On 7/11/24 11:19 AM, Richard Fontana wrote:
> On Thu, Jul 11, 2024 at 10:30 AM Richard Fontana <rfont...@redhat.com> wrote:
>>
>> On Thu, Jul 11, 2024 at 10:05 AM David Cantrell <dcantr...@redhat.com> wrote:
>>>
>>> Looking at Fedora now we have nmap-7.95 in Fedora 40 as an update and it 
>>> has:
>>>
>>>     License: LicenseRef-NPSL-0.94
>>
>> Yes. This is erroneous because `LicenseRef-NPSL-0.94` inaccurately
>> referred to the license we are now calling `LicenseRef-NPSL-0.92`
>> (Callaway/Cotton "NPSL") but the license of Nmap changed several more
>> times in the progression to 7.95.
>>
>>> The exception is only for LicenseRef-Nmap and not these NPSL variants, 
>>> right?  Which means nmap will have to be removed?
>>
>> Yes,
> 
> Actually the Nmap maintainer/licensor has informally offered to let
> Fedora continue to use `LicenseRef-Nmap` for 7.95 (if I understood
> what they were saying correctly) so that is a possibility. But clearly
> not a long-term solution.

This idea makes me somewhat nervous.  Why would Fedora get an exception and not 
other distributors (or do other distributions also have exceptions)?  And what 
does that mean for the actual code or patches shared between distributions?  I 
think unless the license in the source actually changes, taking this route 
would lead to problems.

Do we know if upstream is open to discussing relicensing to a well-known and 
established open source license that would still offer the protections and 
guarantees they want?  That may not be possible.  Reading the LicenseRef-Nmap 
license I see a contributor agreement, lots of restrictions on derived works 
and how those are licensed, a patent grant, explicit permission to link with 
OpenSSL (thanks!), the license is governed by the laws of the State of 
Washington (ok, sure), an advertising clause if you set up a web site to 
execute nmap and display results -but then- the very next block says you don't 
have permission to use the trade names, trademarks, service marks, or product 
names.

Looking a bit further at Fedora downstreams, I do see that nmap is part of 
RHEL.  And has been since RHEL-3.  Right now that's inherited via nmap's 
inclusion in Fedora.  If Fedora were to remove nmap, RHEL would have a decision 
to make.  I suppose that's fine, we are talking about Fedora here.  But we 
would at least want RHEL to be aware if that change were to happen.

-- 
David Cantrell <dcantr...@redhat.com>
Red Hat, Inc. | Boston, MA | EST5EDT

-- 
_______________________________________________
legal mailing list -- legal@lists.fedoraproject.org
To unsubscribe send an email to legal-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to