC
As comment 14 has noted that NMAP is now "|| ( GPL NPSL )", I believe we can continue without NPSL in MISC_FREE, especially as Fedora decided that NPSL isn't free.