[Fedora-legal-list] Re: Update on Fedora treatment of Nmap licensing


 



On 7/11/24 21:37, Richard Fontana wrote:
On Thu, Jul 11, 2024 at 11:48 AM Neal Gompa <ngompa13@xxxxxxxxx> wrote:

On Thu, Jul 11, 2024 at 11:45 AM David Cantrell <dcantrell@xxxxxxxxxx> wrote:

On 7/11/24 11:19 AM, Richard Fontana wrote:
On Thu, Jul 11, 2024 at 10:30 AM Richard Fontana <rfontana@xxxxxxxxxx> wrote:

On Thu, Jul 11, 2024 at 10:05 AM David Cantrell <dcantrell@xxxxxxxxxx> wrote:

Looking at Fedora now we have nmap-7.95 in Fedora 40 as an update and it has:

     License: LicenseRef-NPSL-0.94

Yes. This is erroneous because `LicenseRef-NPSL-0.94` inaccurately
referred to the license we are now calling `LicenseRef-NPSL-0.92`
(Callaway/Cotton "NPSL") but the license of Nmap changed several more
times in the progression to 7.95.

The exception is only for LicenseRef-Nmap and not these NPSL variants, right?  Which means nmap will have to be removed?

Yes,

Actually the Nmap maintainer/licensor has informally offered to let
Fedora continue to use `LicenseRef-Nmap` for 7.95 (if I understood
what they were saying correctly) so that is a possibility. But clearly
not a long-term solution.

This idea makes me somewhat nervous.  Why would Fedora get an exception and not other distributors (or do other distributions also have exceptions)?  And what does that mean for the actual code or patches shared between distributions?  I think unless the license in the source actually changes, taking this route would lead to problems.

Do we know if upstream is open to discussing relicensing to a well-known and established open source license that would still offer the protections and guarantees they want?  That may not be possible.  Reading the LicenseRef-Nmap license I see a contributor agreement, lots of restrictions on derived works and how those are licensed, a patent grant, explicit permission to link with OpenSSL (thanks!), the license is governed by the laws of the State of Washington (ok, sure), an advertising clause if you set up a web site to execute nmap and display results -but then- the very next block says you don't have permission to use the trade names, trademarks, service marks, or product names.

Looking a bit further at Fedora downstreams, I do see that nmap is part of RHEL.  And has been since RHEL-3.  Right now that's inherited via nmap's inclusion in Fedora.  If Fedora were to remove nmap, RHEL would have a decision to make.  I suppose that's fine, we are talking about Fedora here.  But we would at least want RHEL to be aware if that change were to happen.

All the distributors that asked got the exception. I believe at one
point it was even publicly stated that everyone could do this without
requesting it after so many asked.

A further issue here is that many other distros seem to be assuming
that the iterations of the NPSL after the universally-condemned NPSL
0.92 (LicenseRef-NPSL-0.92) are all nonproblematic. I am not sure what
this is based on beyond a well-meaning impulse to believe that any
change to NPSL 0.92 must have been good enough.

Yes. Also, if every distribution that requested the exception got the exception why does this license even need to exist? If granting exceptions is normal but also allowing continued use of NPSL could lead to unusual and/or unresolvable situations with downstream modifications being under an NPSL variant or under _what_ for those granted an exception.

Fedora can't be parked on nmap 7.92 forever, which is why I go back to removal from Fedora unless a subset of us want to have a conversation with upstream about licensing and try to get nmap under more acceptable terms.

--
David Cantrell <dcantrell@xxxxxxxxxx>
Red Hat, Inc. | Boston, MA | EST5EDT




