On Thu, Jul 11, 2024 at 11:48 AM Neal Gompa <ngomp...@gmail.com> wrote: > > On Thu, Jul 11, 2024 at 11:45 AM David Cantrell <dcantr...@redhat.com> wrote: > > > > On 7/11/24 11:19 AM, Richard Fontana wrote: > > > On Thu, Jul 11, 2024 at 10:30 AM Richard Fontana <rfont...@redhat.com> > > > wrote: > > >> > > >> On Thu, Jul 11, 2024 at 10:05 AM David Cantrell <dcantr...@redhat.com> > > >> wrote: > > >>> > > >>> Looking at Fedora now we have nmap-7.95 in Fedora 40 as an update and > > >>> it has: > > >>> > > >>> License: LicenseRef-NPSL-0.94 > > >> > > >> Yes. This is erroneous because `LicenseRef-NPSL-0.94` inaccurately > > >> referred to the license we are now calling `LicenseRef-NPSL-0.92` > > >> (Callaway/Cotton "NPSL") but the license of Nmap changed several more > > >> times in the progression to 7.95. > > >> > > >>> The exception is only for LicenseRef-Nmap and not these NPSL variants, > > >>> right? Which means nmap will have to be removed? > > >> > > >> Yes, > > > > > > Actually the Nmap maintainer/licensor has informally offered to let > > > Fedora continue to use `LicenseRef-Nmap` for 7.95 (if I understood > > > what they were saying correctly) so that is a possibility. But clearly > > > not a long-term solution. > > > > This idea makes me somewhat nervous. Why would Fedora get an exception and > > not other distributors (or do other distributions also have exceptions)? > > And what does that mean for the actual code or patches shared between > > distributions? I think unless the license in the source actually changes, > > taking this route would lead to problems. > > > > Do we know if upstream is open to discussing relicensing to a well-known > > and established open source license that would still offer the protections > > and guarantees they want? That may not be possible. Reading the > > LicenseRef-Nmap license I see a contributor agreement, lots of restrictions > > on derived works and how those are licensed, a patent grant, explicit > > permission to link with OpenSSL (thanks!), the license is governed by the > > laws of the State of Washington (ok, sure), an advertising clause if you > > set up a web site to execute nmap and display results -but then- the very > > next block says you don't have permission to use the trade names, > > trademarks, service marks, or product names. > > > > Looking a bit further at Fedora downstreams, I do see that nmap is part of > > RHEL. And has been since RHEL-3. Right now that's inherited via nmap's > > inclusion in Fedora. If Fedora were to remove nmap, RHEL would have a > > decision to make. I suppose that's fine, we are talking about Fedora here. > > But we would at least want RHEL to be aware if that change were to happen. > > All the distributors that asked got the exception. I believe at one > point it was even publicly stated that everyone could do this without > requesting it after so many asked.
A further issue here is that many other distros seem to be assuming that the iterations of the NPSL after the universally-condemned NPSL 0.92 (LicenseRef-NPSL-0.92) are all nonproblematic. I am not sure what this is based on beyond a well-meaning impulse to believe that any change to NPSL 0.92 must have been good enough. Richard -- _______________________________________________ legal mailing list -- legal@lists.fedoraproject.org To unsubscribe send an email to legal-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue