On Thu, Jul 11, 2024 at 11:48 AM Neal Gompa <ngomp...@gmail.com> wrote:
>
> On Thu, Jul 11, 2024 at 11:45 AM David Cantrell <dcantr...@redhat.com> wrote:
> >
> > On 7/11/24 11:19 AM, Richard Fontana wrote:
> > > On Thu, Jul 11, 2024 at 10:30 AM Richard Fontana <rfont...@redhat.com> 
> > > wrote:
> > >>
> > >> On Thu, Jul 11, 2024 at 10:05 AM David Cantrell <dcantr...@redhat.com> 
> > >> wrote:
> > >>>
> > >>> Looking at Fedora now we have nmap-7.95 in Fedora 40 as an update and 
> > >>> it has:
> > >>>
> > >>>     License: LicenseRef-NPSL-0.94
> > >>
> > >> Yes. This is erroneous because `LicenseRef-NPSL-0.94` inaccurately
> > >> referred to the license we are now calling `LicenseRef-NPSL-0.92`
> > >> (Callaway/Cotton "NPSL") but the license of Nmap changed several more
> > >> times in the progression to 7.95.
> > >>
> > >>> The exception is only for LicenseRef-Nmap and not these NPSL variants, 
> > >>> right?  Which means nmap will have to be removed?
> > >>
> > >> Yes,
> > >
> > > Actually the Nmap maintainer/licensor has informally offered to let
> > > Fedora continue to use `LicenseRef-Nmap` for 7.95 (if I understood
> > > what they were saying correctly) so that is a possibility. But clearly
> > > not a long-term solution.
> >
> > This idea makes me somewhat nervous.  Why would Fedora get an exception and 
> > not other distributors (or do other distributions also have exceptions)?  
> > And what does that mean for the actual code or patches shared between 
> > distributions?  I think unless the license in the source actually changes, 
> > taking this route would lead to problems.
> >
> > Do we know if upstream is open to discussing relicensing to a well-known 
> > and established open source license that would still offer the protections 
> > and guarantees they want?  That may not be possible.  Reading the 
> > LicenseRef-Nmap license I see a contributor agreement, lots of restrictions 
> > on derived works and how those are licensed, a patent grant, explicit 
> > permission to link with OpenSSL (thanks!), the license is governed by the 
> > laws of the State of Washington (ok, sure), an advertising clause if you 
> > set up a web site to execute nmap and display results -but then- the very 
> > next block says you don't have permission to use the trade names, 
> > trademarks, service marks, or product names.
> >
> > Looking a bit further at Fedora downstreams, I do see that nmap is part of 
> > RHEL.  And has been since RHEL-3.  Right now that's inherited via nmap's 
> > inclusion in Fedora.  If Fedora were to remove nmap, RHEL would have a 
> > decision to make.  I suppose that's fine, we are talking about Fedora here. 
> >  But we would at least want RHEL to be aware if that change were to happen.
>
> All the distributors that asked got the exception. I believe at one
> point it was even publicly stated that everyone could do this without
> requesting it after so many asked.

A further issue here is that many other distros seem to be assuming
that the iterations of the NPSL after the universally-condemned NPSL
0.92 (LicenseRef-NPSL-0.92) are all nonproblematic. I am not sure what
this is based on beyond a well-meaning impulse to believe that any
change to NPSL 0.92 must have been good enough.

Richard

-- 
_______________________________________________
legal mailing list -- legal@lists.fedoraproject.org
To unsubscribe send an email to legal-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/legal@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to